CVE-2023-32315: Ignite RealTime Openfire XMPP Server < v4.7.5 – Unauthorised Access to Administrative Console via Path Traversal Vulnerability in Setup Environment

Openfire is an XMPP server licensed under the Open Source Apache License. Extensible Messaging and Presence Protocol (XMPP, originally named Jabber) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it enables the near-real-time exchange of structured data between two or more network entities.

Background & Context

Openfire is an XMPP server licensed under the Open Source Apache License. Extensible Messaging and Presence Protocol (XMPP, originally named Jabber) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it enables the near-real-time exchange of structured data between two or more network entities.

 

Vulnerability Summary

Openfire’s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. An earlier upgrade of the embedded webserver included support for non-standard URL encoding of UTF-16 characters, but path traversal protections in place in Openfire were not updated to include protection against this new encoding.

The combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages.

 

Impact If Exploited

Successful exploit permits an unauthenticated attacker to access the Openfire Setup Environment in an Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.

 

Affected Product Versions

All versions of Openfire that have been released since April 2015, starting with version 3.10.0.

 

Remediation

Official Fix & Remediation Guidance

Customers are advised to upgrade to the latest version of Openfire. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. Downloads are available via Ignite’s downloads page, at https://www.igniterealtime.org/downloads/#openfire.

NOTE: Be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property adminConsole.access.allow-wildcards-in-excludes to true, and to avoid binding the embedded webserver to the loopback network interface only.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

Temporary Mitigation & Workarounds

If an Openfire upgrade isn’t available for your release, or isn’t quickly actionable, then it is possible to mitigate the risk for your Openfire environment by applying one of the mitigations listed by the vendor at https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

References

Category: Path Traversal

 

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch