Lucene search

HistoryAug 11, 2014 - 12:00 a.m.

CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java






CVE-2014-5075 MitM Vulnerability in the Smack XMPP Library for Java

Smack <; is an Open Source
XMPP (Jabber) client library for instant messaging and presence written
in Java. Smack prior to version 4.0.2 is vulnerable to TLS
Man-in-the-Middle attacks, as it fails to check if the server
certificate matches the hostname of the connection.

Affected versions

  • Smack 4.0.0 and 4.0.1 are vulnerable.
  • Smack 2.x and 3.x are vulnerable if a custom `SSLContext` is
    supplied via `connectionConfiguration.setCustomSSLContext()`.


Smack is using Java's `SSLSocket`, which checks the peer certificate
using an `X509TrustManager`, but does not perform hostname verification.
Therefore, it is possible to redirect the traffic between a Smack-using
application and a legitimate XMPP server through the attacker's server,
merely by providing a valid certificate for a domain under the
attacker's control.

In Smack versions 2.2.0 to 3.4.1, a custom `ServerTrustManager`
implementation was used, which was supplied with the connection's server
name, and performed hostname verification. However, it failed to verify
the basicConstraints and nameConstraints of the certificate chain
and has been removed in Smack 4.0.0.

Applications using Smack 2.2.0 to 3.4.1 with a custom `TrustManager` did
not benefit from `ServerTrustManager` and are vulnerable as well, unless
their own `TrustManager` implementation explicitly performs hostname


Users of the Smack library are advised to upgrade to Smack 4.0.2, and
then use `connectionConfiguration.setHostnameVerifier()` with a
reasonable `HostnameVerifier` implementation. A proper hostname verifier
MUST be configured to close the vulnerability.

For Smack 3.x users, a backported commit has been created:

Here, a `HostnameVerifier` implementation needs to be
supplied via `connectionConfiguration.setHostnameVerifier()` as well.

When using the official JRE, the internal class
`` can be wrapped as described

If Apache's HttpClient library is available, its `StrictHostnameVerifier` can
be used.

On Android, MemorizingTrustManager provides both certificate checking and
hostname verification with interactive fallback, allowing the user to decide
about the trustworthiness of a server:

Affected Applications

Smack is a library used by different applications. Therefore, the
authors of the following Smack-based applications have been contacted to
coordinate updated releases:

  • ChatSecure (fixed in 13.2.0-beta1)
  • GTalkSMS (contacted on 2014-07-28)
  • MAXS (fixed in
  • yaxim and Bruno (fixed in 0.8.8)
  • undisclosed Android application (contacted on 2014-07-21)

The following Smack-based applications were not affected:

  • TransVerse (special interest client)
  • Xabber (using a custom `TrustManager` performing hostname verification)


  • 2014-07-20 Discovery of Smack vulnerability, notification of Smack
  • 2014-07-21 Notification of vulnerable apps' authors
  • 2014-07-27 Release of Smack 4.0.2
  • 2014-08-01 Release of MAXS
  • 2014-08-04 Release of yaxim 0.8.8
  • 2014-08-05 Release of ChatSecure 13.2.0 beta 1
  • 2014-08-05 Publication of this advisory


Online version of advisory:

PDF version:

– Dr. Georg Lukas GmbH Oberlander Ufer 190a D-50968 Koln Tel. : (+49)221 93724 0 Fax : (+49)221 93724 50 Mobil: (+49)179 4176591 Web :