Hi Openfire dev team,
Firstly, thanks for providing such good open-source tools for the world.
But, while using it these days, we found that the plugin ‘openfire-hazelcast-plugin:2.6.1’ (Ignite Realtime: Openfire Plugins) uses a very old lib, ‘https://mvnrepository.com/artifact/com.hazelcast/hazelcast/3.12.5’. There are many vulnerabilities, such as:
- [CVE-2022-36437]: The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection.
- [CVE-2022-1471]: SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution.
  (Filepath: /plugins/hazelcast.jar/lib/hazelcast-3.12.5.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml)
- [CVE-2017-18640]: The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
  (Filepath: /plugins/hazelcast.jar/lib/hazelcast-3.12.5.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml)
- [CVE-2022-25857]: The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
  (Filepath: /plugins/hazelcast.jar/lib/hazelcast-3.12.5.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml)
I just want to know: do you have any plan to upgrade the dependency (hazelcast) from 3.12.5 to the latest version (5.3.1), which doesn’t have any vulnerability?
Thanks,
John
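As an added defender-side check (not part of the post above or of the Openfire project), the script below opens a plugin jar, reads the Maven pom.xml files embedded in its nested library jars, and flags any org.yaml:snakeyaml version older than the fixed versions named in the CVE texts quoted in the post. The in-memory sample jar, its coordinates and its versions are constructed for the demonstration, and the advisory table is an assumption that you would feed from your own advisory source.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Fixed-version thresholds from the CVE texts quoted in the post (constructed table).
ADVISORIES = {("org.yaml", "snakeyaml"): [("CVE-2017-18640", "1.26"),
                                          ("CVE-2022-25857", "1.31")]}
POM_RE = re.compile(r"^META-INF/maven/[^/]+/[^/]+/pom\.xml$")

def _ver(v):
    return tuple(int(p) for p in re.findall(r"\d+", v))

def _coords(pom_bytes):
    """groupId, artifactId, version from a pom.xml (falls back to <parent>)."""
    root = ET.fromstring(pom_bytes)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag[0] == "{" else ""
    def text(tag, node):
        el = node.find(ns + tag) if node is not None else None
        return el.text.strip() if el is not None and el.text else None
    parent = root.find(ns + "parent")
    return (text("groupId", root) or text("groupId", parent), text("artifactId", root),
            text("version", root) or text("version", parent))

def scan_plugin_jar(data):
    """Open each nested *.jar of a plugin jar in memory; return a list of
    (nested jar, coordinates, [CVE ids whose fixed version is newer])."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for name in (n for n in outer.namelist() if n.endswith(".jar")):
            with zipfile.ZipFile(io.BytesIO(outer.read(name))) as inner:
                for entry in filter(POM_RE.match, inner.namelist()):
                    g, a, v = _coords(inner.read(entry))
                    hits = [cve for cve, fixed in ADVISORIES.get((g, a), [])
                            if v and _ver(v) < _ver(fixed)]
                    findings.append((name, f"{g}:{a}:{v}", hits))
    return findings

def _pom(g, a, v):
    return f"<project><groupId>{g}</groupId><artifactId>{a}</artifactId><version>{v}</version></project>".encode()
def build_sample_plugin():
    """Constructed stand-in for plugins/hazelcast.jar: one nested
    lib/hazelcast-3.12.5.jar with two pom.xml files (sample coordinates/versions)."""
    inner, outer = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/com.hazelcast/hazelcast/pom.xml", _pom("com.hazelcast", "hazelcast", "3.12.5"))
        z.writestr("META-INF/maven/org.yaml/snakeyaml/pom.xml", _pom("org.yaml", "snakeyaml", "1.24"))
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("lib/hazelcast-3.12.5.jar", inner.getvalue())
    return outer.getvalue()
```

Point `scan_plugin_jar` at the bytes of a real plugin jar to get the same inventory for an installed deployment.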