Tigase XMPP Server vulnerability to certain DOS attacks fixed
Description
Tigase XMPP Server versions prior to 5.1.1 are vulnerable to certain DoS attacks on the XMPP stream. Sending specially prepared XML data to the XMPP stream of the Tigase server can cause an out-of-memory error, system overload and eventually service failure.
Sensitivity
All types of XMPP connections are affected by this bug: c2s, s2s and external component connections. The TCP/IP connection does not need to be authenticated for the attack to succeed.
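The advisory does not disclose which XML constructs trigger the problem, and the fix itself lives in the Tigase server and XML Tools code. The following is an added illustration, not Tigase's code, of the general defensive pattern behind this class of bug: an XMPP stream is one unbounded XML document, so the parser must enforce resource limits on every unauthenticated connection as bytes arrive, rather than buffering a stanza and checking it afterwards. It uses Python's incremental expat binding; the limit values, the `BoundedXmppStream` class and the sample stanzas are all assumptions constructed for this example.

```python
import xml.parsers.expat


class StreamLimitExceeded(Exception):
    """Raised when inbound XML exceeds a configured resource bound."""


class BoundedXmppStream:
    """Incremental XMPP stream reader that enforces depth and size limits.

    Depth 1 is the long-lived <stream:stream> root; every child at depth 2
    is one stanza. The default limits are hypothetical values chosen for
    this example, not values taken from Tigase.
    """

    def __init__(self, max_depth=16, max_stanza_bytes=65536):
        self.max_depth = max_depth
        self.max_stanza_bytes = max_stanza_bytes
        self.depth = 0
        self.stanza_bytes = 0
        self.completed = []  # names of stanzas received in full
        p = xml.parsers.expat.ParserCreate()
        p.StartElementHandler = self._start
        p.EndElementHandler = self._end
        p.CharacterDataHandler = self._chars
        # XMPP streams must not carry DTDs or entity declarations
        # (RFC 6120 section 11.1); reject them before any expansion happens.
        p.StartDoctypeDeclHandler = self._reject_dtd
        p.EntityDeclHandler = self._reject_dtd
        self._parser = p

    def _reject_dtd(self, *_):
        raise StreamLimitExceeded("DTD or entity declaration on XMPP stream")

    def _account(self, n):
        # Approximate per-stanza size: element names, attributes and text.
        self.stanza_bytes += n
        if self.stanza_bytes > self.max_stanza_bytes:
            raise StreamLimitExceeded(
                f"stanza exceeds {self.max_stanza_bytes} bytes")

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            raise StreamLimitExceeded(
                f"nesting depth {self.depth} exceeds {self.max_depth}")
        if self.depth == 2:
            self.stanza_bytes = 0  # a new top-level stanza begins
        if self.depth >= 2:
            self._account(len(name) + sum(len(k) + len(v)
                                          for k, v in attrs.items()))

    def _chars(self, data):
        if self.depth >= 2:
            self._account(len(data))

    def _end(self, name):
        if self.depth == 2:
            self.completed.append(name)
        self.depth -= 1

    def feed(self, chunk):
        """Feed raw bytes as they arrive from the socket (never 'final')."""
        self._parser.Parse(chunk, False)


def check_stream(chunks, **limits):
    """Feed chunks in order; return ('ok', stanzas) or ('rejected', reason)."""
    stream = BoundedXmppStream(**limits)
    try:
        for chunk in chunks:
            stream.feed(chunk)
    except StreamLimitExceeded as exc:
        return ("rejected", str(exc))
    return ("ok", list(stream.completed))


# Constructed sample input, not captured traffic.
STREAM_OPEN = (b'<stream:stream xmlns="jabber:client" '
               b'xmlns:stream="http://etherx.jabber.org/streams" '
               b'to="example.com" version="1.0">')

if __name__ == "__main__":
    # A normal stanza split across two TCP reads is accepted.
    print(check_stream([STREAM_OPEN, b'<message><bo', b'dy>hi</body></message>']))
    # Unbounded nesting and an oversized stanza are both cut off early.
    print(check_stream([STREAM_OPEN, b'<message>' + b'<x>' * 40]))
    print(check_stream([STREAM_OPEN, b'<message><body>' + b'A' * 70000
                        + b'</body></message>']))
```

The important property is that `feed` raises while the offending stanza is still arriving, so the connection can be dropped before the server has allocated memory proportional to attacker-controlled input; a design that first reads a complete stanza into a buffer and validates it afterwards gives up exactly the resource the advisory describes being exhausted.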
Solution
A fix for the problem is already in our SVN repository and covers changes to both the Tigase XMPP Server code (tagged as tigase-server-5.1.1) and the Tigase XML Tools code (tagged as tigase-xmltools-3.4.2).
Binary packages have been released and published under version number 5.1.2, which also includes some BOSH improvements for multiple HTTP connections from a web client and compatibility with the Strophe library.
More details
If you require more details on the attack or an explanation of how to protect yourself, please contact us directly.
Early notifications
We release early notifications about discovered vulnerabilities and security issues about a week to 10 days before the public announcement. If you would like to be included in the mailing list for these early notifications, please register on our project management website and let us know your account name. I will add you to the mailing list.