CVE-2024-37358

8.6 HIGH

📋 TL;DR

Apache James email servers are vulnerable to denial of service attacks where attackers can abuse IMAP literals to cause unbounded memory allocation and excessive computations. This affects both authenticated and unauthenticated users, potentially crashing or severely degrading server performance. Organizations running vulnerable Apache James versions are at risk.

💻 Affected Systems

Products:
  • Apache James
Versions: All versions before 3.7.6 and 3.8.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both authenticated and unauthenticated IMAP access

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage through resource exhaustion, making the email server unavailable to all users.

🟠 Likely Case

Severe performance degradation leading to service disruption and potential data loss for email services.

🟢 If Mitigated

Minimal impact with proper network controls and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Similar to CVE-2024-34055: requires IMAP access, but no authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.7.6 or 3.8.2

Vendor Advisory: https://lists.apache.org/thread/1pxsh11v5s3fkvhnqvkmlqwt3fgpcrqc

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Download Apache James 3.7.6 or 3.8.2 from the official Apache repository.
3. Stop the James service.
4. Replace the James installation with the patched version.
5. Restart the James service.
6. Verify service functionality.

🔧 Temporary Workarounds

Restrict IMAP Access (applies to: all)

Limit IMAP access to trusted networks only, using firewall rules.

Rate Limit IMAP Connections (applies to: all)

Implement connection rate limiting at the network or application level.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Apache James servers
  • Deploy a web application firewall with IMAP protocol inspection capabilities

🔍 How to Verify

Check if Vulnerable:

Check the Apache James version: if it is below 3.7.6 (3.7.x) or 3.8.2 (3.8.x), the system is vulnerable.

Check Version:

java -jar james-server.jar --version

Verify Fix Applied:

Verify that the version is 3.7.6 or 3.8.2 and test IMAP functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusually large IMAP literal requests
  • Memory allocation errors
  • High CPU usage from IMAP processes

Network Indicators:

  • Multiple IMAP connections with large payloads
  • Abnormal IMAP command sequences

SIEM Query:

source="apache_james" AND (message="*IMAP*" OR message="*literal*") AND (message="*memory*" OR message="*allocation*")
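A concrete form of the "unusually large IMAP literal requests" indicator above, as an added example that is not part of this write-up or of Apache James: it scans IMAP command logs for literal announcements (`{octets}` or `{octets+}`) and flags a single oversized literal or a connection whose cumulative literal bytes exceed a limit. The log line layout, connection ids and size thresholds are constructed for the demo; adapt the regexes to the format your server actually emits.

```python
"""Flag oversized IMAP literals in IMAP command logs (added example,
not Apache James code). Log layout below is constructed for the demo."""
import re
from collections import defaultdict

# IMAP literal announcement "{<octets>}" or non-synchronising "{<octets>+}"
# (RFC 3501 / RFC 7888) at the end of a client command line.
LITERAL_RE = re.compile(r"\{(\d+)\+?\}\s*$")
# Constructed layout: <timestamp> conn=<id> C: <imap command line>
LINE_RE = re.compile(r"^(\S+)\s+conn=(\d+)\s+C:\s+(.*)$")

MAX_LITERAL_BYTES = 50 * 1024 * 1024     # 50 MiB for any single literal
MAX_CONN_TOTAL_BYTES = 64 * 1024 * 1024  # 64 MiB cumulative per connection

# Constructed sample: one benign APPEND, one absurd literal, one connection
# that stays under the per-literal cap but accumulates past the total cap.
SAMPLE_LOG = """\
2024-06-01T12:00:00Z conn=7 C: a001 LOGIN alice secret
2024-06-01T12:00:01Z conn=7 C: a002 APPEND INBOX {4096}
2024-06-01T12:00:02Z conn=9 C: b001 APPEND INBOX {2147483647}
2024-06-01T12:00:03Z conn=11 C: c001 AUTHENTICATE PLAIN {41943040+}
2024-06-01T12:00:04Z conn=11 C: c002 AUTHENTICATE PLAIN {41943040+}
"""

def find_oversized_literals(log_text, max_literal=MAX_LITERAL_BYTES,
                            max_conn_total=MAX_CONN_TOTAL_BYTES):
    """Return (kind, connection id, bytes) alerts for literals above the
    single-literal limit or pushing a connection over its cumulative limit."""
    alerts = []
    per_conn = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a client command line
        conn, cmd = m.group(2), m.group(3)
        lit = LITERAL_RE.search(cmd)
        if not lit:
            continue                      # command carries no literal
        size = int(lit.group(1))
        per_conn[conn] += size
        if size > max_literal:
            alerts.append(("oversized_literal", conn, size))
        elif per_conn[conn] > max_conn_total:
            alerts.append(("connection_total_exceeded", conn, per_conn[conn]))
    return alerts

if __name__ == "__main__":
    for alert in find_oversized_literals(SAMPLE_LOG):
        print(alert)
```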
