CVE-2021-32918

7.5 HIGH

📋 TL;DR

This vulnerability in the Prosody XMPP server allows unauthenticated remote attackers to cause a denial of service via memory exhaustion. It affects Prosody servers running under Lua 5.2 or Lua 5.3 with default configurations. The attack can crash the server by exhausting available memory.

💻 Affected Systems

Products:
  • Prosody XMPP Server
Versions: All versions before 0.11.9
Operating Systems: All operating systems running affected Prosody versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when running under Lua 5.2 or Lua 5.3; Lua 5.1 and LuaJIT are not affected.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage with the Prosody server crashing due to memory exhaustion, potentially affecting all connected XMPP clients and services.

🟠 Likely Case

Service disruption and server crashes requiring a manual restart, with potential data loss for in-memory sessions.

🟢 If Mitigated

Minimal impact once patched or workarounds are applied; normal operation is otherwise unaffected.

🌐 Internet-Facing: HIGH - Remote unauthenticated attacks make internet-facing servers particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal servers are still vulnerable but attack surface is reduced.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is in default settings and requires no authentication, making exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.11.9

Vendor Advisory: https://blog.prosody.im/prosody-0.11.9-released/

Restart Required: Yes

Instructions:

1. Back up configuration and data.
2. Stop the Prosody service.
3. Update to Prosody 0.11.9 or later via package manager or from source.
4. Restart the Prosody service.
5. Verify the service is running correctly.

🔧 Temporary Workarounds

Memory limit configuration (platform: all)

Configure memory limits in the Prosody configuration to limit the impact.
Edit prosody.cfg.lua and add: memory_limit = "512MB"

Network access restrictions (platform: linux)

Restrict access to Prosody ports to trusted networks only.
Configure firewall rules to limit access to ports 5222, 5269, 5280, 5281.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to Prosody services
  • Monitor memory usage closely and implement automated restart scripts for when memory thresholds are exceeded

🔍 How to Verify

Check if Vulnerable:

Check Prosody version and Lua version: prosodyctl about | grep -E 'version|Lua'

Check Version:

prosodyctl about | grep 'version'

Verify Fix Applied:

Verify version is 0.11.9 or later: prosodyctl about | grep 'version'
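The two checks above (version before 0.11.9, Lua 5.2 or 5.3) are easy to get wrong with a bare grep, because a lexical comparison treats 0.11.10 as older than 0.11.9. The script below is an added example, not code from the CVE card or from the Prosody project: it parses the text of `prosodyctl about`, compares the version numerically and applies the card's Lua-runtime criteria. It assumes the output contains a "Prosody X.Y.Z" line and a "Lua version:" line mentioning "Lua 5.x" (or "LuaJIT"); the sample outputs embedded in it are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the advisory page or Prosody itself): classify a
# host for CVE-2021-32918 from the text of `prosodyctl about`, using the
# card's criteria: Prosody older than 0.11.9 AND running under Lua 5.2 or 5.3.
# Assumption: output has a "Prosody X.Y.Z" line and a "Lua version:" line
# containing "Lua 5.x" (or "LuaJIT"); adjust the sed patterns if yours differs.

# Turn a dotted version such as "0.11.7" into a zero-padded sortable key
# ("000011007"). Missing components count as 0; suffixes like "rc1" are dropped.
ver_key() (
    IFS=.
    set -- $1
    a=${1:-0}; b=${2:-0}; c=${3:-0}
    a=${a%%[!0-9]*}; b=${b%%[!0-9]*}; c=${c%%[!0-9]*}
    printf '%03d%03d%03d' "${a:-0}" "${b:-0}" "${c:-0}"
)

# Exit 0 when version $1 is strictly older than version $2 (numeric, not lexical).
version_older_than() {
    [ "$(ver_key "$1")" -lt "$(ver_key "$2")" ]
}

# Print VULNERABLE, NOT_VULNERABLE or UNKNOWN for the `prosodyctl about` text in $1.
cve_2021_32918_status() {
    about=$1
    prosody_ver=$(printf '%s\n' "$about" | sed -n 's/^Prosody \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    lua_ver=$(printf '%s\n' "$about" | sed -n 's/.*Lua \([0-9]\.[0-9]\).*/\1/p' | head -n 1)

    if [ -z "$prosody_ver" ]; then
        echo UNKNOWN; return 0
    fi
    # Fixed releases are out of scope regardless of the Lua runtime.
    if ! version_older_than "$prosody_ver" 0.11.9; then
        echo NOT_VULNERABLE; return 0
    fi
    # The card lists LuaJIT as unaffected; treat any mention of it as such.
    if printf '%s\n' "$about" | grep -qi luajit; then
        echo NOT_VULNERABLE; return 0
    fi
    case $lua_ver in
        5.2|5.3) echo VULNERABLE ;;
        5.1)     echo NOT_VULNERABLE ;;
        *)       echo UNKNOWN ;;
    esac
}

# Constructed sample outputs (not captured from a real host) for a dry run.
SAMPLE_VULNERABLE='Prosody 0.11.7

# Lua environment
Lua version:            Lua 5.2'

SAMPLE_FIXED='Prosody 0.11.9

# Lua environment
Lua version:            Lua 5.3'

SAMPLE_LUA51='Prosody 0.11.5

# Lua environment
Lua version:            Lua 5.1'

# Check the live host when prosodyctl is present; otherwise dry-run the samples.
if command -v prosodyctl >/dev/null 2>&1; then
    cve_2021_32918_status "$(prosodyctl about 2>/dev/null)"
else
    for s in "$SAMPLE_VULNERABLE" "$SAMPLE_FIXED" "$SAMPLE_LUA51"; do
        printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(cve_2021_32918_status "$s")"
    done
fi
```

An UNKNOWN result means the parser did not find what it expected (a distribution build may print a different banner); in that case inspect `prosodyctl about` by hand rather than treating the host as safe.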

📡 Detection & Monitoring

Log Indicators:

  • High memory usage warnings
  • Process crashes
  • Out of memory errors in system logs

Network Indicators:

  • Unusual high-volume connections to XMPP ports
  • Connection patterns suggesting DoS attempts

SIEM Query:

source="prosody.log" AND ("out of memory" OR "memory limit" OR "killed")
