SB2022010404 - Multiple vulnerabilities in Apache James

Published: January 4, 2022

Security Bulletin ID: SB2022010404
Severity: Medium
Patch available: Yes
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 75% (3 of 4)
Low: 25% (1 of 4)

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Infinite loop (CVE-ID: CVE-2021-40111)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop when parsing the IMAP APPEND and STATUS commands. A remote user can send a specially crafted command to the server, consume all available system resources and cause denial of service conditions. Both commands are only accepted in the IMAP authenticated state (RFC 3501), so the attacker needs valid credentials for a mailbox on the server.


2) Command Injection (CVE-ID: CVE-2021-38542)

The vulnerability allows a remote attacker to inject arbitrary commands.

The vulnerability exists due to an incorrect implementation of the STARTTLS command in the IMAP and POP3 servers: data the server has already read from the cleartext connection is not discarded when the session is upgraded to TLS. A remote attacker able to perform a man-in-the-middle (MitM) attack can append IMAP or POP3 commands to the client's STARTTLS request in cleartext; the server executes them after the TLS session is established, as though the client had sent them over the protected channel. Only sessions upgraded with STARTTLS are exposed; connections on implicit-TLS ports never issue the command.
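The exchange described above, as an added example that is not Apache James code: a toy tagged-command loop (IMAP style; POP3's STLS is analogous) is fed TCP segments constructed inline. With the flaw, a command a MitM appended to the cleartext STARTTLS line survives the upgrade and runs inside the TLS session; with the fix, the buffered plaintext is dropped. The segment contents, tags and credentials are made up for the illustration.

```python
"""Toy IMAP command loop contrasting a STARTTLS implementation that keeps
already-buffered plaintext with one that discards it (added example, not
Apache James code)."""
from dataclasses import dataclass, field

CRLF = b"\r\n"


@dataclass
class Session:
    tls: bool = False            # has STARTTLS completed?
    buf: bytes = b""             # bytes read from the socket, not yet parsed
    executed: list = field(default_factory=list)  # (tag, command, ran_over_tls)


def process_segments(segments, discard_plaintext_after_starttls):
    """Feed TCP segments (constructed byte strings) through a minimal
    tagged-command loop and return the commands the server would execute.

    discard_plaintext_after_starttls=False reproduces the flawed behaviour:
    bytes that arrived in the same cleartext read as STARTTLS survive the TLS
    upgrade and run inside the encrypted session.  True models the fix.
    """
    s = Session()
    for seg in segments:
        s.buf += seg
        while CRLF in s.buf:
            line, s.buf = s.buf.split(CRLF, 1)
            tag, _, cmd = line.decode("ascii", "replace").partition(" ")
            if cmd.upper() == "STARTTLS":
                s.tls = True  # a real server wraps the socket in TLS here
                if discard_plaintext_after_starttls:
                    # Fix: data already read in plaintext was never protected
                    # by TLS, so a MitM could have appended it.  Drop it (a
                    # stricter server rejects STARTTLS and closes instead).
                    s.buf = b""
                continue
            s.executed.append((tag, cmd, s.tls))
    return s.executed


if __name__ == "__main__":
    # Constructed segment: the client's STARTTLS plus a command a MitM appended.
    tampered = [b"a001 STARTTLS\r\na002 LOGIN victim hunter2\r\n"]
    print(process_segments(tampered, False))  # injected LOGIN runs "over TLS"
    print(process_segments(tampered, True))   # nothing runs
```

A well-behaved client waits for the server's response to STARTTLS before sending anything else, so the fix costs legitimate clients nothing; the third assertion below shows that a LOGIN sent in a separate read after the upgrade still executes.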


3) Path traversal (CVE-ID: CVE-2021-40525)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to an input validation error: the Sieve file storage implementation does not reject directory traversal sequences (such as "../") in the names it maps to files on disk. A remote user can send a specially crafted request and read or write arbitrary files on the system with the privileges of the James process.
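One way to harden the mapping from a user and script name to a file, as an added example that is not Apache James's own storage code: a syntactic check rejects separators, NUL bytes and dot-only names, then the path is canonicalised and required to be a direct child of the user's directory, so symlinks planted inside the tree cannot redirect reads or writes either. The repository root "/srv/james/sieve" and the user and script names are constructed for the illustration.

```python
"""Hardened resolution of a Sieve script path inside a per-user directory
(added example, not Apache James code).  Paths are constructed for
illustration and need not exist on disk."""
from pathlib import Path


class TraversalError(ValueError):
    """Raised when a user or script name would escape the repository."""


def _check_component(value, what):
    # Syntactic layer: exactly one non-empty path component, no separators,
    # NUL bytes or dot-only names.  Cheap and independent of the filesystem.
    if not value or value in (".", "..") or "\0" in value:
        raise TraversalError(f"invalid {what}: {value!r}")
    if "/" in value or "\\" in value:
        raise TraversalError(f"{what} must not contain path separators: {value!r}")


def resolve_script_path(base_dir, user, script_name):
    """Return the canonical path of <base_dir>/<user>/<script_name>, refusing
    anything that does not resolve to a direct child of the user's directory."""
    _check_component(user, "user")
    _check_component(script_name, "script name")
    root = Path(base_dir).resolve()
    # Semantic layer: canonicalise (follows symlinks, collapses '..') and
    # re-check containment after canonicalisation.
    user_dir = (root / user).resolve()
    if user_dir.parent != root:
        raise TraversalError(f"user directory escapes repository: {user!r}")
    target = (user_dir / script_name).resolve()
    if target.parent != user_dir:
        raise TraversalError(f"script path escapes user directory: {script_name!r}")
    return str(target)


def is_safe_script_path(base_dir, user, script_name):
    """Boolean form of resolve_script_path, convenient for checks and tests."""
    try:
        resolve_script_path(base_dir, user, script_name)
        return True
    except TraversalError:
        return False


if __name__ == "__main__":
    base = "/srv/james/sieve"  # constructed repository root
    print(resolve_script_path(base, "alice", "vacation.sieve"))
    print(is_safe_script_path(base, "alice", "../../../etc/passwd"))  # False
```

Rejecting separators outright is stricter than strictly necessary, but script names have no legitimate reason to contain them, and the canonical-path check remains as a second line of defence for cases the syntactic filter cannot see (symlinks, platform-specific path quirks).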


4) Incorrect Regular Expression (CVE-ID: CVE-2021-40110)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to improper input validation when parsing the IMAP LIST command. The mailbox pattern supplied by the user is matched with a regular expression that backtracks excessively on crafted input, so a remote user can send a specially crafted LIST command and perform a regular expression denial of service (ReDoS), tying up the server's CPU. LIST is an authenticated-state command (RFC 3501), so the attacker needs valid credentials.
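An added example, not Apache James code, of matching IMAP LIST wildcards without a backtracking regex engine. The regex translation shown first is an assumed illustration of the anti-pattern (how such patterns are typically turned into a regex), not the project's actual code; the matcher below it implements the RFC 3501 semantics of "*" and "%" by dynamic programming, so its cost is bounded by the product of the pattern and mailbox-name lengths whatever the input.

```python
"""IMAP LIST wildcard matching without a backtracking regex engine (added
example, not Apache James code)."""
import re


def naive_list_regex(pattern, delimiter="."):
    """Assumed anti-pattern: translate a LIST pattern to a regex, '*' -> '.*'
    and '%' -> '[^delim]*'.  A backtracking engine matching the result against
    a non-matching name re-tries every split point for every wildcard, so the
    cost grows polynomially with the number of wildcards in the pattern."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append(".*")
        elif ch == "%":
            out.append("[^" + re.escape(delimiter) + "]*")
        else:
            out.append(re.escape(ch))
    return "^" + "".join(out) + "$"


def list_pattern_matches(pattern, name, delimiter="."):
    """Return True if `name` matches the IMAP LIST `pattern` (RFC 3501 7.2.2):
    '*' matches any characters including the hierarchy delimiter, '%' matches
    any characters except the delimiter.  Dynamic programming over
    (pattern prefix, name prefix): O(len(pattern) * len(name)) for any input."""
    n = len(name)
    prev = [True] + [False] * n          # empty pattern matches only the empty name
    for p in pattern:
        cur = [False] * (n + 1)
        if p == "*":
            cur[0] = prev[0]
            for j in range(1, n + 1):
                cur[j] = prev[j] or cur[j - 1]       # '*' takes zero or more chars
        elif p == "%":
            cur[0] = prev[0]
            for j in range(1, n + 1):
                # '%' takes zero or more chars, but never the delimiter
                cur[j] = prev[j] or (cur[j - 1] and name[j - 1] != delimiter)
        else:
            for j in range(1, n + 1):
                cur[j] = prev[j - 1] and name[j - 1] == p
        prev = cur
    return prev[n]


if __name__ == "__main__":
    # Constructed inputs: a user-controlled pattern with many wildcards
    # against a long non-matching mailbox name.
    hostile = "*%" * 12 + "x"
    print(naive_list_regex(hostile))                       # what not to run
    print(list_pattern_matches(hostile, "a" * 5000))       # False, promptly
```

The same idea applies to any server that lets a client supply a glob-like pattern: either keep the wildcard matcher out of a backtracking regex engine entirely, as here, or cap the pattern length and wildcard count before compiling it.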


Remediation

Install the update from the vendor's website. Apache James 3.6.1 fixes all four issues; upgrade to that release or later.