Openfire 4.6.7 has been released with only a single change to bump the bundled log4j library to version 2.17.1. Whilst we do not believe Openfire to be vulnerable to the CVEs associated with the log4j 2.17.0 and 2.17.1 releases, we realize that many folks are running naive security scanners that are simply checking for bundled jar versions.
SHA-256 checksums of the release artifacts:

1a8f1516a3d398b7701ec9a1c8b790a9ece8f3ea59265ccce4e769af5d485f26 openfire-4.6.7-1.i686.rpm
11972b17d60b828345b75fa049469085f22b9aa233082f8fb9bcac90ba0876a6 openfire-4.6.7-1.noarch.rpm
d802fbd9b1a4011fe23c6338d77642cfbc813760d1f5c805bc5934881635edfb openfire-4.6.7-1.x86_64.rpm
4ab20cb022d5068c1dc0c7024350db4ac63b28a757e216e98ee6863d8ec7d253 openfire_4.6.7_all.deb
2157a17479acc12e6392ad10c2c61d38e478438a279c970a15313e1a49cce7ba openfire_4_6_7_bundledJRE.exe
ac1e91d23742493a4d56f489e52f77ee5f1db138091600f84b406956e6b701ef openfire_4_6_7_bundledJRE_x64.exe
baae9416e5979a7dc1c44dab156e540152baf3368e8afe838ee70a64dcaf2ca2 openfire_4_6_7.dmg
b76b304dcbca084830d52da900051f837f605ce22411033fae68a00d28dc0c34 openfire_4_6_7.exe
6b2ba7c4976dbd36249269a453eb176d71a1e7f80575951cdd173d0ec4247056 openfire_4_6_7.tar.gz
fec61e4a573faf634336e535c51112ab94c3f09388ea16948b8c6906ebbdf9ef openfire_4_6_7_x64.exe
1a92b45968719b7de00181d8dcfc5ef10e335b02deafcf7d6a5053a968ed0646 openfire_4_6_7.zip
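The checksum list above is only useful if it is actually checked against what was downloaded. The following is an added example, not Openfire project code and not part of this announcement: it parses the published "digest filename" pairs (including the flattened single-line form they sometimes arrive in), hashes whatever artifacts sit in a download directory, and reports each file as ok, mismatched, missing, or unexpected. The directory path in the `__main__` demo is an assumption; the digests are the ones published above.

```python
"""Verify downloaded Openfire 4.6.7 artifacts against the published SHA-256 list.

Added example for this release note; not part of the Openfire project.
"""
import hashlib
from pathlib import Path

# Pasted from the release post. The format is "<sha256 hex> <filename>" pairs;
# extraction sometimes flattens all pairs onto one line, which the parser accepts.
OPENFIRE_4_6_7_CHECKSUMS = """
1a8f1516a3d398b7701ec9a1c8b790a9ece8f3ea59265ccce4e769af5d485f26 openfire-4.6.7-1.i686.rpm
11972b17d60b828345b75fa049469085f22b9aa233082f8fb9bcac90ba0876a6 openfire-4.6.7-1.noarch.rpm
d802fbd9b1a4011fe23c6338d77642cfbc813760d1f5c805bc5934881635edfb openfire-4.6.7-1.x86_64.rpm
4ab20cb022d5068c1dc0c7024350db4ac63b28a757e216e98ee6863d8ec7d253 openfire_4.6.7_all.deb
2157a17479acc12e6392ad10c2c61d38e478438a279c970a15313e1a49cce7ba openfire_4_6_7_bundledJRE.exe
ac1e91d23742493a4d56f489e52f77ee5f1db138091600f84b406956e6b701ef openfire_4_6_7_bundledJRE_x64.exe
baae9416e5979a7dc1c44dab156e540152baf3368e8afe838ee70a64dcaf2ca2 openfire_4_6_7.dmg
b76b304dcbca084830d52da900051f837f605ce22411033fae68a00d28dc0c34 openfire_4_6_7.exe
6b2ba7c4976dbd36249269a453eb176d71a1e7f80575951cdd173d0ec4247056 openfire_4_6_7.tar.gz
fec61e4a573faf634336e535c51112ab94c3f09388ea16948b8c6906ebbdf9ef openfire_4_6_7_x64.exe
1a92b45968719b7de00181d8dcfc5ef10e335b02deafcf7d6a5053a968ed0646 openfire_4_6_7.zip
"""

HEX_DIGITS = set("0123456789abcdef")


def parse_checksum_list(text):
    """Return {filename: sha256_hex}; tolerant of newlines or a single flattened line."""
    tokens = text.split()
    if len(tokens) % 2:
        raise ValueError("checksum list must consist of <digest> <filename> pairs")
    expected = {}
    for digest, name in zip(tokens[::2], tokens[1::2]):
        digest = digest.lower()
        if len(digest) != 64 or not set(digest) <= HEX_DIGITS:
            raise ValueError(f"not a SHA-256 hex digest for {name}: {digest}")
        expected[name] = digest
    return expected


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """Streaming SHA-256 so installer-sized files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digests(expected, actual):
    """Compare {name: expected_hex} with {name: actual_hex}.

    Returns {name: 'ok' | 'mismatch' | 'missing' | 'unexpected'}. A file present on
    disk but absent from the published list is flagged rather than silently passed.
    """
    report = {}
    for name, digest in expected.items():
        if name not in actual:
            report[name] = "missing"
        else:
            report[name] = "ok" if actual[name] == digest else "mismatch"
    for name in actual:
        if name not in expected:
            report[name] = "unexpected"
    return report


def verify_bytes(expected, artifacts):
    """Verify in-memory artifacts {name: bytes}; handy for tests and small files."""
    return verify_digests(expected, {n: sha256_hex(b) for n, b in artifacts.items()})


def verify_directory(directory, expected):
    """Verify every regular file in `directory` against the published digests."""
    directory = Path(directory)
    actual = {p.name: sha256_file(p) for p in directory.iterdir() if p.is_file()}
    return verify_digests(expected, actual)


if __name__ == "__main__":
    # Assumed download location; adjust to wherever the installers were saved.
    expected = parse_checksum_list(OPENFIRE_4_6_7_CHECKSUMS)
    for name, status in sorted(verify_directory("./downloads", expected).items()):
        print(f"{status:10s} {name}")
```

Anything other than `ok` for the artifact you intend to install should stop the rollout; a `mismatch` on a file fetched from a mirror is the case this list exists to catch.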
At this point, and due to limited community usage, we do not plan to create an additional 4.5 series release with this change. Please note that the 4.7.0-beta release of Openfire was made prior to all the security vulnerabilities associated with log4j and is thus vulnerable. We hope to finalize a 4.7.0 release very soon, which will also bring log4j to version 2.17.1.

Update: we needed a 4.5 release for a different issue. We pulled in the log4j update as we were releasing anyway.
Thanks for your usage and interest in Openfire!