Any insight on how to mitigate this issue on older servers? Reportedly, Openfire 3.9.2 resolves this issue, but it doesn’t appear to be downloadable to the public.
It’s also reportedly recommended to disable XMPP Compression. I found the xmpp.client.compression.policy setting (http://community.igniterealtime.org/docs/DOC-1061), but I don’t know if this is a solution or not. It’s not a property by default in our System Properties, and I figured I’d ask before tinkering.
This commit is in reference to this CVE: http://fisheye.igniterealtime.org/changelog/openfiregit?cs=3aec383e07ee893b77396fe946766bbd3758af77
Unsure when we’ll get a new release pushed out.
You can either open Server / Server Manager / System Properties and set there:
‘xmpp.client.compression.policy’ = ‘disabled’
‘xmpp.server.compression.policy’ = ‘disabled’
Or use the easier way:
Server / Server Settings / Compression Settings
Client Compression Policy
[x] Not Available - Clients will not receive the option to use compressed traffic.
Openfire 3.9.2 is indeed not yet available.
OF-770 created to tie up the loose end on this
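
To confirm the compression settings described above took effect, check the stream features the server sends: once compression is disabled, the XEP-0138 compression feature should no longer be advertised. This is an added example, not code from the thread or from the Openfire project; the function names and both sample stanzas are constructed for illustration.

```python
import xml.etree.ElementTree as ET

STREAMS_NS = "http://etherx.jabber.org/streams"
COMPRESS_NS = "http://jabber.org/features/compress"  # XEP-0138 feature namespace

# Constructed samples. On the wire the "stream" prefix is declared on the
# stream root; it is repeated here so each fragment parses on its own.
FEATURES_BEFORE = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
  <compression xmlns='http://jabber.org/features/compress'>
    <method>zlib</method>
  </compression>
</stream:features>
"""
FEATURES_AFTER = """
<stream:features xmlns:stream='http://etherx.jabber.org/streams'>
  <starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>
  <mechanisms xmlns='urn:ietf:params:xml:ns:xmpp-sasl'>
    <mechanism>PLAIN</mechanism>
  </mechanisms>
</stream:features>
"""

def offered_compression_methods(features_xml):
    """Return the compression methods listed in a <stream:features/> stanza."""
    root = ET.fromstring(features_xml.strip())
    if root.tag != f"{{{STREAMS_NS}}}features":
        raise ValueError("expected a <stream:features/> element")
    methods = []
    for comp in root.findall(f"{{{COMPRESS_NS}}}compression"):
        for method in comp.findall(f"{{{COMPRESS_NS}}}method"):
            if method.text and method.text.strip():
                methods.append(method.text.strip())
    return methods

def compression_offered(features_xml):
    """True if the stanza advertises the compression feature at all."""
    root = ET.fromstring(features_xml.strip())
    return root.find(f"{{{COMPRESS_NS}}}compression") is not None

if __name__ == "__main__":
    for label, stanza in (("before", FEATURES_BEFORE), ("after", FEATURES_AFTER)):
        print(label, compression_offered(stanza), offered_compression_methods(stanza))
```

The server sends features again after each stream restart, so run the check on every features stanza in the session, and on a server-to-server stream as well if xmpp.server.compression.policy was changed.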