Versions of RT between 4.2.0 and 4.2.2 (inclusive) are vulnerable to adenial-of-service attack via the email gateway; any installation which accepts mail from untrusted sources is vulnerable, regardless of the permissions configuration inside RT. This vulnerability is assigned CVE-2014-1474.

This vulnerability is caused by poor parsing performance in the Email::Address::List module, which RT depends on. We recommend that affected users upgrade their version of Email::Address::List to v0.02 or above, which resolves the issue.

After extracting the contents, the module can be installed by running:

perl Makefile.PL
make
make install

The first step should be sure to use the same perl that RT runs using. If you are unsure, the first line of /opt/rt4/sbin/standalone_httpd should contain the full path to the relevant perl binary. The last step will likely need to be run with root permissions. After this process, you should restart your webserver.

If you need help resolving this issue locally, we will provide discounted pricing for single-incident support; please contact us at sales@bestpractical.com for more information.