SMTP Security

Apache James Server is configured by default to avoid being an SMTP open-relay.

SMTP Auth and "Verify Identity" options are enabled when you install James (read more).

SMTP outgoing traffic can be transmitted via SSL by default. Check RemoteDelivery documentation for further explanations.

Encryption Security

Apache James Server supports SSL/TLS (read more).

User Credential Security

Apache James Server supports different user storage (read more).

Reported vulnerabilities

Reporting vulnerabilities

We follow the standard procedures within the ASF regarding vulnerability handling.

CVE-2021-44228: STARTTLS command injection in Apache JAMES

Apache James distribution prior to release 3.7.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command.

The fix for CVE-2021-38542, which solved a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.

Severity: Moderate

Mitigation: We recommend upgrading to Apache James 3.7.1 or higher, which fixes this vulnerability.

CVE-2021-44228: Log4Shell

Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell. This can be leveraged to conduct remote code execution with only SMTP access.

Severity: High

Mitigation: We recommend upgrading to Apache James 3.6.1 or higher, which fixes this vulnerability.

Note: Guice distributions are not affected.

CVE-2021-38542: Apache James vulnerable to STARTTLS command injection (IMAP and POP3)

Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.

Severity: Moderate

This issue is being tracked as JAMES-1862

Mitigation: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.

Furthermore, we recommend, if possible, disabling STARTTLS and relying solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3.

Read more about STARTTLS security here.
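The STARTTLS buffering issue behind CVE-2021-38542 and the later SMTP advisory above comes down to one server-side decision: what to do with plaintext bytes that arrive in the same read as the STARTTLS line. The following constructed model (added here, not Apache James code; the buffers, function names and reply strings are assumptions) contrasts a handler that carries those bytes into the TLS session with one that refuses the upgrade and drops them.

```python
# Constructed model of the STARTTLS buffering flaw and a hardened check.
# Not Apache James code: a minimal stand-in for a server's plaintext read loop.
from dataclasses import dataclass
from typing import Tuple

CRLF = b"\r\n"

@dataclass
class UpgradeDecision:
    accepted: bool       # start the TLS handshake?
    response: bytes      # plaintext reply sent before any handshake
    carried_over: bytes  # plaintext bytes that would be executed inside the TLS session

def split_at_starttls(buf: bytes) -> Tuple[bytes, bytes]:
    """Split a receive buffer into (bytes through the STARTTLS line, remainder)."""
    pos = 0
    while True:
        end = buf.find(CRLF, pos)
        if end < 0:
            raise ValueError("no complete STARTTLS line in buffer")
        line = buf[pos:end]
        pos = end + len(CRLF)
        if line.strip().upper() == b"STARTTLS":
            return buf[:pos], buf[pos:]

def vulnerable_upgrade(buf: bytes) -> UpgradeDecision:
    """Flawed handling: whatever followed STARTTLS in the same read survives the
    handshake and is parsed as the first command of the 'encrypted' session."""
    _, rest = split_at_starttls(buf)
    return UpgradeDecision(True, b"220 Ready to start TLS\r\n", rest)

def hardened_upgrade(buf: bytes) -> UpgradeDecision:
    """Fixed handling: bytes pipelined after STARTTLS arrived in the clear, so they
    are never carried into the TLS session; refuse the upgrade and drop them."""
    _, rest = split_at_starttls(buf)
    if rest:
        return UpgradeDecision(False, b"503 5.5.1 STARTTLS must be the last plaintext command\r\n", b"")
    return UpgradeDecision(True, b"220 Ready to start TLS\r\n", b"")

def first_tls_command(decision: UpgradeDecision, encrypted_bytes: bytes) -> bytes:
    """The first command line the server would execute after the handshake."""
    stream = decision.carried_over + encrypted_bytes
    return stream.split(CRLF, 1)[0]

# Constructed input: a plaintext NOOP pipelined behind STARTTLS in one TCP read.
PIPELINED = b"EHLO mail.example\r\nSTARTTLS\r\nNOOP pipelined-in-clear\r\n"
CLEAN = b"EHLO mail.example\r\nSTARTTLS\r\n"
```

The same check applies to IMAP and POP3 STARTTLS: the advisory notes that a per-parser check alone was not enough under concurrent requests, so the discard must happen at the connection's buffer before the handshake begins.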

CVE-2021-40110: Apache James IMAP vulnerable to a ReDoS

Using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1.

Severity: Moderate

This issue is being tracked as JAMES-3635

Mitigation: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.

CVE-2021-40111: Apache James IMAP parsing Denial Of Service

While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1.

Severity: Moderate

This issue is being tracked as JAMES-3634

Mitigation: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.

CVE-2021-40525: Apache James: Sieve file storage vulnerable to path traversal attacks

The Apache James ManagedSieve implementation, alongside the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file.

Severity: Moderate

This issue is being tracked as JAMES-3646

Mitigation: This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend upgrading.

This can also be mitigated by ensuring ManageSieve is disabled, which is the case by default.

Distributed and Cassandra based products are also not impacted.

CVE-2017-12628: Privilege escalation using JMX

Apache James Server prior to version 3.0.1 is vulnerable to Java deserialization issues.

One can use this for privilege escalation.

This issue can be mitigated by:

  • Upgrading to James 3.0.1 onward
  • Using a recent JRE (Exploit could not be reproduced on OpenJdk 8 u141)
  • Exposing JMX socket only to localhost (default behaviour)
  • Possibly running James in a container
  • Disabling JMX altogether (Guice only)

Read more here.