CVE-2021-32918: 
NixOS vulnerability analysis and mitigation

CVE-2021-32918 affects Prosody, an XMPP server, in versions prior to 0.11.9. The vulnerability was discovered and disclosed on May 12, 2021. The default settings in Prosody make it susceptible to remote unauthenticated denial-of-service (DoS) attacks via memory exhaustion when running under Lua 5.2 or Lua 5.3, which is the default and recommended Lua version for Prosody 0.11.x series (Prosody Advisory).

The vulnerability has a CVSS score of 7.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C) and is categorized under CWE-400. The issue stems from the garbage collector not freeing unused memory fast enough by default in Lua 5.2 and 5.3, allowing memory usage to grow excessively during certain traffic patterns. Additionally, Prosody ships with extremely permissive stanza size limits (up to 10MB) by default (OSS Security).

When exploited, this vulnerability can lead to a denial-of-service condition through memory exhaustion, potentially affecting the availability of the XMPP server. The default configuration is susceptible to this issue, though configurations with stricter settings for stanza size limits, rate limits, and garbage collection parameters are at decreased risk (OSS Security).

Several mitigation steps are available: 1) Enable more aggressive garbage collection by setting garbage collection speed to at least 500, 2) Enable stricter stanza size limits (256KB for c2s and 512KB for s2s), and 3) Enable rate limits through mod_limits configuration. These mitigations are all applied by default in Prosody 0.11.9. The recommended solution is to upgrade to version 0.11.9 or apply the configuration changes (OSS Security).

Multiple Linux distributions including Debian, Fedora, and Gentoo have released security updates to address this vulnerability. Debian released DSA-4916-1, Fedora issued updates for versions 32, 33, and 34, and Gentoo released GLSA 202105-15 (Debian Security, Gentoo Security).