
CERT Coordination Center

Openfire contains an uncontrolled resource consumption vulnerability

Vulnerability Note VU#495476

Original Release Date: 2014-04-16 | Last Revised: 2014-04-23

Overview

Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption (CWE-400) vulnerability when using XMPP DEFLATE message compression.

Description

Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption (CWE-400) vulnerability when using XMPP DEFLATE message compression. It has been reported that a highly compressed XMPP message of 4MB that uncompresses to 4GB may cause a resource exhaustion denial of service. The highly compressed XMPP messages may be sent in parallel to enhance the denial of service.
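The defensive pattern behind the fix for this class of bug is to inflate in bounded steps and abort once the output size or the expansion ratio passes a limit, rather than handing the whole compressed message to the decompressor. The following Python example illustrates that check; it is added here and is not Openfire's code, and the limit values, the stanza, and the zero-filled sample message are constructed for the example.

```python
import zlib

# Limits applied while inflating one compressed XMPP message. Values are
# assumptions for this example, not Openfire's own configuration.
MAX_OUTPUT_BYTES = 256 * 1024   # hard cap on inflated bytes per message
MAX_RATIO = 100                 # inflated:compressed ratio treated as a bomb
RATIO_CHECK_MIN = 64 * 1024     # only judge the ratio once output is this large
CHUNK = 16 * 1024               # inflate this many bytes at a time


class DecompressionBombError(ValueError):
    """Raised when inflation is aborted because a limit was exceeded."""


def bounded_inflate(data: bytes, max_out: int = MAX_OUTPUT_BYTES,
                    max_ratio: int = MAX_RATIO) -> bytes:
    """Inflate `data` in CHUNK-sized steps, aborting when a limit is exceeded."""
    inflater = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        piece = inflater.decompress(pending, CHUNK)   # at most CHUNK bytes
        out += piece
        if len(out) > max_out:
            raise DecompressionBombError(f"inflated output exceeded {max_out} bytes")
        if len(out) > RATIO_CHECK_MIN and len(out) > max_ratio * len(data):
            raise DecompressionBombError(f"expansion ratio exceeded {max_ratio}:1")
        pending = inflater.unconsumed_tail      # input zlib has not consumed yet
        if inflater.eof or (not pending and not piece):
            break                               # stream ended or input drained
    return bytes(out)


def is_bomb(data: bytes) -> bool:
    """True if bounded_inflate rejects the message."""
    try:
        bounded_inflate(data)
    except DecompressionBombError:
        return True
    return False


# Constructed sample inputs (not taken from the advisory): a normal stanza,
# and a 1 MiB run of zero bytes that deflates to roughly 1 KB, a scaled-down
# stand-in for the 4 MB -> 4 GB message described above.
SAFE_STANZA = b"<message to='user@example.com'><body>hello</body></message>"
SAFE_COMPRESSED = zlib.compress(SAFE_STANZA)
BOMB = zlib.compress(b"\x00" * (1024 * 1024), 9)
```

Because the ratio check is only applied past RATIO_CHECK_MIN, short but repetitive legitimate stanzas are not misclassified.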

Impact

A remote unauthenticated attacker may be able to cause a denial-of-service condition.

Solution

We are currently unaware of a practical solution to this problem. A fix is available in the development branch of Openfire, but a stable release is not available yet. Please consider the following workarounds.

Restrict Network Access

As a general good security practice, only allow connections from trusted hosts and networks if possible. Restricting access would prevent an attacker from connecting to the service from a blocked network location.

Disable XMPP Compression

Navigate to the menu Server -> Server Settings -> Compression Settings -> Client Compression Policy and check the option "Not Available - Clients will not receive the option to use compressed traffic".

Vendor Information

Openfire

Notified: February 25, 2014 | Updated: April 16, 2014

Status: Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.


CVSS Metrics

Group Score Vector
Base 7.8 AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal 7.0 E:F/RL:W/RC:C
Environmental 5.3 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Acknowledgements

Thanks to Giancarlo Pellegrino for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs: CVE-2014-2741
Date Public: 2014-04-16
Date First Published: 2014-04-16
Date Last Updated: 2014-04-23 18:54 UTC
Document Revision: 20

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.