<?xml version="1.0"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing,
software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
KIND, either express or implied. See the License for the
specific language governing permissions and limitations
under the License.
-->
<document>
<properties>
<title>Apache James Server 3 - Security</title>
</properties>
<body>
<section name="SMTP Security">
<p>Apache James Server is configured by default to avoid being an SMTP open-relay.</p>
<p>SMTP Auth and "Verify Identity" options are enabled when you install James (<a href="config-smtp-lmtp.html">read more</a>).</p>
<p>SMTP outgoing traffic can be transmitted via SSL by default. Check <a href="https://james.apache.org/server/3/dev-provided-mailets.html#RemoteDelivery">RemoteDelivery</a> documentation for
further explanations.</p>
</section>
<section name="Encryption Security">
<p>Apache James Server supports SSL/TLS (<a href="config-ssl-tls.html">read more</a>).</p>
</section>
<section name="User Credential Security">
<p>Apache James Server supports several user storage backends (<a href="config-users.html">read more</a>).</p>
</section>
<section name="JMX">
<p><b>Disclaimer: </b> JMX poses several security concerns and has been leveraged to conduct arbitrary code execution.
This threat is mitigated by not allowing remote connections to JMX and by setting up authentication and pre-authentication filters.
However, we recommend either running James in isolation (docker / own virtual machine) or disabling JMX altogether.<br/>
The James JMX endpoint provides command line utilities and exposes a few metrics, which are also available on the metric endpoint.</p>
</section>
<section name="Reported vulnerabilities">
<subsection name="Reporting vulnerabilities">
We follow the standard procedures within the ASF regarding
<a href="https://apache.org/security/committers.html#vulnerability-handling">vulnerability handling</a>.
</subsection>
<subsection name="CVE-2024-37358: Denial of service through the use of IMAP literals">
<p> Apache James prior to versions 3.8.2 or 3.7.6 allows an attacker
to trigger a denial of service by exploiting IMAP literals.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: Update to Apache James 3.8.2 or 3.7.6 onward.</p>
</subsection>
<subsection name="CVE-2024-45626: Denial of service through JMAP HTML to text conversion">
<p> Apache James prior to versions 3.8.2 or 3.7.6 allows a logged-in attacker
to trigger a denial of service by exploiting HTML to text conversion.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: Update to Apache James 3.8.2 or 3.7.6 onward.</p>
</subsection>
<subsection name="CVE-2024-21742: Mime4J DOM header injection">
<p> Apache JAMES MIME4J prior to version 0.8.10 allows attackers able to specify the value of a header field to craft other header fields.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: Release 0.8.10 rejects the use of LF inside a header field, thus preventing the issue.
Upgrading to Apache James MIME4J 0.8.10 is thus advised.</p>
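<p>The mechanism behind this advisory, as an added example that is not Mime4J code: a header value containing LF, written out verbatim, becomes a separate header field for the receiving parser, whereas a serializer that rejects CR and LF in values (the behaviour the advisory describes for 0.8.10) refuses to emit it. The field names and sample values are constructed for illustration.</p>

```python
"""Header field injection via LF, and the rejection that closes it.

Added example, not Mime4J code. A header field value that contains a
line break, when written out verbatim, becomes a line break in the
message: the text after it is parsed as a separate header field.
Rejecting CR and LF in values prevents that.
"""
CRLF = "\r\n"

# Constructed sample: the value of one field smuggles a second field name
INJECTED_FIELDS = [("Subject", "constructed sample\nX-Injected: yes")]
CLEAN_FIELDS = [("Subject", "constructed sample")]


def serialize_naive(fields):
    """Write fields verbatim; a value containing LF splits into two lines."""
    return CRLF.join(f"{name}: {value}" for name, value in fields) + CRLF


def serialize_strict(fields):
    """Reject any value containing CR or LF before writing anything."""
    for name, value in fields:
        if "\r" in value or "\n" in value:
            raise ValueError(f"line break in header field {name!r}")
    return serialize_naive(fields)


def is_rejected(fields):
    """True when the strict serializer refuses the given fields."""
    try:
        serialize_strict(fields)
    except ValueError:
        return True
    return False


def parse_header_names(raw):
    """Field names a simple RFC 5322 parser sees in a header block.

    Lines starting with whitespace are folded continuations and are
    not counted as new fields.
    """
    names = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if ":" in line and not line[0].isspace():
            names.append(line.split(":", 1)[0])
    return names
```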
</subsection>
<subsection name="CVE-2023-51747: SMTP smuggling in Apache James">
<p> Apache James distribution prior to release 3.7.5 and release 3.8.1 is subject to SMTP smuggling when used in combination
with another vulnerable server, which can result in SPF bypass, leading to email forgery.</p>
<p><b>Severity</b>: High</p>
<p><b>Mitigation</b>:
Release 3.7.5 and 3.8.1 strictly interpret the CRLF delimiter and thus prevent the issue.<br/>
Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.</p>
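<p>The parser differential behind SMTP smuggling, as an added example that is not James code: a receiver that ends the DATA phase only at CRLF '.' CRLF sees one message where a lenient receiver that also accepts bare LF or bare CR around the dot sees two. The sample stream is constructed; the check at the end is the kind of comparison a defender can run against a captured DATA stream.</p>

```python
"""Strict vs lenient SMTP end-of-data detection.

Added example, not James code. After DATA, a message ends at the
sequence CRLF '.' CRLF (RFC 5321). Receivers that also accept LF '.' LF
or CR '.' CR disagree with strict ones about where a message ends; two
servers with different rules are the ingredient of SMTP smuggling.
"""
import re

STRICT_TERMINATOR = b"\r\n.\r\n"
# Lenient rule: any of CRLF, LF or CR on either side of the dot
LENIENT_TERMINATOR = re.compile(rb"(\r\n|\n|\r)\.(\r\n|\n|\r)")

# Constructed sample: a body line containing a bare-LF dot sequence,
# followed by the proper CRLF '.' CRLF terminator.
SAMPLE_STREAM = (
    b"Subject: constructed sample\r\n\r\n"
    b"hello\n.\nsecond part\r\n.\r\n"
)
CLEAN_STREAM = b"Subject: constructed sample\r\n\r\nhello\r\n.\r\n"


def split_messages(stream, strict):
    """Split a raw DATA stream into messages using the chosen terminator rule."""
    if strict:
        parts = stream.split(STRICT_TERMINATOR)
    else:
        parts = LENIENT_TERMINATOR.split(stream)
        # re.split interleaves the two captured delimiters; keep text only
        parts = [p for i, p in enumerate(parts) if i % 3 == 0]
    # Drop the empty tail that follows the final terminator
    return [p for p in parts if p]


def message_count_differs(stream):
    """True when strict and lenient parsing disagree on the message count.

    A difference means a lenient peer would deliver more messages than a
    strict one from the same bytes, which is the smuggling condition.
    """
    strict_count = len(split_messages(stream, strict=True))
    lenient_count = len(split_messages(stream, strict=False))
    return strict_count != lenient_count
```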
</subsection>
<subsection name="CVE-2023-51518: Privilege escalation via JMX pre-authentication deserialisation">
<p> Apache James distribution prior to release 3.7.5 and 3.8.1 allows privilege escalation via JMX pre-authentication deserialisation.
An attacker would need to identify a deserialization glitch before triggering an exploit.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: We recommend turning off JMX whenever possible.<br/>
Release 3.7.5 and 3.8.1 disable deserialization on unauthenticated channels.<br/>
Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.</p>
</subsection>
<subsection name="CVE-2023-26269: Privilege escalation through unauthenticated JMX">
<p> Apache James distribution prior to release 3.7.4 allows privilege escalation through the use of JMX.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: We recommend turning authentication on. If the CLI is unused, we recommend turning JMX off.<br/>
Release 3.7.4 implicitly sets up JMX authentication for Guice based products and addresses the underlying JMX exploits.<br/>
Upgrading to Apache James 3.7.4 is thus advised.</p>
</subsection>
<subsection name="CVE-2022-45935: Temporary File Information Disclosure in Apache JAMES">
<p>Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.</p>
</subsection>
<subsection name="CVE-2021-44228: STARTTLS command injection in Apache JAMES">
<p>Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.</p>
<p>The fix for CVE-2021-38542, which addressed a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.</p>
<p><b>Severity</b>: Moderate</p>
<p><b>Mitigation</b>: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.</p>
</subsection>
<subsection name="CVE-2021-44228: Log4Shell">
<p>Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell.
This can be leveraged to conduct remote code execution with only SMTP access.</p>
<p><b>Severity</b>: High</p>
<p><b>Mitigation</b>: We recommend upgrading to Apache James 3.6.1 or higher, which fixes this vulnerability.</p>
<p>Note: Guice distributions are not affected.</p>
</subsection>
<subsection name="CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)">
<p>Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS
command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage
of sensitive information.</p>
<p><b>Severity</b>: Moderate</p>
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-1862">JAMES-1862</a></p>
<p><b>Mitigation</b>: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.</p>
<p>Furthermore, we recommend, if possible, disabling STARTTLS and relying solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3.</p>
<p>Read more <a href="https://nostarttls.secvuln.info/">about STARTTLS security here</a>.</p>
</subsection>
<subsection name="CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS">
<p>Using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial
Of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1.</p>
<p><b>Severity</b>: Moderate</p>
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3635">JAMES-3635</a></p>
<p><b>Mitigation</b>: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular
expression engine to execute regexes in linear time without back-tracking.</p>
</subsection>
<subsection name="CVE-2021-40111: Apache James IMAP parsing Denial Of Service">
<p>While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands
could be used to trigger infinite loops, resulting in expensive CPU computations and OutOfMemory exceptions.
This can be used for a Denial Of Service attack. The IMAP user needs to be authenticated to exploit this
vulnerability. This affected Apache James prior to version 3.6.1.</p>
<p><b>Severity</b>: Moderate</p>
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3634">JAMES-3634</a></p>
<p><b>Mitigation</b>: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular
expression engine to execute regexes in linear time without back-tracking.</p>
</subsection>
<subsection name="CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks ">
<p>The Apache James ManagedSieve implementation, together with the file storage for sieve scripts, is vulnerable
to path traversal, allowing reading and writing any file.</p>
<p><b>Severity</b>: Moderate</p>
<p>This issue is being tracked as <a href="https://issues.apache.org/jira/browse/JAMES-3646">JAMES-3646</a></p>
<p><b>Mitigation</b>: This vulnerability has been patched in Apache
James 3.6.1 and higher. We recommend the upgrade.<br/><br/>
This could also be mitigated by ensuring manageSieve is disabled, which is the case by default.<br/><br/>
Distributed and Cassandra based products are also not impacted.</p>
</subsection>
<subsection name="CVE-2017-12628 Privilege escalation using JMX">
<p>The Apache James Server prior to version 3.0.1 is vulnerable to Java deserialization issues.</p>
<p>One can use this for privilege escalation.</p>
<p>This issue can be mitigated by:</p>
<ul>
<li>Upgrading to James 3.0.1 onward</li>
<li>Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)</li>
<li>Exposing JMX socket only to localhost (default behaviour)</li>
<li>Possibly running James in a container</li>
<li>Disabling JMX altogether (Guice only)</li>
</ul>
<p>Read more <a href="http://james.apache.org//james/update/2017/10/20/james-3.0.1.html">here</a>.</p>
</subsection>
</section>
</body>
</document>