Snikket Server - 2022-01-13 security release

Posted by Matthew Wild on January 13 2022

A security flaw has been found and fixed in a core component of the Snikket server software, Prosody. A fix has been released today, and it is recommended that everyone upgrades as soon as possible to receive the fix.

The flaw would allow an attacker to trigger the Snikket server to consume extreme amounts of resources (CPU and RAM), resulting in a denial of service.

Upgrading

You can find instructions for upgrading to the latest release in our upgrade guide.

If you are a Snikket hosting customer, you will receive an email with information about upgrading your instance.

Questions

What is a “Denial of Service” attack?

A “Denial of Service” attack (DoS) is any attack that causes an internet service (such as Snikket) to become unavailable to its users, i.e. unable to handle requests. In Snikket’s case, this means users would be temporarily unable to exchange messages, make calls, or share media and files.

Is any data at risk?

This flaw does not expose any data to the attacker. It simply causes Snikket to consume large amounts of CPU and memory and stop responding to its users.

What is the impact of this issue?

Snikket may use large amounts of CPU and RAM while trying to handle traffic that has been specially crafted by an attacker to trigger this flaw. If Snikket is running on a server alongside other services, Snikket’s excessive use of resources may negatively impact those services as well.

How was this issue discovered?

The issue was discovered by the Prosody development team during a review of the code. It is not known to have been actively exploited by anyone. However, now that the fix has been published, it may bring more attention to the flaw. It is recommended that you upgrade as soon as possible.

What other changes are in this release?

This security release only contains changes that fix the security issue. No features or other fixes have been introduced in this release.

Is there a workaround?

If you cannot upgrade immediately, you can run the following command in your Snikket directory (where docker-compose.yml is located) to disable WebSocket support temporarily:

docker-compose exec -it snikket prosodyctl shell module unload websocket

WebSocket support is enabled by default, but none of the official Snikket clients use it; it is only needed by web-based clients. Web-based clients should, in addition, be able to fall back (or be configured to fall back) to the BOSH endpoint, which is not affected by this flaw.

Note that the above workaround is temporary - it will be reset if you restart Snikket for any reason. It is recommended to upgrade Snikket to achieve a permanent fix.

How can I tell if my version is affected?

The fix has been released in ‘beta.20220113’.

To check your version, log in to the Snikket web portal with your admin account. Then click on the “Snikket service” text at the bottom of the page. View the section “Software Versions” and ensure that the ‘Prosody’ component reports Snikket test 48-3d061. If you see 0.dev, 37-e5d49 or any number lower than 48 then your Snikket is not up to date yet. Follow the upgrade guide.
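The version check above and the temporary WebSocket workaround are both things an operator of several instances may want to script. The following is an added example, not part of the Snikket advisory or the Snikket project's own tooling. It assumes the "Prosody" string shown in the portal has the form "<build>-<hash>" (such as "48-3d061" or "37-e5d49"), that "0.dev" denotes a development build with no build number, and that the advisory's docker-compose command is run from the directory containing docker-compose.yml. The version strings fed in at the bottom are constructed sample values, not real portal output.

```shell
#!/bin/sh
# Added example (not from the Snikket advisory): decide from the "Prosody"
# version string shown under "Software Versions" in the Snikket web portal
# whether the 2022-01-13 fix (build 48 or later) is present, and wrap the
# advisory's temporary workaround so it is only applied on request.
#
# Assumptions (not stated by the advisory in this form): the string looks
# like "<build>-<hash>", e.g. "48-3d061"; "0.dev" has no build number and is
# treated as "not verified" rather than as fixed.

FIXED_BUILD=48

# is_fixed VERSION -> exit 0 if the build number is >= 48, 1 otherwise.
is_fixed() {
    ver=$1
    build=${ver%%-*}              # everything before the first '-'
    case $build in
        ''|*[!0-9]*) return 1 ;;  # "0.dev", empty or non-numeric: not verified
    esac
    [ "$build" -ge "$FIXED_BUILD" ]
}

# check_and_report VERSION -> print a verdict, return is_fixed's status.
check_and_report() {
    if is_fixed "$1"; then
        echo "$1: fix present (build >= $FIXED_BUILD)"
        return 0
    fi
    echo "$1: NOT fixed - upgrade, or unload WebSocket support as a stopgap"
    return 1
}

# The advisory's temporary workaround. It must be run in the directory that
# contains docker-compose.yml, and it is undone by any restart of Snikket,
# so it is deliberately not run automatically here.
apply_workaround() {
    docker-compose exec -it snikket prosodyctl shell module unload websocket
}

# Constructed sample inputs (not real portal output):
for v in 48-3d061 37-e5d49 0.dev 50-abcdef; do
    check_and_report "$v"
done
```

Run the script as-is to see the verdict for each sample string; to apply the stopgap on a real instance, call apply_workaround from the Snikket directory and remember that the change does not survive a restart.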

Further information

If you have any questions or concerns about this release, you can join the Snikket community chat or contact us directly.