How to mitigate CVE-2021-45105 until Openfire 4.6.7 releases

Folks,

Have been keeping up with the log4j events, and there’s now a 3rd known vulnerability via CVE-2021-45105; doesn’t seem to be an Openfire fix yet (though I’m sure that’s coming).

In the meantime, Apache has a new download here; I’m running 4.6.6 on Windows Server 2019 and I can see in \…\openfire\lib there are 4 files:

  • log4j2.xml
  • log4j-api-2.16.0.jar
  • log4j-core-2.16.0.jar
  • log4j-slf4j-impl-2.16.0.jar

I can find the 2.17.0 replacements for the latter 3 files in Apache’s download; is it simply a matter of stopping the service, replacing those files and restarting, or do we need to wait for a 4.6.7 installer? I figure there could be a number of other references that need changing / updating as well, but between now and a 4.6.7 release, I was hoping someone could confirm or not…

As I understand CVE-2021-45105, it’s applicable only to systems that have a specific log4j configuration. Openfire does not have that configuration. I therefore believe that it is not vulnerable to this problem.

The upgrade to log4j 2.17.0 (or later) will be part of the upcoming Openfire 4.7.0 release. We are tracking this as issue [OF-2355] Update Log4j to 2.17.0 - Ignite Realtime Jira

Your suggested workaround might work. I don’t immediately see a reason why it wouldn’t. You’re obviously voiding any warranty by manually changing libraries. :wink:
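As an added example (not code from the Openfire project or from anyone in this thread), the following PowerShell script does the checks both posts above point to: it lists the log4j jars in openfire\lib with their versions, scans log4j2.xml for the `${ctx:...}` Context Lookup that CVE-2021-45105 requires in a Pattern Layout (a config without that lookup is not exposed to the recursion bug), and only with `-Apply` performs the stop / back up / replace / restart sequence from the question. The install path, the Windows service name `Openfire` and the staging folder holding the downloaded 2.17.0 jars are assumptions; it replaces only the three jars named above and nothing else.

```powershell
# Added example, not Openfire project code. Run in an elevated PowerShell session.
# Assumptions (labelled): default install path, service name "Openfire",
# and a staging folder into which the Apache 2.17.0 jars were unpacked.
[CmdletBinding()]
param(
    [string]$OpenfireHome  = 'C:\Program Files\Openfire',  # assumed install root
    [string]$ServiceName   = 'Openfire',                    # assumed service name
    [string]$StagingDir    = 'C:\Temp\log4j-2.17.0',        # assumed location of new jars
    [version]$MinimumFixed = [version]'2.17.0',             # first release fixing CVE-2021-45105
    [switch]$Apply                                          # without -Apply, report only
)

# Inventory log4j-*.jar in the lib folder and flag anything older than the fixed version.
function Get-Log4jJarReport {
    param([string]$LibDir, [version]$Minimum)
    Get-ChildItem -Path $LibDir -Filter 'log4j-*.jar' | ForEach-Object {
        if ($_.Name -match '^log4j-(.+)-(\d+\.\d+\.\d+)\.jar$') {
            [pscustomobject]@{
                File     = $_.Name
                Artifact = $Matches[1]            # api, core, slf4j-impl, ...
                Version  = [version]$Matches[2]
                Outdated = ([version]$Matches[2]) -lt $Minimum
            }
        }
    }
}

# CVE-2021-45105 needs a Pattern Layout that interpolates Thread Context data via a
# Context Lookup such as $${ctx:loginId}; count those in the config file.
function Test-ContextLookup {
    param([string]$ConfigPath)
    if (-not (Test-Path $ConfigPath)) { return $null }
    $hits = Select-String -Path $ConfigPath -Pattern '\$\{ctx:' -AllMatches
    [pscustomobject]@{
        Config         = $ConfigPath
        ContextLookups = ($hits | Measure-Object).Count   # 0 means the risky pattern is absent
    }
}

# Stop the service, move the old jars into a timestamped backup folder, copy in the
# matching replacement from the staging folder, and always restart the service.
function Update-Log4jJars {
    param([string]$LibDir, [string]$Staging, [string]$Service, [object[]]$Jars)
    $backup = Join-Path $LibDir ('log4j-backup-{0:yyyyMMdd-HHmmss}' -f (Get-Date))
    New-Item -ItemType Directory -Path $backup -Force | Out-Null
    Stop-Service -Name $Service -Force          # blocks until the service has stopped
    try {
        foreach ($jar in $Jars) {
            $pattern = '^log4j-{0}-\d+\.\d+\.\d+\.jar$' -f [regex]::Escape($jar.Artifact)
            $new = Get-ChildItem -Path $Staging -Filter 'log4j-*.jar' |
                   Where-Object { $_.Name -match $pattern } | Select-Object -First 1
            if (-not $new) { throw "No replacement for log4j-$($jar.Artifact) found in $Staging" }
            Move-Item -Path (Join-Path $LibDir $jar.File) -Destination $backup
            Copy-Item -Path $new.FullName -Destination $LibDir
            Write-Host "Replaced $($jar.File) with $($new.Name) (backup in $backup)"
        }
    } finally {
        Start-Service -Name $Service
    }
}

$libDir = Join-Path $OpenfireHome 'lib'
$jars   = Get-Log4jJarReport -LibDir $libDir -Minimum $MinimumFixed
$jars | Format-Table -AutoSize
Test-ContextLookup -ConfigPath (Join-Path $libDir 'log4j2.xml') | Format-List

$outdated = @($jars | Where-Object Outdated)
if ($outdated.Count -eq 0) {
    Write-Host "All log4j jars are at $MinimumFixed or newer."
} elseif ($Apply) {
    Update-Log4jJars -LibDir $libDir -Staging $StagingDir -Service $ServiceName -Jars $outdated
} else {
    Write-Host "Re-run with -Apply to stop '$ServiceName', back up and replace $($outdated.Count) jar(s)."
}
```

Run it once without `-Apply` to see the jar inventory and the Context Lookup count; a count of 0 matches the statement above that a stock Openfire config does not carry the pattern this CVE needs. The backup folder keeps the 2.16.0 jars so the swap can be reverted by moving them back and restarting the service.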

Yeah, figured 4.7.0 would use 2.17.0, wasn’t sure of its release date or if they’d put out a quick 4.6.7 with the library update.

Not sure what warranty I’d be voiding? If by that you mean for the Enterprise people that have a paid contract, yeah, we’re just using the free version.

Any thoughts on a 4.7.0 release date?

There is no Enterprise edition of Openfire. My ‘warranty’ remark was somewhat tongue-in-cheek.

I’m expecting 4.7.0 to land pretty soon - somewhere around the turn of the year, I think.