Openfire 4.6.7 released (Log4j 2.17.1 only change)

Openfire 4.6.7 has been released with only a single change to bump the bundled log4j library to version 2.17.1. Whilst we do not believe Openfire to be vulnerable to the CVEs associated with the log4j 2.17.0 and 2.17.1 releases, we realize that many folks are running naive security scanners that are simply checking for bundled jar versions.

The changelog denotes the one Jira issue closed by this release. You can find Openfire build artifacts available for download here, and they have the following sha256sum values.


At this point and due to limited community usage, we do not plan to create an additional 4.5 series release with this associated change. Please note that the 4.7.0-beta release of Openfire was made prior to all the security vulnerabilities associated with log4j and is thus vulnerable. We hope to finalize a 4.7.0 release very soon, which will also bring log4j to version 2.17.1. Update: we needed a 4.5 release for a different issue. We pulled in the log4j update as we were releasing anyway.

Thanks for your usage and interest in Openfire!

For other release announcements and news follow us on Twitter

4 Likes

Attention!!

With this version 4.6.x, it was not updated:

And 4.5.x has not either:

@Neustradamus, please stop crying wolf. You are needlessly alarming people. I have explained to you multiple times why we choose to not update certain libraries at this point.

Certain CVEs, even if they’re reported for the library, do not apply to Openfire (since it’s not using that specific functionality from the library), or have a vulnerability that is of low risk as compared to functional bugs known to exist in these older versions of Openfire.

Updating such a library in Openfire would introduce a risk (of changing/broken behavior), without much benefit. For these libraries, we explicitly choose to not update them in Openfire in these releases. We might include them in future releases, but only if we feel that the benefits outweigh the risks.

1 Like

The Openfire version in my local setup is around 3.8.0, and the log4j version is 1.x. Now I would like to upgrade my log4j version to 2.17.1. What steps do I need to follow in order to achieve this? Please help me with this.

First, make sure that you have a backup of everything, so that you can roll back in case something unexpected happens. Generally, Openfire updates work without a flaw, but it’s better to be safe than sorry. Also, you’re upgrading from a very old version, so precautions are in order. The upgrade process is documented in Openfire: Upgrade Guide. Basically, you simply install the new version of Openfire on top of the old one.
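After an upgrade, or when one of the version-checking scanners the announcement mentions raises an alert, it helps to verify the bundled log4j version the same way such a scanner does: by reading the jar's own Maven metadata rather than trusting the file name. The Python below is an added example, not code from the Openfire project or from anyone in this thread; the lib directory path, the jar names and the sample jars it builds are constructed assumptions.

```python
import re
import tempfile
import zipfile
from pathlib import Path

MIN_VERSION = (2, 17, 1)  # the log4j version Openfire 4.6.7 bundles
# Maven metadata paths inside log4j 2.x core jars and log4j 1.x jars
POM_PATHS = (
    "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties",
    "META-INF/maven/log4j/log4j/pom.properties",
)
NAME_RE = re.compile(r"^log4j(?:-[a-z0-9-]+)?-(\d+(?:\.\d+)*)\.jar$")

def parse_version(text):
    """'2.17.1' -> (2, 17, 1); tuples compare component by component."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def jar_version(jar_path):
    """Prefer the Maven metadata inside the jar; fall back to the file name."""
    with zipfile.ZipFile(jar_path) as zf:
        for pom in POM_PATHS:
            if pom in zf.namelist():
                for line in zf.read(pom).decode().splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    m = NAME_RE.match(Path(jar_path).name)
    return parse_version(m.group(1)) if m else None

def check_lib_dir(lib_dir):
    """Map each log4j*.jar in lib_dir to (version, meets MIN_VERSION)."""
    versions = {j.name: jar_version(j) for j in Path(lib_dir).glob("log4j*.jar")}
    return {n: (v, v is not None and v >= MIN_VERSION) for n, v in versions.items()}

def make_sample_jar(directory, name, pom_version=None):
    """Constructed sample jar: empty apart from an optional Maven version stamp."""
    path = Path(directory) / name
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if pom_version:
            zf.writestr(POM_PATHS[0], f"version={pom_version}\n")
    return path

def demo():
    """Constructed lib dir: an upgraded jar, a log4j 1.x jar and a renamed jar."""
    lib = Path(tempfile.mkdtemp())
    make_sample_jar(lib, "log4j-core-2.17.1.jar", "2.17.1")
    make_sample_jar(lib, "log4j-1.2.17.jar")  # 1.x jar: version from name only
    make_sample_jar(lib, "log4j-core.jar", "2.16.0")  # renamed jar: metadata only
    return check_lib_dir(lib)
```

Point `check_lib_dir` at a real Openfire `lib` directory to see every log4j jar, its detected version and whether it meets 2.17.1; the 1.x jar in the demo shows how the old version from the question above would be reported.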