How to mitigate CVE-2021-45105 until Openfire 4.6.7 releases


Have been keeping up with the log4j events, and there’s now a 3rd known vulnerability via CVE-2021-45105; Doesn’t seem to be an OpenFire fix yet (though I’m sure that’s coming).

In the meantime, apache has a new download here; I’m running 4.6.6 on Windows Server 2019 and I can see in \…\openfire\lib there are 4 files:

  • log4j2.xml
  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar

I can find the 2.17.0 replacements for the latter 3 files in Apache’s download; is it simply a matter of stopping the service, replacing those files and restarting or do we need to wait for a 4.6.7 installer? Figure there could be a number of other references that need changing / updating as well, but between now and a 4.6.7 release; was hoping someone could confirm or not…

As I understand CVE-2021-45105, it’s applicable only to systems that have a specific log4j configuration. Openfire does not have that configuration. I therefor believe that it is not vulnerable to this problem.

The upgrade to log4j 2.17.0 (or later) will be part of the upcoming Openfire 4.7.0 release. We are tracking this as issue [OF-2355] Update Log4j to 2.17.0 - Ignite Realtime Jira

Your suggested workaround might work. I’m not immediately see a reason why it wouldn’t. You’re obviously voiding any warranty by manually changing libraries. :wink:

Yeah, figured 4.7.0 would use 2.17.0, wasn’t sure of its release date or if they’d put put a quick 4.6.7 with the library update.

Not sure what warranty I’d be voiding? if by that you mean for the Enterprise people that have a paid contract, yeah we’re just using the free version.

Any thoughts on a 4.7.0 release date?

There is no Enterprise edition of Openfire. My ‘warranty’ remark was somewhat tongue-in-cheek.

I’m expecting 4.7.0 to land pretty soon - somewhere around the turn of the year, I think.