Executive Summary
Summary | |
---|---|
Title | ejabberd: Multiple Denial of Service vulnerabilities |
Information | |||
---|---|---|---|
Name | GLSA-201206-10 | First vendor Publication | 2012-06-21 |
Vendor | Gentoo | Last vendor Modification | 2012-06-21 |
Severity (Vendor) | Normal | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:P) | |||
---|---|---|---|
Cvss Base Score | 5 | Attack Range | Network |
Cvss Impact Score | 2.9 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Synopsis | Multiple vulnerabilities have been found in ejabberd, the worst of which allows for remote Denial of Service. |
Availability | http://security.gentoo.org/glsa/glsa-201206-10.xml |
Original Source
Url : http://security.gentoo.org/glsa/glsa-201206-10.xml |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
67 % | CWE-399 | Resource Management Errors |
33 % | CWE-20 | Improper Input Validation |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:12946 | |||
Oval ID: | oval:org.mitre.oval:def:12946 | ||
Title: | DSA-2248-1 ejabberd -- denial of service | ||
Description: | Wouter Coekaerts discovered that ejabberd, a distributed XMPP/Jabber server written in Erlang, is vulnerable to the so-called "billion laughs" attack because it does not prevent entity expansion on received data. This allows an attacker to perform denial of service attacks against the service by sending specially crafted XML data to it. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2248-1 CVE-2011-1753 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 Debian GNU/Linux 6.0 Debian GNU/kFreeBSD 6.0 | Product(s): | ejabberd |
Definition Synopsis: | |||
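The "billion laughs" entry above describes the defect only at the level of "does not prevent entity expansion". The check a server actually needs is simpler than expansion accounting: RFC 6120 (section 11.1) forbids DTD subsets and any entity reference other than the five predefined ones in an XML stream, so the stream can be aborted the moment the parser reports a DOCTYPE or entity declaration, before anything is expanded. The following is an added example, not ejabberd's code (ejabberd is Erlang; this is Python so it runs anywhere). The stanzas and the attack document are constructed for the example, and the 64 KiB character-data cap is an arbitrary assumed limit.

```python
"""Guard against XML entity expansion ("billion laughs") on an XMPP stream.

Added example, not ejabberd's code.  RFC 6120 section 11.1 forbids DTD
subsets and entity references other than the five predefined ones in an
XML stream, so a server can abort the stream as soon as expat reports a
DOCTYPE or entity declaration, before any expansion takes place.  The
stanzas and the attack document below are constructed for this example.
"""
import xml.parsers.expat


class ForbiddenXMLConstruct(Exception):
    """The peer sent XML that an XMPP stream must never contain."""


def parse_stream_fragment(data, max_text_bytes=64 * 1024):
    """Parse one stream fragment with expat.

    Aborts on any DOCTYPE or entity declaration and caps the total character
    data delivered, so even a parser that did expand something could not be
    made to produce unbounded output.  Returns the element names in order.
    """
    parser = xml.parsers.expat.ParserCreate()
    elements = []
    text_bytes = 0

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise ForbiddenXMLConstruct("DOCTYPE %r is not allowed in an XMPP stream" % name)

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        raise ForbiddenXMLConstruct("entity %r declared inside the stream" % name)

    def on_start(name, attrs):
        elements.append(name)

    def on_chars(text):
        nonlocal text_bytes
        text_bytes += len(text.encode("utf-8"))
        if text_bytes > max_text_bytes:
            raise ForbiddenXMLConstruct("character data exceeds %d bytes" % max_text_bytes)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    return elements


def check_stanza(data):
    """Return (accepted, reason).  An expat error also counts as rejection,
    which covers newer expat builds that refuse amplification on their own."""
    try:
        elements = parse_stream_fragment(data)
    except ForbiddenXMLConstruct as exc:
        return False, str(exc)
    except xml.parsers.expat.ExpatError as exc:
        return False, "malformed XML: %s" % exc
    return True, "ok: " + ",".join(elements)


# Constructed inputs: an ordinary chat stanza and a classic billion-laughs document.
NORMAL_STANZA = b'<message to="juliet@example.com" type="chat"><body>R &amp; J</body></message>'

BILLION_LAUGHS = b"""<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<message><body>&lol3;</body></message>"""

if __name__ == "__main__":
    for label, doc in (("normal", NORMAL_STANZA), ("billion laughs", BILLION_LAUGHS)):
        print(label, check_stanza(doc))
```

The predefined entity `&amp;` in the normal stanza passes because expat does not report predefined entities through `EntityDeclHandler`; the attack document is rejected at the DOCTYPE, before a single entity is declared or expanded. The character-data cap is a second, independent line of defence for the case where a deployment cannot refuse DTDs outright.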
Definition Id: oval:org.mitre.oval:def:13558 | |||
Oval ID: | oval:org.mitre.oval:def:13558 | ||
Title: | DSA-2033-1 ejabberd -- heap overflow | ||
Description: | It was discovered that in ejabberd, a distributed XMPP/Jabber server written in Erlang, a problem in ejabberd_c2s.erl allows remote authenticated users to cause a denial of service by sending a large number of c2s messages; that triggers an overload of the queue, which in turn causes a crash of the ejabberd daemon. For the stable distribution, this problem has been fixed in version 2.0.1-6+lenny2. For the testing distribution, this problem has been fixed in version 2.1.2-2. We recommend that you upgrade your ejabberd packages. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2033-1 CVE-2010-0305 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | ejabberd |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:7590 | |||
Oval ID: | oval:org.mitre.oval:def:7590 | ||
Title: | DSA-2033 ejabberd -- heap overflow | ||
Description: | It was discovered that in ejabberd, a distributed XMPP/Jabber server written in Erlang, a problem in ejabberd_c2s.erl allows remote authenticated users to cause a denial of service by sending a large number of c2s messages; that triggers an overload of the queue, which in turn causes a crash of the ejabberd daemon. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-2033 CVE-2010-0305 | Version: | 5 |
Platform(s): | Debian GNU/Linux 5.0 | Product(s): | ejabberd |
Definition Synopsis: | |||
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2012-08-10 | Name : Gentoo Security Advisory GLSA 201206-10 (ejabberd) File : nvt/glsa_201206_10.nasl |
2012-04-02 | Name : Fedora Update for ejabberd FEDORA-2011-16281 File : nvt/gb_fedora_2011_16281_ejabberd_fc16.nasl |
2011-12-20 | Name : ejabberd 'mod_pubsub' Module Denial of Service Vulnerability File : nvt/gb_ejabberd_50737.nasl |
2011-12-19 | Name : Fedora Update for ejabberd FEDORA-2011-16282 File : nvt/gb_fedora_2011_16282_ejabberd_fc15.nasl |
2011-08-03 | Name : Debian Security Advisory DSA 2248-1 (ejabberd) File : nvt/deb_2248_1.nasl |
2011-08-03 | Name : FreeBSD Ports: ejabberd File : nvt/freebsd_ejabberd1.nasl |
2011-07-12 | Name : Fedora Update for ejabberd FEDORA-2011-8415 File : nvt/gb_fedora_2011_8415_ejabberd_fc15.nasl |
2011-07-08 | Name : Fedora Update for ejabberd FEDORA-2011-8437 File : nvt/gb_fedora_2011_8437_ejabberd_fc14.nasl |
2011-06-24 | Name : ejabberd XML Parsing Denial of Service Vulnerability (Windows) File : nvt/secpod_ejabberd_dos_vuln_win.nasl |
2010-04-21 | Name : Debian Security Advisory DSA 2033-1 (ejabberd) File : nvt/deb_2033_1.nasl |
2010-04-21 | Name : FreeBSD Ports: ejabberd File : nvt/freebsd_ejabberd0.nasl |
2010-02-08 | Name : ejabberd 'client2server' Message Remote Denial of Service Vulnerability File : nvt/ejabberd_38003.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
77302 | ejabberd mod_pubsub Module <publish> Stanza Parsing Remote DoS |
73170 | ejabberd Entity Expansion Recursion XML Nested Entity Handling DoS ejabberd fails to properly detect recursion during entity expansion, allowing a context-dependent attacker to use a crafted XML document to cause a denial of service. |
62066 | ejabberd ejabberd_c2s.erl c2s Message Saturation Remote DoS |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2015-01-19 | Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_ejabberd_20140731.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2011-0881.nasl - Type : ACT_GATHER_INFO |
2013-01-24 | Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2011-0882.nasl - Type : ACT_GATHER_INFO |
2012-06-22 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201206-10.nasl - Type : ACT_GATHER_INFO |
2011-12-19 | Name : The remote Fedora host is missing a security update. File : fedora_2011-16281.nasl - Type : ACT_GATHER_INFO |
2011-12-19 | Name : The remote Fedora host is missing a security update. File : fedora_2011-16282.nasl - Type : ACT_GATHER_INFO |
2011-06-30 | Name : The remote Fedora host is missing a security update. File : fedora_2011-8415.nasl - Type : ACT_GATHER_INFO |
2011-06-30 | Name : The remote Fedora host is missing a security update. File : fedora_2011-8437.nasl - Type : ACT_GATHER_INFO |
2011-06-27 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_01d3ab7d9c4311e0bc0f0014a5e3cda6.nasl - Type : ACT_GATHER_INFO |
2011-06-10 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2248.nasl - Type : ACT_GATHER_INFO |
2010-04-20 | Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_a04a3c13493211df83fb0015587e2cc1.nasl - Type : ACT_GATHER_INFO |
2010-04-16 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-2033.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Informations |
---|---|
2014-02-17 11:37:22 |