logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

CVE-2023-32315 org.igniterealtime.openfire:xmppserver

Package

Manager: maven
Name: org.igniterealtime.openfire:xmppserver
Vulnerable Version: >=3.10.0 <4.6.8 || >=4.7.0 <4.7.5

Severity

Level: High

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N

EPSS: 0.94432 pctl0.99984

Details

Administration Console authentication bypass in openfire xmppserver An important security issue affects a range of versions of Openfire, the cross-platform real-time collaboration server based on the XMPP protocol that is created by the Ignite Realtime community. ### Impact Openfire's administrative console (the Admin Console), a web-based application, was found to be vulnerable to a path traversal attack via the setup environment. This permitted an unauthenticated user to use the unauthenticated Openfire Setup Environment in an already configured Openfire environment to access restricted pages in the Openfire Admin Console reserved for administrative users. ### Cause Path traversal protections were already in place to protect against exactly this kind of attack, but didn’t defend against certain non-standard URL encoding for UTF-16 characters, that were not supported by the embedded webserver that was in use at the time. A later upgrade of the embedded webserver included support for non-standard URL encoding of UTF-16 characters. The path traversal protections in place in Openfire were not updated to include protection against this new encoding. Openfire's API defines a mechanism for certain URLs to be excluded from web authentication (this, for example, is used for the login page). This mechanism allows for wildcards to be used, to allow for flexible URL pattern matching. The combination of the wildcard pattern matching and path traversal vulnerability allows a malicious user to bypass authentication requirements for Admin Console pages. ### Affected versions This vulnerability affects all versions of Openfire that have been released since April 2015, starting with version 3.10.0. The problem has been patched in Openfire release 4.7.5 and 4.6.8, and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). ### Problem Reproduction To test if an instance of Openfire is affected, follow these steps. Open a browser in incognito mode, or otherwise ensure that there is no authenticated session with the Openfire admin console. Open the following URL (possibly modified for the hostname of the server that is running Openfire): ```http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp``` If this shows part of the openfire logfiles, then the instance of Openfire is affected by this vulnerability. Note that different versions of Openfire will show a different layout. Newer versions of Openfire can be expected to show log files on a dark background, while older versions will show a largely white page. (Depending on the content of the log file, this page might be empty, apart from a header!) If there's a redirect to the login page, the instance is likely unaffected. ### Problem Resolution The problem has been patched in [Openfire release 4.7.5 and 4.6.8](https://www.igniterealtime.org/downloads/#openfire), and further improvements will be included in the yet-to-be released first version on the 4.8 branch (which is expected to be version 4.8.0). - In Openfire 4.6.8, 4.7.5 and 4.8.0, Path Traversal pattern detection has been improved to include detection of non-standard URL encodings, preventing any non UTF-8 characters. - In Openfire 4.6.8, 4.7.5 and 4.8.0, a new configuration property (`adminConsole.access.allow-wildcards-in-excludes`) is introduced that controls the permissibility of using wildcards in URL-patterns that define exclusions to authentication. - In Openfire 4.6.8, 4.7.5 and 4.8.0, the existing value that uses a wildcard in URL-patterns that define exclusions to authentication has been replaced by values that do not depend on a wildcard. - In Openfire 4.6.8, 4.7.5 and 4.8.0, Setup-specific URL-patterns that define exclusions to authentication are no longer active after the setup process has finished. - In Openfire 4.8.0, the embedded webserver will be updated to a version that no longer supports the non-standard URL encoding of UTF-16 characters. - In Openfire 4.8.0, the embedded webserver that serves the Openfire administrative console will bind to the loopback network interface by default. Be aware that the new configuration properties can interfere with the functionality of certain Openfire plugins. This is especially true for plugins that bind a (web)endpoint to the embedded webserver that serves the Openfire administrative console, like current versions of the REST API plugin do. For these plugins to remain functional and/or reachable, it might be required to toggle the property `adminConsole.access.allow-wildcards-in-excludes` to `true`, and to avoid binding the embedded webserver to the loopback network interface only. When your server uses older versions of the following plugins, make sure to upgrade them: - [Random Avatar plugin](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=randomavatar), update to version 1.1.0 or later. - [Monitoring Service plugin](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=monitoring), update to version 2.5.0 or later. - [HTTP File Upload plugin](https://www.igniterealtime.org/projects/openfire/plugin-archive.jsp?plugin=httpfileupload), update to version 1.3.0 or later. ### Mitigation If an Openfire upgrade isn’t available for your release, or isn’t quickly actionable, you can take any of the following steps to mitigate the risk for your Openfire environment. Be aware: through Openfire plugins, the effectiveness of some mitigations listed below can be reduced, while other mitigations might affect the functionality of plugins. Particular care should be taken when using the Monitoring Service plugin, REST API plugin, User Service plugin and/or Random Avatar plugin. #### Restrict network access Use network security measures (network ACLs and/or firewalls, VPNs) to ensure only trusted members of your community have access to the Openfire Admin Console. As a general rule, never expose the Openfire Admin Console to the general internet. Examples: * On a linux machine running `ufw`, deny ports 9090 and 9091 on non-loopback interfaces * On a Windows machine, restrict the rules that open ports 9090 and 9091 to only allow traffic from the IPv4 and/or IPv6 loopback addresses * On AWS cloud infrastructure, use EC2 Security Groups to restrict ports 9090 and 9091 to trusted IP addresses. If the trusted range is necessarily too broad, consider opening and closing the ports only as necessary * If using Docker, instead of `docker run ... -p 5222:5222 -p 9090:9090 -p 9091:9091 openfire` prevent remote access to the Admin Console with `docker run ... -p 5222:5222 -p 127.0.0.1:9090:9090 -p 127.0.0.1:9091:9091 openfire` #### Modify runtime configuration file To close the avenue of potential attack, a runtime configuration file of Openfire can be modified. In Openfire's installation directory, find the file `plugins/admin/webapp/WEB-INF/web.xml`. After creating a backup of

Metadata

Created: 2023-05-23T19:54:30Z
Modified: 2023-07-20T18:57:26Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-gw42-f939-fhvm/GHSA-gw42-f939-fhvm.json
CWE IDs: ["CWE-22"]
Alternative ID: GHSA-gw42-f939-fhvm
Finding: F063
Auto approve: 1