CVE-2016-10027
https://notcve.org/view.php?id=CVE-2016-10027
Race condition in the XMPP library in Smack before 4.1.9, when the SecurityMode.required TLS setting has been set, allows man-in-the-middle attackers to bypass TLS protections and trigger use of cleartext for client authentication by stripping the "starttls" feature from a server response.

• http://www.openwall.com/lists/oss-security/2016/12/22/12
• http://www.securityfocus.com/bid/95129
• https://community.igniterealtime.org/blogs/ignite/2016/11/22/smack-security-advisory-2016-11-22
• https://github.com/igniterealtime/Smack/commit/059ee99ba0d5ff7758829acf5a9aeede09ec820b
• https://github.com/igniterealtime/Smack/commit/a9d5cd4a611f47123f9561bc5a81a4555fe7cb04
• https://issues.igniterealtime.org/projects/SMACK/issues/SMACK-739
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/

• CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CVE-2014-5075 – smack: MitM vulnerability
https://notcve.org/view.php?id=CVE-2014-5075
The Ignite Realtime Smack XMPP API 4.x before 4.0.2, and 3.x and 2.x when a custom SSLContext is used, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

It was found that SSLSocket in Smack did not perform hostname verification. An attacker could redirect traffic between an application and an XMPP server by providing a valid certificate for a domain under the attacker's control.

• http://op-co.de/CVE-2014-5075.html
• http://rhn.redhat.com/errata/RHSA-2015-1176.html
• http://secunia.com/advisories/59915
• http://www.securityfocus.com/bid/69064
• https://access.redhat.com/security/cve/CVE-2014-5075
• https://bugzilla.redhat.com/show_bug.cgi?id=1127276

• CWE-310: Cryptographic Issues

CVE-2014-0363 – smack: incorrect X.509 certificate validation
https://notcve.org/view.php?id=CVE-2014-0363
The ServerTrustManager component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify basicConstraints and nameConstraints in X.509 certificate chains from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate chain.

It was found that the ServerTrustManager in the Smack XMPP API did not verify basicConstraints and nameConstraints in X.509 certificate chains. A man-in-the-middle attacker could use this flaw to spoof servers and obtain sensitive information.

• http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released
• http://issues.igniterealtime.org/browse/SMACK-410
• http://rhn.redhat.com/errata/RHSA-2015-1176.html
• http://secunia.com/advisories/59290
• http://secunia.com/advisories/59291
• http://www.kb.cert.org/vuls/id/489228
• http://www.securityfocus.com/bid/67119
• https://access.redhat.com/security/cve/CVE-2014-0363
• https://bugzilla.redhat.com/show_bug.cgi?id=1093273

• CWE-295: Improper Certificate Validation

CVE-2014-0364 – smack: IQ response spoofing
https://notcve.org/view.php?id=CVE-2014-0364
The ParseRoster component in the Ignite Realtime Smack XMPP API before 4.0.0-rc1 does not verify the from attribute of a roster-query IQ stanza, which allows remote attackers to spoof IQ responses via a crafted attribute.

It was found that the ParseRoster component in the Smack XMPP API did not verify the From attribute of a roster-query IQ stanza. A remote attacker could use this flaw to spoof IQ responses.

• http://community.igniterealtime.org/blogs/ignite/2014/04/17/asmack-400-rc1-has-been-released
• http://rhn.redhat.com/errata/RHSA-2015-1176.html
• http://secunia.com/advisories/59290
• http://secunia.com/advisories/59291
• http://www.kb.cert.org/vuls/id/489228
• http://www.securityfocus.com/bid/67124
• https://access.redhat.com/security/cve/CVE-2014-0364
• https://bugzilla.redhat.com/show_bug.cgi?id=1093276

• CWE-345: Insufficient Verification of Data Authenticity