Open-Xchange Security Advisory 2020-08-12

Affected product: Dovecot IMAP server Internal reference: DOP-1849 (Bug ID) Vulnerability type: Uncontrolled recursion (CWE-674) Vulnerable version: 2.0 Vulnerable component: submission, lmtp, lda Fixed version: 2.3.11.3 Report confidence: Confirmed Solution status: Fix available Vendor notification: 2020-04-23 CVE reference: CVE-2020-12100 CVSS: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Vulnerability Details: Receiving mail with deeply nested MIME parts leads to resource exhaustion as Dovecot attempts to parse it.

Risk: Malicious actor can cause denial of service to mail delivery by repeatedly sending mails with bad content.

Workaround: Limit MIME structures in MTA.

Solution: Upgrade to fixed version.

Best regards,

Aki Tuomi Open-Xchange oy