Uncontrolled Resource Consumption with Highly-Compressed XMPP messages


Artur Hefczyc, Tigase Team
Added almost 5 years ago

Multiple implementations of the XMPP core protocol (RFC 6120) that support stream compression (XEP-0138) suffer from an uncontrolled resource consumption vulnerability (CWE-400). It can be exploited remotely to mount Denial-of-Service attacks by sending highly-compressed XMPP messages: a small compressed payload inflates into a very large amount of uncompressed data that the server buffers in memory.

It has been reported that Tigase is vulnerable and that it is possible to exhaust resources in one of the reported cases. The issue is fixed in the current snapshot builds of our software, and the upcoming 5.2.1 release will contain the fix as well.

With this fix we introduced a new parameter which can be set in the configuration file. It is now possible to set the maximum size of the network buffer used for uncompressed data by a particular connection manager using the net-buffer-limit parameter. To set this value to 4MB for the C2S connection manager, add the following line:

c2s/net-buffer-limit[I]=4194304

When the uncompressed data for a connection exceeds this limit, the server stops inflating further data for that connection instead of growing the buffer without bound. We strongly advise updating installed versions of Tigase XMPP Server to the newly released version.
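The following is an added illustration of the mitigation described above, not code from Tigase. It shows why an uncapped inflate is dangerous (a few kilobytes of compressed zeros expand to megabytes) and how a per-connection limit on the uncompressed buffer, analogous to net-buffer-limit, turns the resource exhaustion into a clean stream error. The payload, the limit value and the function names are constructed for this example; Tigase's own implementation is in Java and uses its own buffer handling.

```python
import zlib

# Constructed sample payload: 4 MiB of zero bytes compresses to only a few
# kilobytes, which is the shape of input the advisory warns about.
UNCOMPRESSED_SIZE = 4 * 1024 * 1024
COMPRESSED_PAYLOAD = zlib.compress(b"\0" * UNCOMPRESSED_SIZE, 9)

# Hypothetical per-connection cap on uncompressed data (1 MiB), playing the
# role of the net-buffer-limit setting described in the advisory.
NET_BUFFER_LIMIT = 1024 * 1024


class BufferLimitExceeded(Exception):
    """Raised when a compressed stream inflates past the configured limit."""


def inflate_unbounded(compressed: bytes) -> bytes:
    """The vulnerable pattern: inflate everything, however large it gets."""
    return zlib.decompress(compressed)


def inflate_bounded(compressed: bytes, limit: int = NET_BUFFER_LIMIT,
                    chunk: int = 4096) -> bytes:
    """Inflate a zlib stream but never hold more than `limit` bytes of output.

    zlib.decompressobj(...).decompress(data, max_length) emits at most
    `chunk` bytes per call and parks the unprocessed compressed input in
    `unconsumed_tail`, so the caller can check the running total before
    any further output is materialised.
    """
    d = zlib.decompressobj()
    out = bytearray()
    data = compressed
    while True:
        produced = d.decompress(data, chunk)
        out += produced
        if len(out) > limit:
            # Abort before the buffer grows further; a server would close
            # the offending connection here.
            raise BufferLimitExceeded(
                f"uncompressed data exceeded {limit} bytes after "
                f"{len(compressed)} compressed bytes")
        data = d.unconsumed_tail
        if d.eof:
            break
        if not produced and not data:
            raise ValueError("truncated or incomplete compressed stream")
    return bytes(out)


def compression_ratio(compressed: bytes, uncompressed_size: int) -> float:
    """Expansion factor of a payload (uncompressed bytes per compressed byte)."""
    return uncompressed_size / len(compressed)


if __name__ == "__main__":
    ratio = compression_ratio(COMPRESSED_PAYLOAD, UNCOMPRESSED_SIZE)
    print(f"{len(COMPRESSED_PAYLOAD)} compressed bytes inflate to "
          f"{UNCOMPRESSED_SIZE} bytes (ratio {ratio:.0f}:1)")
    print("unbounded inflate allocated", len(inflate_unbounded(COMPRESSED_PAYLOAD)), "bytes")
    try:
        inflate_bounded(COMPRESSED_PAYLOAD)
    except BufferLimitExceeded as exc:
        print("bounded inflate refused:", exc)
```

The bounded variant raises after producing just over 1 MiB, whereas the unbounded call allocates the full 4 MiB; with a realistic number of concurrent connections that difference is what separates a handled error from an exhausted heap.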