Oracle Linux: CVE-2021-33515: ELSA-2022-1950: dovecot security update (MODERATE) (Multiple Advisories)
Description
The submission service in Dovecot before 2.3.15 allows STARTTLS command injection in lib-smtp. Sensitive information can be redirected to an attacker-controlled address. It was found that dovecot could still accept plaintext commands while the STARTTLS negotiation process is ongoing. This could allow an active person in the middle, with valid credentials on dovecot, to, for example, steal confidential data such as the client's emails and passwords.
Solution(s)
- oracle-linux-upgrade-dovecot
- oracle-linux-upgrade-dovecot-devel
- oracle-linux-upgrade-dovecot-mysql
- oracle-linux-upgrade-dovecot-pgsql
- oracle-linux-upgrade-dovecot-pigeonhole
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center