Have been keeping up with the log4j events, and there’s now a 3rd known vulnerability via CVE-2021-45105; doesn’t seem to be an OpenFire fix yet (though I’m sure that’s coming).
In the meantime, Apache has a new download here; I’m running 4.6.6 on Windows Server 2019 and I can see in \…\openfire\lib there are 4 files:
I can find the 2.17.0 replacements for the latter 3 files in Apache’s download; is it simply a matter of stopping the service, replacing those files and restarting or do we need to wait for a 4.6.7 installer? Figure there could be a number of other references that need changing / updating as well, but between now and a 4.6.7 release; was hoping someone could confirm or not…
As I understand CVE-2021-45105, it’s applicable only to systems that have a specific log4j configuration. Openfire does not have that configuration. I therefore believe that it is not vulnerable to this problem.
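An added check, not from this thread and not Openfire's own tooling, that tests both conditions the advisory for CVE-2021-45105 names: a log4j-core jar in the affected range (2.0-alpha1 through 2.16.0, except the 2.3.1 and 2.12.3 backports) and a PatternLayout that resolves a Thread Context lookup such as `${ctx:loginId}`. The lib directory and the log4j2.xml location are parameters (where Openfire keeps its log4j2 config is an assumption here); the jar and config it runs against are constructed in a temp directory so it works offline.

```python
import re
import tempfile
import zipfile
from pathlib import Path

# Affected range per the CVE-2021-45105 advisory: 2.0-alpha1 .. 2.16.0, except the fixed backports.
FIXED_BACKPORTS = {(2, 3, 1), (2, 12, 3)}
# Matches ${ctx:...} and the escaped form $${ctx:...} used inside PatternLayout patterns.
CTX_LOOKUP = re.compile(r"\$+\{ctx:")

def log4j_core_version(jar_path):
    """Return the version from log4j-core's embedded Maven pom.properties, or None for other jars."""
    with zipfile.ZipFile(jar_path) as jar:
        for name in jar.namelist():
            if name.endswith("org.apache.logging.log4j/log4j-core/pom.properties"):
                for line in jar.read(name).decode().splitlines():
                    if line.startswith("version="):
                        return line.split("=", 1)[1].strip()
    return None

def version_tuple(version):
    """'2.15.0' -> (2, 15, 0); '2.0-alpha1' -> (2, 0, 1), which still sorts inside the range."""
    nums = [int(n) for n in re.findall(r"\d+", version)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def in_affected_range(version):
    v = version_tuple(version)
    return v not in FIXED_BACKPORTS and (2, 0, 0) <= v <= (2, 16, 0)

def assess(lib_dir, config_path):
    """Both conditions must hold: an affected log4j-core AND a context lookup in the logging config."""
    versions = [v for v in (log4j_core_version(j) for j in Path(lib_dir).glob("*.jar")) if v]
    uses_ctx = bool(CTX_LOOKUP.search(Path(config_path).read_text()))
    affected = any(in_affected_range(v) for v in versions)
    return {"log4j_core": versions, "context_lookup_in_config": uses_ctx, "exposed": affected and uses_ctx}

def make_fixture(version, pattern):
    """Constructed sample data: a minimal fake log4j-core jar plus a one-appender log4j2.xml."""
    d = Path(tempfile.mkdtemp())
    with zipfile.ZipFile(d / f"log4j-core-{version}.jar", "w") as jar:
        jar.writestr("META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties", f"version={version}\n")
    (d / "log4j2.xml").write_text('<Configuration><Appenders><Console name="c">'
                                  f'<PatternLayout pattern="{pattern}"/></Console></Appenders></Configuration>')
    return d

if __name__ == "__main__":
    # Default-style pattern vs. one with a context lookup, on an affected and a fixed version.
    for ver, pat in [("2.15.0", "%d %m%n"), ("2.15.0", "%d $${ctx:loginId} %m%n"), ("2.17.0", "%d $${ctx:loginId} %m%n")]:
        fixture = make_fixture(ver, pat)
        print(ver, repr(pat), assess(fixture, fixture / "log4j2.xml"))
```

To run it against a real install, call `assess()` with the Openfire lib folder and the path of its log4j2 configuration file instead of the fixture.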