Tigase XMPP Server vulnerability to certain DoS attacks fixed

Description

Tigase XMPP Server versions prior to 5.1.1 are vulnerable to certain DoS attacks on the XMPP stream. Sending specially prepared XML data to the XMPP stream of the Tigase server can cause an out-of-memory error and system overload, and eventually service failure.

Sensitivity

All types of XMPP connections are affected by this bug: c2s, s2s and external component connections. The TCP/IP connection does not have to be authenticated for the attack to succeed.

Solution

A fix for the problem is already in our SVN repository and covers changes in both the Tigase XMPP Server code (tagged as tigase-server-5.1.1) and Tigase XML Tools code (tagged as tigase-xmltools-3.4.2).

Binary packages have been released and published under version number 5.1.2, which also includes some BOSH improvements for multiple HTTP connections with the web client and compatibility with the Strophe library.

More details

If you require more details on the attack or an explanation of how to protect yourself, please contact us directly.

Early notifications

We release early notifications about discovered vulnerabilities and security issues about a week to 10 days before the public announcement. If you would like to be included in the mailing list for these early notifications, please register on our project management website and let us know your account name. I will add you to the mailing list.
