Andreas Kurtz has published a security advisory regarding multiple critical security vulnerabilities in Openfire's admin console. There is also a posting to full-disclosure.
The issues allow a remote attacker to circumvent authentication and run arbitrary code with the permissions of the user running Openfire. They affect all versions up to and including 3.6.0a.
Andreas says he notified the vendor, Jive Software, six months ago. So far Jive has issued no security advisory and published no patch. I am really interested to hear Jive's side of this story. If Jive was indeed aware of the issues for so long and took no action to inform the community or to fix the problem, this will probably result in a loss of trust in Openfire's development model.
For now the only mitigation is to restrict access to the admin console with firewall rules. Given the security issues found in the admin console in the past, this is recommended anyway. The XMPP interface is not affected by the vulnerabilities discovered by Andreas.
Packt has released a new book on Openfire, the Java-based instant messaging server. Openfire Administration by Mayank Sharma is a step-by-step guide for everybody who wants to set up an internal IM server for private or corporate use. It walks you through the whole installation and configuration process, including integration with external authentication sources like OpenLDAP and Active Directory, and covers a bunch of useful plugins.
In contrast to many similar products, Openfire is based on open standards: it uses the same XMPP protocol that is also used by Google Talk and Apple's iChat. Openfire is available under the GNU General Public License, so there are no license fees, and it is maintained by a vibrant community. There are a lot of free and commercial clients that you can use to connect to Openfire, such as Spark and the Flash-based SparkWeb, Psi, iChat and many more.
Additional free plugins cover a wide range of requirements, such as gateways to other IM networks (MSN, ICQ/AIM and Yahoo!), server-side archiving for compliance, and integration with the Asterisk PBX.
If you are new to running IM infrastructure and want to set up a proven, enterprise-ready solution, Mayank's book is for you; it provides the information required to install and run a professional IM service.
The enterprise edition of the popular Java-based XMPP server Openfire is becoming open source. This also includes the Flex-based IM client SparkWeb.
As Matt points out, the clustering functionality of the enterprise edition will not be made open source: “Part of the reason for this is that it uses a third-party commercial library for clustering.”
Nevertheless, thanks to Openfire's modular design, the commercial Coherence library could quite easily be replaced by a free alternative like Terracotta.
This is really great news. Thanks to Jive for their commitment to the community.
Dombiak Gaston has followed up with a roadmap describing the two phases of the transition. The first phase, covering the majority of features, is scheduled to be finished by April 27th.
More than 30 new features were added and more than 30 bugs were fixed. Personal Eventing via PubSub (PEP) was added, so you can now publish your geo-location or the music you are listening to and have subscribers alerted. From the admin console you can now manage users' rosters. Moreover, it is now possible to retrieve photos from LDAP and use them as users' avatars. The complete set of changes can be found here. Openfire 3.4.1 is available for download from Ignite Realtime.
The new version includes a few incompatible API changes, so I have released new versions of the plugins that I maintain:
Use the plugin if you need easy access to this data from other applications or scripts that can reach your Openfire database.
The plugin automatically saves the last status (presence, IP address, logon and logoff time) per user and resource to the userStatus table in the Openfire database.
Optionally you can archive user status entries (IP address, logon and logoff time) for a specified period. History entries are stored in the userStatusHistory table. The settings for history archiving can be configured on the “User Status Settings” page under the “Server” tab of the Openfire Admin Console.
Development of the plugin has been sponsored by Restomax. It is available for download under the GPL.
Note: Rename the plugin to user-status.jar before deploying it to Openfire's plugins folder.
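One thing the userStatusHistory table is good for is spotting unusual logons. The script below is an added example, not part of the user-status plugin: it builds an in-memory SQLite copy of the two tables with constructed sample rows and runs two checks over them, logons from outside the trusted networks and users who logged on from many distinct addresses. The table and column names (lastIpAddress, lastLoginDate, lastLogoffDate and so on) are assumptions and should be checked against the plugin's own database scripts; dates are modelled as zero-padded epoch milliseconds in CHAR(15) columns, the convention the Openfire schema uses for its own date columns, which is what makes the string comparison in the WHERE clauses work.

```python
"""Query the user-status tables for suspicious logons (added example, not plugin code)."""
import ipaddress
import sqlite3
from datetime import datetime, timezone

# Assumed schema: check against the plugin's database scripts before relying on it.
SCHEMA = """
CREATE TABLE userStatus (
    username      VARCHAR(64) NOT NULL,
    resource      VARCHAR(64) NOT NULL,
    online        INTEGER     NOT NULL,
    lastIpAddress VARCHAR(40),
    lastLoginDate CHAR(15),
    lastLogoffDate CHAR(15),
    PRIMARY KEY (username, resource)
);
CREATE TABLE userStatusHistory (
    historyID     INTEGER PRIMARY KEY,
    username      VARCHAR(64) NOT NULL,
    resource      VARCHAR(64) NOT NULL,
    lastIpAddress VARCHAR(40),
    lastLoginDate CHAR(15),
    lastLogoffDate CHAR(15)
);
"""


def utc(y, m, d, h=0, mi=0):
    return datetime(y, m, d, h, mi, tzinfo=timezone.utc)


def jive_date(dt):
    """Encode a datetime the way Openfire stores dates: 15-digit zero-padded epoch millis."""
    return "%015d" % int(dt.timestamp() * 1000)


def parse_jive_date(s):
    return datetime.fromtimestamp(int(s) / 1000, tz=timezone.utc)


# Constructed sample history (not real data): user, resource, IP, logon, logoff.
SAMPLE_HISTORY = [
    ("alice", "spark",    "10.0.1.12",    utc(2008, 11, 3, 8),  utc(2008, 11, 3, 17)),
    ("alice", "spark",    "10.0.1.12",    utc(2008, 11, 4, 8),  utc(2008, 11, 4, 17)),
    ("bob",   "psi",      "10.0.2.7",     utc(2008, 11, 3, 9),  utc(2008, 11, 3, 18)),
    ("bob",   "psi",      "203.0.113.45", utc(2008, 11, 5, 2),  utc(2008, 11, 5, 2, 20)),
    ("carol", "spark",    "10.0.3.1",     utc(2008, 11, 3, 8),  utc(2008, 11, 3, 12)),
    ("carol", "sparkweb", "10.0.3.2",     utc(2008, 11, 3, 13), utc(2008, 11, 3, 17)),
    ("carol", "spark",    "10.0.3.3",     utc(2008, 11, 4, 8),  utc(2008, 11, 4, 17)),
]


def open_sample_db():
    """In-memory stand-in for the Openfire database, loaded with SAMPLE_HISTORY."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO userStatusHistory (username, resource, lastIpAddress, lastLoginDate, lastLogoffDate) "
        "VALUES (?, ?, ?, ?, ?)",
        [(u, r, ip, jive_date(i), jive_date(o)) for u, r, ip, i, o in SAMPLE_HISTORY],
    )
    conn.commit()
    return conn


def logons_outside(conn, trusted_networks, since):
    """Logons since `since` whose source address is in none of the trusted networks."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    rows = conn.execute(
        "SELECT username, resource, lastIpAddress, lastLoginDate FROM userStatusHistory "
        "WHERE lastLoginDate >= ? ORDER BY lastLoginDate",
        (jive_date(since),),
    )
    hits = []
    for user, resource, ip, login in rows:
        addr = ipaddress.ip_address(ip)
        if not any(addr in net for net in nets):
            hits.append((user, resource, ip, parse_jive_date(login)))
    return hits


def users_with_many_ips(conn, since, threshold=3):
    """Users who logged on from at least `threshold` distinct addresses since `since`."""
    rows = conn.execute(
        "SELECT username, COUNT(DISTINCT lastIpAddress) FROM userStatusHistory "
        "WHERE lastLoginDate >= ? GROUP BY username "
        "HAVING COUNT(DISTINCT lastIpAddress) >= ? ORDER BY username",
        (jive_date(since), threshold),
    )
    return [(user, count) for user, count in rows]


if __name__ == "__main__":
    db = open_sample_db()
    for user, resource, ip, when in logons_outside(db, ["10.0.0.0/8"], utc(2008, 11, 1)):
        print("outside trusted networks:", user, resource, ip, when.isoformat())
    for user, count in users_with_many_ips(db, utc(2008, 11, 1)):
        print("many source addresses:", user, count)
```

Against a real installation, replace open_sample_db with a connection to the Openfire database (via a read-only account) and widen the trusted network list to cover your VPN ranges, otherwise every remote worker shows up as a hit.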
Open Archive is a XEP-0136-compliant server-side message archive for Openfire.
It is available as a plugin from here.
Currently it supports automatic message archiving and message retrieval through XEP-0136-compliant Jabber clients, as well as a web UI for the administrator. Support for manual archiving and archiving preferences is planned for future releases.
Version 1.0.1 requires either MySQL or the embedded HSQLDB; support for other databases might be added later.
To install the plugin, rename the jar to archive.jar, place it in the plugins folder of your Openfire server and enable it in the Openfire admin console under Server Settings/Archive Settings.
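To show what retrieval through a XEP-0136 client looks like on the wire, here is an added example that is not part of the Open Archive plugin: it builds the retrieve request for one archived collection and parses the collection the server returns into messages with absolute timestamps. The stanza layout follows XEP-0136 (namespace urn:xmpp:archive, RSM paging via http://jabber.org/protocol/rsm); the JIDs, the request id and the messages in the sample result are constructed for this example. Note the timestamp rule, which is easy to get wrong when reconstructing a conversation for an investigation: each message carries either an absolute utc attribute or a secs attribute counting seconds since the previous message (or since the collection's start for the first one).

```python
"""Build a XEP-0136 retrieve request and parse the returned collection (added example)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS_ARCHIVE = "urn:xmpp:archive"
NS_RSM = "http://jabber.org/protocol/rsm"
XEP_TIME = "%Y-%m-%dT%H:%M:%SZ"  # XEP-0082 UTC timestamps, as used by XEP-0136


def retrieve_iq(iq_id, with_jid, start, max_items=100):
    """Serialise the <iq type='get'> that asks the archive for one collection.

    A collection is identified by the contact ('with') and its 'start' time,
    both taken from an earlier <list/> request; RSM <set/> asks for paging.
    """
    iq = ET.Element("iq", {"type": "get", "id": iq_id})
    retrieve = ET.SubElement(iq, "retrieve", {
        "xmlns": NS_ARCHIVE,
        "with": with_jid,
        "start": start.strftime(XEP_TIME),
    })
    rsm = ET.SubElement(retrieve, "set", {"xmlns": NS_RSM})
    ET.SubElement(rsm, "max").text = str(max_items)
    return ET.tostring(iq, encoding="unicode")


def parse_collection(iq_xml):
    """Return (direction, absolute UTC time, body) for each message in a <chat/> result.

    <from/> is a message received from the contact, <to/> one sent to the contact.
    'secs' is relative to the previous message (or to 'start' for the first);
    'utc' is absolute and resets the running clock.
    """
    root = ET.fromstring(iq_xml.strip())
    chat = root.find("{%s}chat" % NS_ARCHIVE)
    if chat is None:
        raise ValueError("result carries no urn:xmpp:archive collection")
    clock = datetime.strptime(chat.get("start"), XEP_TIME).replace(tzinfo=timezone.utc)
    messages = []
    for elem in chat:
        tag = elem.tag.split("}", 1)[-1]
        if tag not in ("from", "to"):
            continue  # e.g. the RSM <set/> paging element
        if elem.get("utc") is not None:
            clock = datetime.strptime(elem.get("utc"), XEP_TIME).replace(tzinfo=timezone.utc)
        else:
            clock = clock + timedelta(seconds=int(elem.get("secs", "0")))
        body = elem.findtext("{%s}body" % NS_ARCHIVE) or ""
        messages.append((tag, clock, body))
    return messages


# Constructed sample result (not a real capture); JIDs and text are made up.
SAMPLE_RESULT = """
<iq type='result' id='page1' to='romeo@example.org/orchard'>
  <chat xmlns='urn:xmpp:archive' with='juliet@example.org/chamber'
        start='2008-11-03T10:00:00Z'>
    <from secs='0'><body>Is the new build ready?</body></from>
    <to secs='11'><body>Yes, it is on the staging server.</body></to>
    <from secs='7'><body>Thanks.</body></from>
    <set xmlns='http://jabber.org/protocol/rsm'>
      <first index='0'>0</first><last>2</last><count>3</count>
    </set>
  </chat>
</iq>
"""


if __name__ == "__main__":
    print(retrieve_iq("page1", "juliet@example.org/chamber",
                      datetime(2008, 11, 3, 10, 0, tzinfo=timezone.utc)))
    for direction, when, body in parse_collection(SAMPLE_RESULT):
        print(when.isoformat(), direction, body)
```

The request is the client's side of the exchange; in a real session it is sent over an authenticated XMPP stream, and the archive only returns collections belonging to the requesting account, which is why archive retrieval does not give an administrator a way around the per-user scoping, and why the web UI exists for that role.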
Ignite Realtime has released Openfire 3.3.1, which fixes a critical security issue in all versions prior to 3.3.1. I had reported the issue last week, so thanks to the Openfire guys for the quick fix.
The issue allows attackers to remotely upload code to Openfire via the built-in admin console; the code is executed with the permissions of the user running Openfire, which is one more reason never to run Openfire as root. Users are strongly advised to upgrade their server instances.
As a workaround, access to the admin console ports (9090 by default, and 9091 for the HTTPS console) can be restricted via firewall rules.
I've built a small Maven plugin for building Openfire plugins. It is a mix of the maven-war-plugin and the Jetty JSPC plugin. Usage is quite simple: add the plugin to your POM and set the packaging to “openfire-plugin”.