The Erlang cookie was hardcoded in the ejabberd server that ships with cloudCNM, so anyone who extracted the value from the software and could reach the cloudCNM server's Erlang distribution port could connect to ejabberd as a peer node. The cookie is the only credential the Erlang distribution protocol uses to admit a remote node, and an admitted node can run arbitrary code on the peer through rpc:call/4 (for example rpc:call(Node, os, cmd, ["id"])) with the privileges of the ejabberd user. Because the value was compiled into the Erlang code rather than generated at install time, every cloudCNM installation shared the same secret. The same hardcoded cookie is present in both versions of the ejabberd server that cloudCNM ships.

The two affected builds are ejabberd v18.1.1 and ejabberd v18.5.5. The same code also carries hardcoded memory settings: an Xmx of 1MB against an Xms of 256MB, a 1:256 ratio. Xmx and Xms are Java VM heap flags that the Erlang VM running ejabberd does not read, so whatever those constants do in this build, they are not what makes the node reachable; the cookie is the exploitable defect, and the memory constants are a robustness and maintainability problem to clean up alongside it.

How To Fix The Issue?

Check The Version Of Erlang And Ejabberd Server

Before fixing the issue, record the Erlang/OTP and ejabberd versions in use: ejabberdctl status reports the ejabberd version of the running node, and erl -noshell -eval 'io:format("~s~n",[erlang:system_info(otp_release)]),halt().' reports the OTP release. Also establish whether the node is a production system and whether it is clustered, because rotating the cookie restarts distribution and disconnects any clustered node that still uses the old value. The more you know about the server, the safer the fix.

Erlang Solutions For The Issue

The fix has two parts. First, stop hardcoding the value: delete the cookie constant from the Erlang code and let the cookie come from the node's cookie file or its start-up configuration, so that every installation ends up with a different secret. Second, reduce exposure: an unmodified upstream ejabberd already reads its cookie from ~/.erlang.cookie (or from ejabberdctl.cfg) and lets you bind the distribution listener to a chosen interface, so running the stock server with its standard configuration rather than a patched build removes the problem without custom code.

ejabberd itself is an Erlang/OTP application, and a single node can be run locally on a workstation to rehearse the change before touching production. Its web admin interface shows node status and statistics, which is a convenient way to confirm that the node came up with the new cookie and that only the expected peers are connected.

The fix must cover every place the cookie value appears, not only the Erlang module it was found in: start scripts, ejabberdctl.cfg, packaging, container images and documentation all have to lose the old value, otherwise a single leftover copy reintroduces the shared secret.

Fixing the Hardcoded Cookie in ejabberd v18.1.1 and v18.5.5

1. Generate a fresh, random cookie for each deployment at install or first start (erl writes a 20-letter cookie to ~/.erlang.cookie on first run, or create one with openssl rand -base64 32) instead of compiling a constant into the source.
2. Feed the cookie to the node from a protected file (~/.erlang.cookie with mode 0400, owned by the ejabberd user) or from the ERLANG_COOKIE setting in ejabberdctl.cfg, never from a literal in an .erl module. Check that the variable name matches your build's ejabberdctl.cfg.
3. Retire the old value everywhere at once: Erlang source, build scripts, container images, backups and documentation. A cookie that has been shipped is public, and every clustered node that used it must be rotated in the same maintenance window.
4. Limit who can reach the node at all: set INET_DIST_INTERFACE in ejabberdctl.cfg to the loopback or cluster address and firewall epmd (TCP 4369) and the distribution port range, so that only cluster members can even start a handshake.
5. Verify from another host with the old cookie: erl -sname probe -setcookie OLDCOOKIE -eval 'io:format("~p~n",[net_adm:ping('ejabberd@target')]),halt().' must print pang (no connection), not pong. Treat a pong as an unfinished fix, and treat the period during which the cookie was public as a possible compromise of those nodes.
6. Move the remaining hardcoded values, the memory settings included, into configuration read at startup rather than constants in code, so the next change does not require a code release.
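The following is an added example written for this page; it is not code from ejabberd or cloudCNM. It makes the point behind the procedure above concrete: the Erlang distribution handshake authenticates a peer solely by its ability to answer a 32-bit challenge with MD5(cookie ++ integer_to_list(challenge)), so whoever holds the cookie passes, and a cookie read out of shipped configuration is as good as the real one until it is rotated. The block also audits ejabberdctl-style configuration text for a literal cookie and for a distribution listener bound to all interfaces. The configuration variable names (ERLANG_COOKIE, INET_DIST_INTERFACE), the sample config and the cookie value in it are assumptions constructed for the example.

```python
"""Added example: why a leaked Erlang cookie is a full credential, plus a
small audit for hardcoded cookies in ejabberdctl-style configuration.

Illustrative code written for this page, not ejabberd's or cloudCNM's own.
Protocol fact it relies on: the Erlang distribution handshake proves
knowledge of the cookie with
    digest = MD5(Cookie ++ integer_to_list(Challenge))
so anyone who has the cookie can answer any challenge.
"""
import hashlib
import hmac
import re
import secrets
import string


def dist_digest(cookie: str, challenge: int) -> bytes:
    """Challenge response as computed by both sides of the handshake:
    MD5 over the cookie followed by the challenge as a decimal string."""
    if not 0 <= challenge < 2 ** 32:
        raise ValueError("challenge must be an unsigned 32-bit integer")
    return hashlib.md5(cookie.encode("latin-1") + str(challenge).encode("ascii")).digest()


def handshake_passes(node_cookie: str, peer_cookie: str, challenge=None) -> bool:
    """Node side of the exchange: issue a random challenge and compare the
    peer's answer with the one the node's own cookie produces."""
    if challenge is None:
        challenge = secrets.randbits(32)
    expected = dist_digest(node_cookie, challenge)
    answer = dist_digest(peer_cookie, challenge)  # what the peer sends back
    return hmac.compare_digest(expected, answer)


def generate_cookie(length: int = 20) -> str:
    """Random cookie in the same shape erl writes to ~/.erlang.cookie
    (uppercase letters); use this at install time instead of a constant."""
    return "".join(secrets.choice(string.ascii_uppercase) for _ in range(length))


# Assumption: variable names follow ejabberdctl.cfg (ERLANG_COOKIE,
# INET_DIST_INTERFACE); check the exact names against your build.
COOKIE_RE = re.compile(r'^\s*(?:export\s+)?ERLANG_COOKIE\s*=\s*["\']?([^"\'\s#]+)', re.M)
DIST_IFACE_RE = re.compile(r'^\s*(?:export\s+)?INET_DIST_INTERFACE\s*=\s*(\{[\d,\s]+\})', re.M)


def audit_config(text: str) -> list:
    """Return human-readable findings for cookie and reachability settings."""
    findings = []
    for m in COOKIE_RE.finditer(text):
        cookie = m.group(1)
        findings.append(f"hardcoded cookie in config: {cookie!r}")
        if len(cookie) < 20 or not cookie.isupper():
            findings.append("cookie is shorter or weaker than an erl-generated one")
    for m in DIST_IFACE_RE.finditer(text):
        if re.fullmatch(r"\{\s*0\s*,\s*0\s*,\s*0\s*,\s*0\s*\}", m.group(1)):
            findings.append("distribution bound to all interfaces ({0,0,0,0})")
    return findings


# Constructed sample config; the cookie value is made up for this example.
SAMPLE_CFG = """\
# ejabberdctl.cfg excerpt (constructed)
ERLANG_COOKIE=cloudcnm
INET_DIST_INTERFACE={0,0,0,0}
"""


def demo() -> dict:
    """A cookie read out of shipped config lets an outsider pass the node's
    handshake; after rotation to a freshly generated cookie it no longer does."""
    leaked = COOKIE_RE.search(SAMPLE_CFG).group(1)
    rotated = generate_cookie()
    return {
        "findings": audit_config(SAMPLE_CFG),
        "leaked_cookie_passes": handshake_passes(leaked, leaked),
        "leaked_cookie_after_rotation": handshake_passes(rotated, leaked),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it as a script to see the findings for the constructed config and the two handshake outcomes; to audit a real deployment, pass the contents of your ejabberdctl.cfg to audit_config and treat any hardcoded-cookie finding as step 1 of the procedure above.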

Timeline

Published on: 09/29/2022 03:15:00 UTC
Last modified on: 09/29/2022 17:15:00 UTC