Jabber Gadu-Gadu Transport denial of service

jabber-gadugadu-dos (15319). The risk level is classified as Low Risk.

Description:

The Jabber Gadu-Gadu Transport (jabber-gg-transport) is vulnerable to a denial of service. Jabber Gadu-Gadu Transport fails to properly import rosters and handle user re-registrations and null <priority/> tags. A remote attacker can use this vulnerability to cause a denial of service.

Platforms Affected:

  • Jacek Konieczny, Jabber Gadu-Gadu Transport 1.2.2

Remedy:

Upgrade to the latest version of Jabber Gadu-Gadu Transport (2.0.8 or later), available from the Jabber Studio Web site. See References.

Consequences:

Denial of Service

References:

  • Jabber Studio Web site, 2.0.8 released at http://www.jabberstudio.org/projects/jabber-gg-transport/news/view.php?id=421.
  • BID-9710: Jabber Software Jabber Gadu-Gadu Transport Multiple Remote Denial Of Service Vulnerabilities
  • CVE-2004-2389: Unknown vulnerability in Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2.0.8 allows remote attackers to cause a denial of service (infinite loop) via user re-registration.
  • CVE-2004-2390: The roster import functionality in Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2.0.8, when using libgadu 1.0 and later, allows attackers to cause a denial of service via unknown vectors.
  • CVE-2004-2391: Jabber Gadu-Gadu Transport (a.k.a. jabber-gg-transport) 2.0.x before 2.0.8 allows remote attackers to cause a denial of service via a message with an empty <priority/> tag.
  • OSVDB ID: 4057: jabber-gg-transport Unspecified User Re-registration DoS
  • SA10974: jabber-gg-transport Multiple Denial of Service Vulnerabilities
  • SECTRACK ID: 1009248: Jabber Gadu-Gadu Transport May Let Remote Users Deny Service

Reported:

Feb 25, 2004

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
