STARTTLS is an extension to plaintext communication protocols that offers a way to upgrade a plaintext connection to an encrypted (TLS or SSL) connection instead of using a separate port for encrypted communication. Some implementations of STARTTLS contain a vulnerability that could allow a remote unauthenticated attacker to inject commands during the plaintext protocol phase that are then executed during the ciphertext protocol phase. This vulnerability is caused by the switch from plaintext to TLS being implemented below the application's I/O buffering layer: bytes the application read into its buffer before the handshake remain there afterwards and are processed as if they had arrived over the encrypted channel. This issue is only of practical concern for affected implementations that also perform correct certificate validation. Implementations which do not perform certificate validation are already inherently vulnerable to man-in-the-middle attacks.
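The buffering problem described above, as an added example that is not part of this note or of any vendor's implementation: a simulated server with an application-level line buffer above the transport, run once with the flaw and once with the fix (refusing STARTTLS while unread bytes remain). All byte strings are constructed inputs.

```python
# Added example for this note: a simulated STARTTLS server whose read buffer
# sits above the transport, showing the flaw and one fix. Not vendor code.


class LineBuffer:
    """Application-layer read buffer (above the transport/TLS layer)."""

    def __init__(self, data: bytes = b""):
        self.buf = bytearray(data)

    def feed(self, data: bytes):
        self.buf += data

    def readline(self):
        i = self.buf.find(b"\r\n")
        if i < 0:
            return None
        line, self.buf = bytes(self.buf[:i]), self.buf[i + 2:]
        return line


def run_server(plain_bytes: bytes, tls_bytes: bytes, reject_pipelined: bool):
    """Return the list of (command, phase) the server executed.

    plain_bytes: client data before the TLS handshake.
    tls_bytes:   client data (already decrypted) after the handshake.
    reject_pipelined=False keeps the buffer across the upgrade, so bytes
    that followed STARTTLS in plaintext run as 'tls' commands (the flaw).
    reject_pipelined=True refuses STARTTLS if unread bytes remain (a fix).
    """
    rd = LineBuffer(plain_bytes)
    tls = False
    executed = []
    while (line := rd.readline()) is not None:
        cmd = line.decode("ascii", "replace")
        if not tls and cmd.upper() == "STARTTLS":
            if reject_pipelined and rd.buf:
                executed.append(("STARTTLS", "rejected: trailing data"))
                break  # fix: drop the connection instead of upgrading
            tls = True  # TLS switch happens on the transport, below rd.buf
            rd.feed(tls_bytes)  # post-handshake data lands in the same buffer
            continue
        executed.append((cmd, "tls" if tls else "plain"))
    return executed


if __name__ == "__main__":
    injected = b"EHLO c\r\nSTARTTLS\r\nINJECTED\r\n"  # constructed input
    print(run_server(injected, b"MAIL FROM:<u>\r\n", reject_pipelined=False))
    print(run_server(injected, b"MAIL FROM:<u>\r\n", reject_pipelined=True))
```

The first run shows `INJECTED` executing in the `tls` phase although it was sent in plaintext; the second shows the server refusing the upgrade while the buffer is non-empty, and a clean client (no trailing bytes) is unaffected by the check.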
Note: Not all implementations of STARTTLS are affected by this vulnerability. Some implementations of Simple Authentication and Security Layer (SASL) could also be affected by this vulnerability. Please see the Vendor Information below for vendor-specific details.