Openfire Eclipse Jetty Server CVEs

I am running Openfire 4.3.2 in a Windows environment, and my outside security team just flagged the server as a High Vulnerability risk because of Eclipse Jetty Server CVE-2017-7658 and a Medium risk because of CVE-2018-12536. Is this something that is going to be resolved in the next version of Openfire, and if yes, is there an ETA as to when that will be ready? On the other hand, if not, I will have to start looking for an alternative to this software. Or the other possibility is that, the way Openfire is written, it may not actually be an issue; I am not entirely sure. Any feedback would be appreciated on this.

CVE-2017-7658 (https://nvd.nist.gov/vuln/detail/CVE-2017-7658) is vague: it lists 9.4.x and not specific versions. Possibly at the time of posting this CVE all versions were affected, but it hasn't been updated since the patches were released.

At least here:
https://securitytracker.com/id/1041194
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535669
it lists 9.4.11 as fixed version. Openfire 4.3.2 uses 9.4.12.

Same with https://nvd.nist.gov/vuln/detail/CVE-2018-12536
Fixed in 9.4.11:
https://bugs.eclipse.org/bugs/show_bug.cgi?id=535670
https://securitytracker.com/id/1041194
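To triage a scanner finding like this one, compare the Jetty version actually bundled with Openfire against the version the fix landed in, rather than relying on the scanner's banner match. The following is an added example, not code from Openfire or the Jetty project; the fixed-in mapping reflects only what the links above state (both CVEs fixed in 9.4.11), and the version strings are constructed inputs.

```python
import re

# Fixed-in versions as stated in the thread (securitytracker / bugs.eclipse.org).
# Constructed mapping for this example; extend it from your own advisory data.
FIXED_IN = {
    "CVE-2017-7658": "9.4.11",
    "CVE-2018-12536": "9.4.11",
}


def parse_jetty_version(version):
    """Turn a Jetty version string such as '9.4.12.v20180830' into a
    comparable (major, minor, patch) tuple, ignoring the date-stamped
    'vYYYYMMDD' qualifier that Jetty appends to release jars."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Jetty version: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_affected(installed, cve):
    """True if the installed Jetty version predates the fix for this CVE."""
    return parse_jetty_version(installed) < parse_jetty_version(FIXED_IN[cve])


def triage(installed, cves=tuple(FIXED_IN)):
    """Map each flagged CVE to 'affected' or 'fixed' for the bundled Jetty.

    A 'fixed' verdict means the scanner is most likely matching on the
    Jetty 9.4.x major/minor line rather than on the real patch level, and
    the finding can be challenged with the vendor using the bug links above.
    """
    return {cve: ("affected" if is_affected(installed, cve) else "fixed")
            for cve in cves}


if __name__ == "__main__":
    # Openfire 4.3.2 ships Jetty 9.4.12 according to the thread.
    for cve, verdict in triage("9.4.12.v20180830").items():
        print(f"{cve}: {verdict}")
```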

Thank you for the information. I will bring this up with our security vendor and ask why they are flagging these for us.