{"vuid":"VU#495476","idnumber":"495476","name":"Openfire contains an uncontrolled resource consumption vulnerability","keywords":["cwe-400","openfire","memory","resource","exhaustion","xmpp","deflate","compression"],"overview":"Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption (CWE-400) vulnerability when using XMPP DEFLATE message compression.","clean_desc":"Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption (CWE-400) vulnerability when using XMPP DEFLATE message compression. It has been reported that a highly compressed XMPP message of 4MB that uncompresses to 4GB may cause a resource exhaustion denial of service. The highly compressed XMPP messages may be sent in parallel to enhance the denial of service.","impact":"A remote unauthenticated attacker may be able to cause a denial-of-service condition.","resolution":"We are currently unaware of a practical solution to this problem. A fix is available in the development branch of Openfire but a stable release is not available yet. Please consider the following workarounds.","workarounds":"Restrict Network Access As a general good security practice, only allow connections from trusted hosts and networks if possible. Restricting access would prevent an attacker from connecting to the service from a blocked network location. 
Disable XMPP Compression Navigate to the menu Server -> Server Settings -> Compression Settings -> Client Compression Policy and check the option Not Available - Clients will not receive the option to use compressed traffic.","sysaffected":"","thanks":"Thanks to Giancarlo Pellegrino for reporting this vulnerability.","author":"This document was written by Jared Allar.","public":["https://cwe.mitre.org/data/definitions/400.html","http://www.igniterealtime.org/projects/openfire/","http://community.igniterealtime.org/thread/52317","http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77","http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/"],"cveids":["CVE-2014-2741"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2014-02-19T19:06:50Z","publicdate":"2014-04-16T00:00:00Z","datefirstpublished":"2014-04-16T21:21:59Z","dateupdated":"2014-04-23T18:54:48Z","revision":21,"vrda_d1_directreport":"1","vrda_d1_population":"3","vrda_d1_impact":"3","cam_widelyknown":"0","cam_exploitation":"0","cam_internetinfrastructure":"0","cam_population":"0","cam_impact":"0","cam_easeofexploitation":"0","cam_attackeraccessrequired":"0","cam_scorecurrent":"0","cam_scorecurrentwidelyknown":"0","cam_scorecurrentwidelyknownexploited":"0","ipprotocol":"tcp","cvss_accessvector":"N","cvss_accesscomplexity":"L","cvss_authentication":null,"cvss_confidentialityimpact":"N","cvss_integrityimpact":"N","cvss_availabilityimpact":"C","cvss_exploitablity":null,"cvss_remediationlevel":"W","cvss_reportconfidence":"C","cvss_collateraldamagepotential":"ND","cvss_targetdistribution":"M","cvss_securityrequirementscr":"ND","cvss_securityrequirementsir":"ND","cvss_securityrequirementsar":"ND","cvss_basescore":"7.8","cvss_basevector":"AV:N/AC:L/Au:N/C:N/I:N/A:C","cvss_temporalscore":"7","cvss_environmentalscore":"5.2704127854","cvss_environmentalvector":"CDP:ND/TD:M/CR:ND/IR:ND/AR:ND","metric":0.0,"vulnote":null}