Cisco: CISCO-SA-20130319-CVE-2013-1161
Mar 19, 2013 - 2:50 p.m.

Cisco Jabber IM for Android Denial of Service Vulnerability

2013-03-19 14:50:53
tools.cisco.com

CVSS2: 6.3 Medium (AV:N/AC:M/Au:S/C:N/I:N/A:C)

Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

EPSS: 0.001 Low (Percentile: 50.5%)

A vulnerability in the XML parser of Cisco Jabber IM for Android could allow an authenticated, remote attacker to prevent the client from connecting, causing a denial of service condition.

The vulnerability is due to insufficient validation of crafted Extensible Messaging and Presence Protocol (XMPP) presence update messages, which are received when the client tries to connect to the XMPP server. An attacker could exploit this vulnerability by sending a crafted XMPP presence update message to the affected client. To successfully exploit this vulnerability, the attacker would need to convince the user of the affected client to add the attacker to the user's “Buddy” list.

Cisco has confirmed the vulnerability and software updates are available.

Cisco indicates through the CVSS score that functional exploit code exists; however, the code is not known to be publicly available.

Customers are advised to review the bug report in the vendor announcements section for a current list of affected versions.

Affected configurations

Vulners node: cisco / jabber_im / Match any / android
