We actually don’t have much usage of the admin console in our project.So we think that removal of admin-jsp.jar will provide a blanket protection against the vulnerability.We are worried that even though we take the steps listed as mitigations a motivated bad actor can still exploit the vulnerability.Please let us know your thoughts.
We have no indication that the mitigations leave a system vulnerable.
Your safest course of action is upgrading Openfire to a version that’s not affected. The second best option is to avoid any network interaction with the admin console.
If neither are possible, then applying the documented mitigations should suffice.
I do not know if your suggested solution works, and if it does, if it has side-effects. Given the multitude of alternatives that are already provided, I’m not eager to spend more time on investigating yet another alternative. If this particular fix, and its validation is important to you, then I invite you to seek support from a commercial provider. We list a number of them in our directory of professional partners: Ignite Realtime: Support - Professional Partners
Thanks for your feedback.will discuss with our team and get back if needed.
I wrote an update to this article.
TL;DR: This vulnerability is bad and abused in the wild. The information in the original security advisory is still up to date. Affected instances of Openfire should be updated as soon as possible.
1 Like