Apache James Server is configured by default to avoid being an SMTP open-relay.
SMTP Auth and "Verify Identity" options are enabled when you install James (read more).
SMTP outgoing traffic can be transmitted via SSL by default. Check RemoteDelivery documentation for further explanations.
Apache James Server supports SSL/TLS (read more).
Apache James Server supports different user storage (read more).
Apache James distribution prior to release 3.7.4 allows privilege escalation through the use of JMX.
Severity: Moderate
Mitigation: We recommend turning JMX authentication on. If the CLI is unused, we recommend turning JMX off.
Release 3.7.4 implicitly sets up JMX authentication for Guice based products and addresses the underlying JMX exploits.
Upgrading to Apache James 3.7.4 is thus advised.
Apache James distribution prior to release 3.7.3 is vulnerable to a temporary File Information Disclosure.
Severity: Moderate
Mitigation: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.
Apache James distribution prior to release 3.7.3 is vulnerable to a buffering attack relying on the use of the STARTTLS command.
The fix for CVE-2021-38542, which solved a similar problem in Apache James 3.6.1, is subject to a parser differential and does not take concurrent requests into account.
Severity: Moderate
Mitigation: We recommend upgrading to Apache James 3.7.3 or higher, which fixes this vulnerability.
Apache James Spring distribution prior to release 3.6.1 is vulnerable to attacks leveraging Log4Shell. This can be leveraged to conduct remote code execution with only SMTP access.
Severity: High
Mitigation: We recommend upgrading to Apache James 3.6.1 or higher, which fixes this vulnerability.
Note: Guice distributions are not affected.
Apache James prior to release 3.6.1 is vulnerable to a buffering attack relying on the use of the STARTTLS command. This can result in man-in-the-middle command injection attacks, potentially leading to leakage of sensitive information.
Severity: Moderate
This issue is being tracked as JAMES-1862
Mitigation: We recommend upgrading to Apache James 3.6.1, which fixes this vulnerability.
Furthermore, we recommend, if possible, disabling STARTTLS and relying solely on explicit TLS for mail protocols, including SMTP, IMAP and POP3.
Read more about STARTTLS security here.
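The two STARTTLS advisories above both come down to what a server does with client bytes it had already buffered in plaintext when the TLS handshake starts. RFC 3207 requires the server to discard that buffer and restart the session state on top of TLS; a server that keeps consuming it will execute whatever an on-path attacker appended after the STARTTLS line. The following is an added illustration of that rule, not code from Apache James: a small model of the plaintext phase of a session that shows the correct (discarding) and the vulnerable (carrying over) behaviour side by side, on a constructed input.

```python
"""Model of pre-TLS buffer handling at STARTTLS (added example, not James code).

plaintext_phase() consumes CRLF-terminated command lines until it sees STARTTLS.
At that point a real server performs the TLS handshake; the security-relevant
decision is what happens to bytes that were already sitting in the read buffer.
"""
from typing import List, Tuple


def plaintext_phase(received: bytes, discard_on_starttls: bool) -> Tuple[List[bytes], bytes]:
    """Return (commands executed in plaintext, bytes carried into the TLS phase).

    discard_on_starttls=True  -> RFC 3207 behaviour: the leftover buffer is dropped.
    discard_on_starttls=False -> vulnerable behaviour: the leftover buffer is kept
                                 and later parsed as if it had arrived over TLS.
    """
    executed: List[bytes] = []
    buf = received
    while b"\r\n" in buf:
        line, _, buf = buf.partition(b"\r\n")
        executed.append(line)
        verb = line.split(b" ", 1)[0].upper()
        if verb == b"STARTTLS":
            # The handshake would happen here.  Everything still in `buf` was
            # sent in cleartext and may have been injected by an on-path party.
            return executed, (b"" if discard_on_starttls else buf)
    return executed, buf


def tls_phase_commands(carried: bytes) -> List[bytes]:
    """Commands the server would execute from the carried-over buffer after TLS."""
    return [line for line in carried.split(b"\r\n") if line]


# Constructed sample: a legitimate EHLO and STARTTLS, followed by a command that
# a network attacker could have appended before the handshake.
SAMPLE = (
    b"EHLO client.example\r\n"
    b"STARTTLS\r\n"
    b"MAIL FROM:<injected@example.invalid>\r\n"
)

if __name__ == "__main__":
    for mode in (True, False):
        done, carried = plaintext_phase(SAMPLE, discard_on_starttls=mode)
        print("discard=%s plaintext=%s post-TLS=%s"
              % (mode, done, tls_phase_commands(carried)))
```

With discarding enabled, the injected MAIL FROM never reaches the command loop; with it disabled, the same bytes are executed inside the freshly negotiated TLS session, which is exactly the confusion the advisories describe. The parser-differential and concurrency aspects of the 3.7.3 advisory are not modelled here.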
Using the Jazzer fuzzer, we identified that an IMAP user can craft IMAP LIST commands to orchestrate a Denial of Service using a vulnerable regular expression. This affected Apache James prior to 3.6.1.
Severity: Moderate
This issue is being tracked as JAMES-3635
Mitigation: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.
While fuzzing the IMAP parsing stack with Jazzer, we discovered that crafted APPEND and STATUS IMAP commands could be used to trigger infinite loops resulting in expensive CPU computations and OutOfMemory exceptions. This can be used for a Denial of Service attack. The IMAP user needs to be authenticated to exploit this vulnerability. This affected Apache James prior to version 3.6.1.
Severity: Moderate
This issue is being tracked as JAMES-3634
Mitigation: We recommend upgrading to Apache James 3.6.1, which enforces the use of the RE2J regular expression engine to execute regexes in linear time without backtracking.
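The LIST advisory above is a regular-expression denial of service: a mailbox pattern built from the IMAP wildcards `*` and `%` is translated into a regex, and a backtracking engine can take exponential time on a hostile pattern. James' fix is to run such regexes on RE2J, which is linear in the input. The same guarantee can be obtained without a regex engine at all, by matching the wildcard pattern directly with a dynamic-programming table bounded by pattern length times mailbox length. The matcher below is an added example written for this page, not James' implementation; it assumes the standard LIST semantics (`*` matches any characters including the hierarchy delimiter, `%` matches any characters except the delimiter) and a constructed delimiter of `.`.

```python
"""Bounded-time IMAP LIST wildcard matching (added example, not James code).

Instead of compiling the mailbox pattern to a regex, match it directly: a
single-row dynamic-programming table gives O(len(pattern) * len(mailbox))
work regardless of how many wildcards the client stacks in the pattern.
"""


def list_pattern_matches(pattern: str, mailbox: str, delimiter: str = ".") -> bool:
    """True if `mailbox` matches the IMAP LIST `pattern`.

    '*' matches zero or more characters, including `delimiter`.
    '%' matches zero or more characters, excluding `delimiter`.
    Every other character matches itself.
    """
    m = len(mailbox)
    # prev[j] is True when the pattern consumed so far matches mailbox[:j].
    prev = [True] + [False] * m
    for p in pattern:
        cur = [False] * (m + 1)
        if p in "*%":
            # A wildcard may match the empty string (inherit prev[j]) or extend
            # a match by one more mailbox character (cur[j-1]), subject to the
            # delimiter restriction for '%'.
            cur[0] = prev[0]
            for j in range(1, m + 1):
                extend = cur[j - 1] and (p == "*" or mailbox[j - 1] != delimiter)
                cur[j] = prev[j] or extend
        else:
            for j in range(1, m + 1):
                cur[j] = prev[j - 1] and mailbox[j - 1] == p
        prev = cur
    return prev[m]


def filter_mailboxes(pattern: str, mailboxes, delimiter: str = "."):
    """Return the subset of `mailboxes` a LIST with `pattern` should report."""
    return [mb for mb in mailboxes if list_pattern_matches(pattern, mb, delimiter)]


# Constructed sample hierarchy for demonstration.
SAMPLE_MAILBOXES = ["INBOX", "INBOX.Sent", "INBOX.Sent.2023", "Archive", "Archive.Old"]

if __name__ == "__main__":
    for pat in ("*", "%", "INBOX.%", "INBOX.*", "*.2023"):
        print("%-10s -> %s" % (pat, filter_mailboxes(pat, SAMPLE_MAILBOXES)))
```

Because the work per pattern character is one pass over the mailbox name, a pattern such as thirty consecutive `%` wildcards costs thirty passes rather than an exponential search, and the server can additionally cap pattern length as a cheap first line of defence.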
The Apache James ManagedSieve implementation, together with the file storage for Sieve scripts, is vulnerable to path traversal, allowing reading and writing of any file.
Severity: Moderate
This issue is being tracked as JAMES-3646
Mitigation: This vulnerability has been patched in Apache James 3.6.1 and higher. We recommend the upgrade.
This could also be mitigated by ensuring manageSieve is disabled, which is the case by default.
Distributed and Cassandra based products are also not impacted.
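The ManagedSieve issue above is the classic shape of a path-traversal bug: a client-supplied script name is joined onto a storage directory without being constrained, so names containing `..` or separators escape the per-user directory. The following is an added example written for this page (it is not James' Sieve storage code) of how such a lookup should be done: an allow-list on the name, then a canonicalised-path check that the result still lies under the storage root. The root directory, user name and script names are constructed for the demonstration.

```python
"""Traversal-safe mapping from (user, script name) to a file (added example).

Two independent controls are applied: the name must match a strict allow-list,
and the canonical path must remain inside the storage root.  Either alone would
catch the obvious "../" case; together they also cover symlinks under the root
and any future loosening of the allow-list.
"""
import re
from pathlib import Path

# Allow-list for user and script names: no separators, no traversal tokens.
NAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


class InvalidScriptName(ValueError):
    """Raised when a user or script name is rejected."""


def resolve_script_path(scripts_root: str, user: str, script_name: str) -> Path:
    """Return the canonical file path for `user`'s script, or raise."""
    for component in (user, script_name):
        if not NAME_RE.fullmatch(component) or component in (".", ".."):
            raise InvalidScriptName(component)
    root = Path(scripts_root).resolve()
    candidate = (root / user / (script_name + ".sieve")).resolve()
    # Defence in depth: resolve() follows symlinks, so a link planted under the
    # root pointing outside it is also caught here.
    if root not in candidate.parents:
        raise InvalidScriptName(script_name)
    return candidate


def relative_script_path(scripts_root: str, user: str, script_name: str) -> str:
    """Same lookup, returned relative to the root (convenient for logging/tests)."""
    resolved = resolve_script_path(scripts_root, user, script_name)
    return resolved.relative_to(Path(scripts_root).resolve()).as_posix()


def is_safe_script_request(scripts_root: str, user: str, script_name: str) -> bool:
    """Boolean form of the check for use in a request filter."""
    try:
        resolve_script_path(scripts_root, user, script_name)
        return True
    except InvalidScriptName:
        return False


if __name__ == "__main__":
    # Constructed root; it does not need to exist for the path check to run.
    root = "/tmp/sieve-scripts-example"
    for user, name in (("alice", "vacation"), ("alice", "../../etc/passwd"),
                       ("..", "x"), ("bob", "a/b")):
        print(user, name, "->", is_safe_script_request(root, user, name))
```

Rejecting the name before touching the filesystem keeps error handling simple, while the canonical-path check guards against the cases a regex cannot see, such as symlinks already present in the script directory.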
The Apache James Server prior to version 3.0.1 is vulnerable to Java deserialization issues.
One can use this for privilege escalation.
This issue can be mitigated by:
Read more here.