CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS
Percentile
99.8%
An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community.
Openfireβs administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users.
Path traversal protections were already in place to protect against exactly this kind of attack, but didnβt defend against certain non-standard URL encoding for UTF-16 characters, that were not supported by the embedded webserver that was in use at the time.
A later upgrade of the embedded webserver included support for non-standard URL encoding of UTF-16 characters. The path traversal protections in place in Openfire were not updated to include protection against this new encoding.
Openfireβs API defines a mechanism for certain URLs to be excluded from web authentication (this, for example, is used for the login page). This mechanism allows for wildcards to be used, to allow for flexible URL pattern matching.
The combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages.
This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0).
To test if an instance of Openfire is affected, follow these steps. Open a browser in incognito mode, or otherwise ensure that there is no authenticated session with the Openfire admin console. Open the following URL (possibly modified for the hostname of the server that is running Openfire):
http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp
If this shows part of the openfire logfiles, then the instance of Openfire is affected by this vulnerability. Note that different versions of Openfire will show a different layout. Newer versions of Openfire can be expected to show log files on a dark background, while older versions will show a largely white page. (Depending on the content of the log file, this page might be empty, apart from a header!)
If thereβs a redirect to the login page, the instance is likely unaffected.
The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0).
adminConsole.access.allow-wildcards-in-excludes
) is introduced that controls the permissibility of using wildcards in URL-patterns that define exclusions to authentication.Be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property adminConsole.access.allow-wildcards-in-excludes
to true
, and to avoid binding the embedded webserver to the loopback network interface only.
When your server uses older versions of the following plugins, make sure to upgrade them:
If an Openfire upgrade isnβt available for your release, or isnβt quickly actionable, you can take any of the following steps to mitigate the risk for your Openfire environment.
Be aware: through Openfire plugins, the effectiveness of some mitigations listed below can be reduced, while other mitigations might affect the functionality of plugins. Particular care should be taken when using the Monitoring Service plugin, REST API plugin, User Service plugin and/or Random Avatar plugin.
Use network security measures (network ACLs and/or firewalls, VPNs) to ensure only trusted members of your community have access to the Openfire Admin Console. As a general rule, never expose the Openfire Admin Console to the general internet.
Examples:
ufw
, deny ports 9090 and 9091 on non-loopback interfacesdocker run ... -p 5222:5222 -p 9090:9090 -p 9091:9091 openfire
prevent remote access to the Admin Console with docker run ... -p 5222:5222 -p 127.0.0.1:9090:9090 -p 127.0.0.1:9091:9091 openfire
To close the avenue of potential attack, a runtime configuration file of Openfire can be modified.
In Openfireβs installation directory, find the file plugins/admin/webapp/WEB-INF/web.xml
. After creating a backup of this file, edit the original file.
The content of this file is XML. Find a <filter>
element, that contains the <filter-name>AuthCheck</filter-name>
child element. Depending on your version of Openfire, it will look similar to this:
<filter>
<filter-name>AuthCheck</filter-name>
<filter-class>org.jivesoftware.admin.AuthCheckFilter</filter-class>
<init-param>
<param-name>excludes</param-name>
<param-value>
login.jsp,index.jsp?logout=true,setup/index.jsp,setup/setup-*,.gif,.png,error-serverdown.jsp,loginToken.jsp
</param-value>
</init-param>
</filter>
The value inside of the param-value
element is a comma-separated list of values. From this list, remove all *
(asterisk) characters.
Save the file, and restart Openfire for the change to take effect.
Note that no guarantees can be given that this runtime configuration change persists over time. Ensure to monitor the presence of the fix. It is recommended to upgrade to a safe version of Openfire as soon as possible.
A side-effect of this change is that the Openfire web-based setup wizard will not function properly (functionality can be restored by reverting the change). This wizard is typically used only when initially installing Openfire.
The Openfire admin console is a web-based application. By default, the corresponding webserver (that is embedded in Openfire) binds to all network interfaces of the host that it is running on.
The admin console can be configured to bind to a specific network interface. This will prevent it from being accessed through other network interfaces. By configuring the admin console to bind to the local loopback interface, it is accessible only to users on the server itself. This reduces the avenue of attack.
Note that several Openfire plugins expose part or all of their functionality through the admin console webserver. The REST API plugin, for example, serves its endpoints via this webserver. Availability of this functionality will be affected by binding the webserver to a specific network interface.
To bind the webserver of the Openfire admin console to a specific network interface, the βopenfire.xmlβ configuration file can be used.
In Openfireβs installation directory, locate the file conf/openfire.xml
. After creating a backup of this file, edit the original file.
The content of this file is XML. Find the <adminConsole>
element that is a direct child element of the root <jive>
element. Add a new element, named <interface>
as a child element of <adminConsole>
. The value of the <interface>
element should be the name of the loopback interface or interface address. Setting value to 127.0.0.1
works on all tested environments (using values like lo
on most Linux systems or lo0
on macOS will have the same effect).
The resulting fragment of the openfire.xml
file will look similar to this:
<?xml version="1.0" encoding="UTF-8"?>
<jive>
<adminConsole>
<interface>127.0.0.1</interface>
<port>9090</port>
<securePort>9091</securePort>
</adminConsole>
...
Save the file, and restart Openfire for the change to take effect.
The Ignite Realtime community has made available a new plugin, called the AuthFilterSanitizer plugin. The plugin can be installed from the Openfire admin console, or can be downloaded from the pluginβs archive page on the IgniteRealtime.org community website.
This plugin periodically removes entries for Openfireβs authentication filter that are susceptible to abuse, closing the avenue of potential attack.
Note that this plugin might interfere with functionality that depends on the abuse-susceptible entries in the authentication filter that might be provided by plugins.
This issue was originally reported by Siebene@ who has our gratitude for the responsible and detailed disclosure of the issue!
We are grateful for the resources made available by Surevine ltd. They were instrumental in addressing the issue listed in this advisory.
packetstormsecurity.com/files/173607/Openfire-Authentication-Bypass-Remote-Code-Execution.html
github.com/igniterealtime/Openfire
github.com/igniterealtime/Openfire/commit/2ac00a1ff42f5d3547ef58e21f8cdec992bfcf97
github.com/igniterealtime/Openfire/commit/71f3def2adeaac62729cf544b645c6819c3d9868
github.com/igniterealtime/Openfire/commit/a3b5ebd5032ff7be9d3ada5bf52bea2df96ec881
github.com/igniterealtime/Openfire/releases/tag/v4.6.8
github.com/igniterealtime/Openfire/releases/tag/v4.7.5
github.com/igniterealtime/Openfire/security/advisories/GHSA-gw42-f939-fhvm
igniterealtime.atlassian.net/browse/OF-2595
nvd.nist.gov/vuln/detail/CVE-2023-32315
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
LOW
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
EPSS
Percentile
99.8%