An important security issue that affects all recent versions of Openfire has been reported to us. We’ve fixed it in the newly published 4.6.8 and 4.7.5 releases, and we recommend that everyone upgrade as soon as possible. More information, including mitigations for those who cannot upgrade quickly, is available in this security advisory: CVE-2023-32315: Administration Console authentication bypass.
Related to this issue, we have also made available updates to three of our plugins:
- Random Avatar plugin version 1.1.0.
- Monitoring Service plugin version 2.5.0.
- HTTP File Upload plugin version 1.3.0.
If you’re using these plugins, it is recommended to update them immediately.
If you are using the REST API plugin, or any proprietary plugins, updating Openfire might affect the availability of their functionality. Workarounds are described in the security advisory.
If you have any questions, please stop by our community forum or our live groupchat.
For other release announcements and news, follow us on Twitter and Mastodon.