Apache James Server is configured by default to avoid being an SMTP open-relay.
SMTP Auth and "Verify Identity" options are enabled when you install James.
SMTP outgoing traffic can be transmitted via SSL by default. Check RemoteDelivery documentation for further explanations.
Apache James Server supports SSL/TLS.
Apache James Server supports different user storages.
Disclaimer: JMX poses several security concerns and has been leveraged to conduct arbitrary code execution.
This threat is mitigated by not allowing remote connections to JMX and by setting up authentication and pre-authentication filters.
However, we recommend either running James in isolation (Docker or its own virtual machine) or disabling JMX altogether.
The James JMX endpoint backs the command line utilities and exposes a few metrics, which are also available on the metrics endpoint.
Apache James MIME4J prior to version 0.8.10 allows attackers who can specify the value of one header field to craft additional header fields.
Severity: Moderate
Mitigation: Release 0.8.10 rejects the use of LF inside a header field, preventing the issue. Upgrading to Apache James MIME4J 0.8.10 is thus advised.
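As an added illustration of the rule described above (this is example code, not MIME4J's implementation), the validator below refuses any header field value containing LF or CR, so a value supplied by a sender can never terminate its own field and start another one. The header names and values in `SAMPLE` are constructed for the demonstration; `rejected_fields` is a hypothetical helper that scans a whole header set.

```python
import re

# RFC 5322 field-name: printable US-ASCII except ':' (0x21-0x39, 0x3B-0x7E).
_FIELD_NAME = re.compile(r"[!-9;-~]+")


def is_safe_header_value(value: bytes) -> bool:
    """True if the value cannot terminate the field and start a new one.

    Mirrors the rule the advisory describes for MIME4J 0.8.10: a bare LF
    (and, to be safe, a CR) inside the value is rejected outright instead
    of being written through into the header block. Values are expected
    unfolded; folding, if needed, is applied only when serialising.
    """
    return b"\n" not in value and b"\r" not in value


def build_header(name: str, value: bytes) -> bytes:
    """Serialise one header field, refusing to emit an injectable value."""
    if not _FIELD_NAME.fullmatch(name):
        raise ValueError("invalid header field name")
    if not is_safe_header_value(value):
        raise ValueError("CR/LF inside header field value")
    return name.encode("ascii") + b": " + value + b"\r\n"


def rejected_fields(fields: dict) -> list:
    """Names of the fields whose values would inject extra header lines."""
    return [name for name, value in fields.items()
            if not is_safe_header_value(value)]


# Constructed sample: the second value carries a bare LF followed by text
# that a lenient serialiser would emit as a brand-new header field.
SAMPLE = {
    "Subject": b"Quarterly report",
    "X-Note": b"ok\nX-Injected: yes",
}

if __name__ == "__main__":
    print(build_header("Subject", SAMPLE["Subject"]))
    print("rejected:", rejected_fields(SAMPLE))
```

Rejecting rather than sanitising is deliberate: stripping the offending bytes would silently change a message, whereas a hard failure surfaces the attempt in application logs where it can be monitored.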
Apache James distributions prior to release 3.7.5 and release 3.8.1 are subject to SMTP smuggling when used in combination with another vulnerable server; this can result in SPF bypass, leading to email forgery.
Severity: High
Mitigation:
Releases 3.7.5 and 3.8.1 strictly interpret the CRLF delimiter and thus prevent the issue.
Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.
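To make the strict-delimiter mitigation concrete, here is an added example (not Apache James code) of a DATA-phase reader that ends a message only at the exact `<CRLF>.<CRLF>` sequence required by RFC 5321. Sequences such as `<LF>.<LF>` stay inside the message body instead of being treated as a terminator, which is what prevents a second message from being spliced into one DATA transaction. The byte strings used in the tests are constructed for the demonstration.

```python
STRICT_EOD = b"\r\n.\r\n"  # the only end-of-data sequence accepted


def undo_dot_stuffing(body: bytes) -> bytes:
    """RFC 5321 4.5.2: a line starting with '.' had that dot doubled by the client."""
    lines = body.split(b"\r\n")
    return b"\r\n".join(line[1:] if line.startswith(b".") else line
                        for line in lines)


def split_smtp_data(stream: bytes):
    """Return (message_body, remaining_bytes) or None if no terminator yet.

    `stream` holds everything received after the 354 reply to DATA. The
    terminator is searched as a full CRLF.CRLF sequence; a bare LF or a bare
    CR around the dot is ordinary message content and never ends the DATA
    phase, so a differing interpretation on another server cannot turn the
    tail of this message into a second SMTP transaction here.
    """
    # Prepend a virtual CRLF so a message that is empty (stream starts with
    # ".\r\n") is recognised without special-casing.
    probe = b"\r\n" + stream
    idx = probe.find(STRICT_EOD)
    if idx == -1:
        return None                      # keep buffering
    body = stream[:max(idx - 2, 0)]      # map back into `stream`
    end = idx + len(STRICT_EOD) - 2
    return undo_dot_stuffing(body), stream[end:]


if __name__ == "__main__":
    # Constructed stream: a message containing a bare-LF "\n.\n" sequence,
    # followed by the real terminator and a further pipelined command.
    print(split_smtp_data(b"line\n.\nmore\r\n.\r\nQUIT\r\n"))
```

Returning `None` until the full terminator is present is the other half of the defence: the reader never guesses at a boundary on a partial read.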
Apache James distributions prior to release 3.7.5 and 3.8.1 allow privilege escalation via JMX pre-authentication deserialisation. An attacker would need to identify a deserialisation glitch before triggering an exploit.
Severity: Moderate
Mitigation: We recommend turning off JMX whenever possible.
Releases 3.7.5 and 3.8.1 disable deserialisation on unauthenticated channels.
Upgrading to Apache James 3.7.5 or 3.8.1 is thus advised.
Apache James distribution prior to release 3.7.4 allows privilege escalation through the use of JMX.
Severity: Moderate
Mitigation: We recommend turning authentication on. If the CLI is unused, we recommend turning JMX off.
Release 3.7.4 implicitly sets up JMX authentication for Guice-based products and addresses the underlying JMX exploits.
Upgrading to Apache James 3.7.4 is thus advised.
Apache James distributions prior to release 3.7.3 are vulnerable to a temporary-file information disclosure.
Severity: Moderate
Mitigation: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.
Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
The fix for CVE-2021-38542, which addressed a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.
Severity: Moderate
Mitigation: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.
Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell. This can be leveraged to conduct remote code execution with only SMTP access.
Severity: High
Mitigation: We recommend upgrading to Apache James 3.6.1 or higher, which fixes this vulnerability.
Note: Guice distributions are not affected.
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.
Severity: Moderate
This issue is being tracked as JAMES-1862
Mitigation: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.
Furthermore, we recommend, if possible, disabling STARTTLS and relying solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3.
Read more about STARTTLS security here.
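The two STARTTLS buffering entries above (the 3.6.1 fix and its 3.7.3 follow-up) both come down to one server-side rule: any plaintext the client pipelined after `STARTTLS` must be discarded before the TLS handshake, never replayed as if it had arrived under TLS. The toy command loop below is an added example of that rule and is not Apache James code; `StartTlsSession` and `replay_plaintext` are hypothetical names, and the command strings fed to it are constructed.

```python
class StartTlsSession:
    """Minimal SMTP command loop modelling only the STARTTLS transition."""

    def __init__(self):
        self.buffer = b""         # raw bytes not yet parsed into a command
        self.tls_pending = False  # STARTTLS accepted, handshake not done
        self.tls_active = False
        self.discarded = b""      # plaintext dropped at the STARTTLS boundary

    def feed(self, data: bytes) -> list:
        """Feed bytes from the transport and return the replies to send."""
        replies = []
        if self.tls_pending:
            # Nothing may be parsed until the TLS layer is in place.
            self.discarded += data
            return replies
        self.buffer += data
        while b"\r\n" in self.buffer:
            line, self.buffer = self.buffer.split(b"\r\n", 1)
            command = line.strip().upper()
            if command == b"STARTTLS":
                replies.append(b"220 Ready to start TLS")
                # Whatever followed STARTTLS in the same read travelled in
                # clear text; dropping it closes the injection window that
                # replaying it after the handshake would open.
                self.discarded += self.buffer
                self.buffer = b""
                self.tls_pending = True
                break
            replies.append(b"250 OK")  # every other command accepted blindly here
        return replies

    def handshake_done(self):
        """Call once the TLS handshake completed; parsing resumes on TLS bytes."""
        assert self.buffer == b"", "buffer must be empty when TLS starts"
        self.tls_pending, self.tls_active = False, True


def replay_plaintext(data: bytes):
    """Feed one pipelined plaintext blob, finish TLS if requested, and
    return (replies, discarded_bytes) for inspection."""
    session = StartTlsSession()
    replies = session.feed(data)
    if session.tls_pending:
        session.handshake_done()
    return replies, session.discarded


if __name__ == "__main__":
    print(replay_plaintext(b"EHLO c\r\nSTARTTLS\r\nMAIL FROM:<a@example.test>\r\n"))
```

A practical check for an existing deployment is to log the length of `discarded` whenever it is non-zero: legitimate clients send nothing after `STARTTLS` until the handshake completes, so any non-empty value is worth an alert.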
Using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a denial of service using a vulnerable regular expression. This affected Apache James prior to 3.6.1.
Severity: Moderate
This issue is being tracked as JAMES-3635
Mitigation: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.
While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops, resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a denial of service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1.
Severity: Moderate
This issue is being tracked as JAMES-3634
Mitigation: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.
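The LIST entry above turns on one property: matching cost must be bounded by the input size rather than by how many ways a backtracking engine can try to match. The function below is an added example (not James code and not RE2J) that evaluates the IMAP LIST wildcards directly with a dynamic-programming table, so a pattern of repeated `%` against a long mailbox name costs pattern length times name length and nothing more. The mailbox names and patterns in the tests are constructed; the `.` hierarchy delimiter is an assumption of the example.

```python
def imap_list_match(pattern: str, name: str, delimiter: str = ".") -> bool:
    """Match an IMAP LIST pattern against a mailbox name in O(len(pattern) * len(name)).

    RFC 3501 wildcards: '*' matches any sequence of characters, '%' matches
    any sequence that does not contain the hierarchy delimiter. Every other
    character matches itself. The table row `prev[j]` records whether
    pattern[:i] matches name[:j]; there is no recursion and no backtracking,
    so pathological patterns cannot blow up the running time.
    """
    n = len(name)
    prev = [False] * (n + 1)
    prev[0] = True                       # empty pattern matches empty name
    for p in pattern:
        cur = [False] * (n + 1)
        if p in "*%":
            cur[0] = prev[0]             # wildcard may match nothing
            for j in range(1, n + 1):
                c = name[j - 1]
                # Either the wildcard matches nothing at this point (prev[j])
                # or it extends its current run by one more character.
                extend = cur[j - 1] and (p == "*" or c != delimiter)
                cur[j] = prev[j] or extend
        else:
            for j in range(1, n + 1):
                cur[j] = prev[j - 1] and name[j - 1] == p
        prev = cur
    return prev[n]


if __name__ == "__main__":
    # Constructed mailbox names; a pattern of thirty '%' is the kind of input
    # that makes a backtracking engine re-explore the same positions.
    for pat in ("*", "%", "INBOX.%", "INBOX.*", "%" * 30 + "x"):
        print(pat, imap_list_match(pat, "INBOX.Sent.2023"))
```

The same table-driven approach generalises to any fixed set of wildcards; what matters for the denial-of-service case is that each input character is examined a bounded number of times per pattern character.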
The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file.
Severity: Moderate
This issue is being tracked as JAMES-3646
Mitigation: This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade.
This can also be mitigated by ensuring ManageSieve is disabled, which is the case by default.
Distributed and Cassandra-based products are also not impacted.
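For a file-backed script store like the one described above, the defensive check is to resolve the requested path and verify it still lies inside the per-user directory before touching the file system. The code below is an added example, not James's ManagedSieve implementation; the `<root>/<user>/<script>` layout, the `SIEVE_ROOT` location and the helper names are assumptions made for the demonstration.

```python
from pathlib import Path


def resolve_sieve_script(root: Path, user: str, script: str) -> Path:
    """Return the on-disk path for `script` belonging to `user`, confined to `root`.

    Names containing path separators or the special entries '.' and '..' are
    rejected outright instead of being sanitised, and the fully resolved path
    (symlinks included) must remain under the user's own directory.
    """
    if not user or not script:
        raise ValueError("empty user or script name")
    for part in (user, script):
        if "/" in part or "\\" in part or part in (".", ".."):
            raise ValueError(f"invalid name: {part!r}")
    base = root.resolve()
    user_dir = base / user
    target = (user_dir / script).resolve()
    try:
        # relative_to raises ValueError when `target` is not under `user_dir`
        target.relative_to(user_dir)
    except ValueError:
        raise ValueError("script path escapes the sieve root") from None
    return target


def is_rejected(root: Path, user: str, script: str) -> bool:
    """True if the store refuses the (user, script) pair."""
    try:
        resolve_sieve_script(root, user, script)
    except ValueError:
        return True
    return False


# Constructed root directory; it does not need to exist for path resolution.
SIEVE_ROOT = Path.cwd() / "sieve-example"

if __name__ == "__main__":
    print(resolve_sieve_script(SIEVE_ROOT, "alice", "vacation.sieve"))
    print(is_rejected(SIEVE_ROOT, "alice", "../bob/secret.sieve"))
```

Checking the resolved path rather than the string is what catches symlinks and encoded variants; the explicit separator check on top of it keeps user-visible error messages specific.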
The Apache James Server prior to version 3.0.1 is vulnerable to Java deserialisation issues.
One can use this for privilege escalation.
This issue can be mitigated by: