Security Issue: Uncontrolled Resource Consumption with XMPP-Layer Compression

http://xmpp.org/resources/security-notices/uncontrolled-resource-consumption-with-highly-compressed-xmpp-stanzas/

Any insight how to mitigate this issue on older servers? Reportedly, Openfire 3.9.2 resolves this issue, but it doesn’t appear to be downloadable to the public.

It’s also reportedly recommended to disable XMPP Compression. I found the xmpp.client.compression.policy setting (http://community.igniterealtime.org/docs/DOC-1061), but I don’t know if this is a solution or not. It’s not a property by default in our System Properties, and I figured I’d ask before tinkering.

Thank you,

Justin

This commit is in reference to this CVE http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77

Unsure when we’ll get a new release pushed out.

You can either open

Server / Server Manager / System Properties and set there:

‘xmpp.client.compression.policy’ = ‘disabled’

‘xmpp.server.compression.policy’ = ‘disabled’

Or use the easier way:

Server / Server Settings / Compression Settings

Client Compression Policy

[x] Not Available - Clients will not receive the option to use compressed traffic.

Openfire 3.9.2 is indeed not yet available.
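One way to confirm that the setting above actually took effect is to look at what the server advertises in its `<stream:features>`: with XEP-0138 compression available, the features contain a `<compression xmlns='http://jabber.org/features/compress'>` element listing the methods (typically `zlib`); once the policy is `disabled`, that element should be gone. The following is an added example written for this thread, not code from the forum posters or from the Openfire project. It assumes a plain client-to-server port (5222 by default) and uses constructed sample feature blobs for the offline check; the host and domain values are placeholders.

```python
"""Check whether an XMPP server still advertises XEP-0138 stream compression.

Added example, not part of the thread or of Openfire. Two pieces:
  * compression_methods(): parse a <stream:features> fragment and return
    the advertised compression methods (empty list = none advertised).
  * probe_server(): open a plain c2s connection (RFC 6120 stream header),
    read the first <stream:features>, and run the parser over it.

Caveat: many deployments only advertise compression after STARTTLS and/or
SASL.  An empty result from the pre-TLS probe therefore is not proof on its
own; feed a features blob captured from a client's XML debug log after
authentication through compression_methods() to be sure.
"""
import re
import socket
import xml.etree.ElementTree as ET
from typing import List, Optional

STREAM_NS = "http://etherx.jabber.org/streams"
COMPRESS_NS = "http://jabber.org/features/compress"

# Constructed sample: what a server offering zlib compression might send.
SAMPLE_COMPRESSION_ON = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
    "xmlns='jabber:client' from='example.invalid' id='c0ffee' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<compression xmlns='http://jabber.org/features/compress'>"
    "<method>zlib</method></compression>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)

# Constructed sample: the same server with the compression policy disabled.
SAMPLE_COMPRESSION_OFF = (
    "<?xml version='1.0' encoding='UTF-8'?>"
    "<stream:stream xmlns:stream='http://etherx.jabber.org/streams' "
    "xmlns='jabber:client' from='example.invalid' id='c0ffee' version='1.0'>"
    "<stream:features>"
    "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"
    "<mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>"
    "<mechanism>PLAIN</mechanism></mechanisms>"
    "</stream:features>"
)


def compression_methods(stream_xml: str) -> List[str]:
    """Return the compression methods advertised in a stream-features blob.

    The server's output is not a complete XML document (the <stream:stream>
    root is left open), so only the <stream:features> element is cut out and
    wrapped in a throwaway root that declares the stream prefix.
    """
    match = re.search(r"<stream:features[^>]*>.*?</stream:features>",
                      stream_xml, re.S)
    if not match:
        return []
    wrapped = f'<root xmlns:stream="{STREAM_NS}">{match.group(0)}</root>'
    try:
        root = ET.fromstring(wrapped)
    except ET.ParseError:
        return []
    methods = []
    for comp in root.iter(f"{{{COMPRESS_NS}}}compression"):
        for method in comp.findall(f"{{{COMPRESS_NS}}}method"):
            methods.append((method.text or "").strip())
    return methods


def probe_server(host: str, port: int = 5222, domain: Optional[str] = None,
                 timeout: float = 5.0) -> List[str]:
    """Send a stream header to host:port and parse the first stream features.

    Only the pre-TLS features are inspected (see module docstring caveat).
    """
    header = (
        "<?xml version='1.0'?>"
        f"<stream:stream to='{domain or host}' xmlns='jabber:client' "
        f"xmlns:stream='{STREAM_NS}' version='1.0'>"
    )
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(header.encode("utf-8"))
        while b"</stream:features>" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        sock.sendall(b"</stream:stream>")  # close the stream cleanly
    return compression_methods(buf.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("before:", compression_methods(SAMPLE_COMPRESSION_ON))   # ['zlib']
    print("after: ", compression_methods(SAMPLE_COMPRESSION_OFF))  # []
    # Live use (placeholder host): print(probe_server("xmpp.example.invalid"))
```

Run it against your own server after changing the policy; if `probe_server()` still reports `['zlib']`, the setting has not been applied (or the change needs a restart). Remember the caveat in the module docstring: a server that only offers compression after STARTTLS or SASL will look clean to the pre-TLS probe, so the parser on a post-authentication features blob is the conclusive check.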

Thank you both!

-Justin

OF-770 created to tie up the loose end on this