CVE-2022-0217: Prosody remote DOS via websocket - fixed version 0.11.12

Prosody has published a security advisory that all Prosody versions prior to 0.11.12 are vulnerable to a remote denial of service attack if XMPP via websockets is enabled: Prosody XMPP server advisory 2022-01-13 (Remote Denial of Service)

As the default Jitsi installation has XMPP via websocket enabled in Prosody (jitsi-meet/jitsi-meet.example at master · jitsi/jitsi-meet · GitHub), this seems relevant to this community.

Patches / Updates:

If your distro has not patched yet, the patch attached to the advisory can be manually applied as well, citing from the advisory:

  1. Locate prosody/util/xml.lua, e.g. `/usr/share/lua/5.1/prosody/util/xml.lua`
  2. Navigate to the directory containing the xml.lua file and apply the attached patch using `patch -p2 < 1.patch`.
  3. Now restart Prosody. There is no known-to-be-safe way to reload the util/xml.lua file without a complete Prosody restart.

Alternatively, one can install the Prosody package from upstream: [How to] How do I update Prosody?


FYI: A follow-up Prosody version, 0.11.13, was released that fixes a memory leak caused by the security fix in 0.11.12. For details, see Prosody 0.11.13 released | Prosodical Thoughts

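A quick self-check for the two points raised in this thread (the 0.11.12 fix and the 0.11.13 leak fix, plus whether the websocket module is actually enabled), written as an added example rather than code from the advisory or the Jitsi project. It assumes a Prosody version string of the form `0.11.11` and a config that enables modules through a Lua `modules_enabled = { ... }` table, as the stock jitsi-meet config does; the config fragment it checks is constructed inline.

```shell
#!/bin/sh
# Added example (not from the advisory or Jitsi): classify an installed
# Prosody version against the versions named in this thread and check
# whether "websocket" is enabled in a modules_enabled table of a config.
# Assumed: versions look like "0.11.11"; jitsi-meet style Lua config.

# Return 0 if version $1 (major.minor.patch) is older than version $2.
version_lt() {
    a=$1 b=$2 old_ifs=$IFS
    IFS=.
    set -- $a; a1=${1:-0} a2=${2:-0} a3=${3:-0}
    set -- $b; b1=${1:-0} b2=${2:-0} b3=${3:-0}
    IFS=$old_ifs
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Print one of: vulnerable | fixed-leaky | fixed
prosody_status() {
    if version_lt "$1" 0.11.12; then
        echo vulnerable      # < 0.11.12: remote DoS via websocket (CVE-2022-0217)
    elif version_lt "$1" 0.11.13; then
        echo fixed-leaky     # 0.11.12: DoS fixed, but memory leak from the fix
    else
        echo fixed           # >= 0.11.13
    fi
}

# Return 0 if "websocket" appears uncommented inside any modules_enabled table.
websocket_enabled() {
    sed -n '/modules_enabled[[:space:]]*=/,/}/p' "$1" \
        | grep -v '^[[:space:]]*--' \
        | grep -q '"websocket"'
}

# Write a constructed config fragment (shaped like the jitsi-meet one) to $1.
write_sample_cfg() {
    printf '%s\n' 'modules_enabled = {' '    "bosh";' '    "websocket";' \
        '    -- "turncredentials";' '}' > "$1"
}

cfg=$(mktemp) && write_sample_cfg "$cfg"
echo "0.11.11 -> $(prosody_status 0.11.11)"              # vulnerable
websocket_enabled "$cfg" && echo "websocket module enabled in $cfg"
rm -f "$cfg"
```

On a real host, feed `prosody_status` the version reported by `prosodyctl about` and point `websocket_enabled` at `/etc/prosody/conf.d/<your-domain>.cfg.lua`.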