Hello! Our vulnerability scanner reports three problems on port 9090 of OpenFire server:
Web Directories Listable Vulnerability
Session Cookie Does Not Contain the “Secure” Attribute
HTTP Security Header Not Detected
Is there a solution for these issues?
OpenFire V4.7.5, Windows Server 2022, HSQL Database Engine 2.4.1, Java Version: 1.8.0_371 IBM Corporation – IBM J9 VM, Appserver: jetty/9.4.43.v20210629
Test 4.8.0 and see which of those are now fixed first?
Installing 4.8.0 would be a challenge for me, because it is delivered as part of our Contact Center.
I have inspected Changelog for 4.8.0 and didn’t find any mention of something similar to these issues. So I don’t expect much from the upgrade.
However, some known security problems (e.g. with TLS1.0 and TLS1.1) are easily fixed via configuration.