Openfire is an XMPP server licensed under the Open Source Apache License. Extensible Messaging and Presence Protocol (XMPP, originally named Jabber) is an open communication protocol designed for instant messaging (IM), presence information, and contact list maintenance. Based on XML (Extensible Markup Language), it enables the near-real-time exchange of structured data between two or more network entities.
Openfire’s administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. An earlier upgrade of the embedded webserver included support for non-standard URL encoding of UTF-16 characters, but path traversal protections in place in Openfire were not updated to include protection against this new encoding.
The combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages.
Successful exploit permits an unauthenticated attacker to access the Openfire Setup Environment in an Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.
All versions of Openfire that have been released since April 2015, starting with version 3.10.0.
Customers are advised to upgrade to the latest version of Openfire. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). Users are advised to upgrade. Downloads are available via Ignite’s downloads page, at [[https://www.igniterealtime.org/downloads/#openfire]].
NOTE: Be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property [[code:adminConsole.access.allow-wildcards-in-excludes]] to true, and to avoid binding the embedded webserver to the loopback network interface only.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
If an Openfire upgrade isn’t available for your release, or isn’t quickly actionable, then it is possible to mitigate the risk for your Openfire environment by applying one of the mitigations listed by the vendor at [[https://github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm]]
NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.
References * [[http://packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html]]
Category: Path Traversal
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).
No software to download or install.
Contact us or call us 0113 887 8380