The security issues/vulnerabilities in openfire-hazelcast-plugin:2.6.1

Hi Openfire dev team,

Firstly, thanks for providing such good open-source tools for the world.

But while using it these days, we found that the plugin ‘openfire-hazelcast-plugin:2.6.1’ (Ignite Realtime: Openfire Plugins) uses a very old library, ‘https://mvnrepository.com/artifact/com.hazelcast/hazelcast/3.12.5’. It has many vulnerabilities, such as:

  • [CVE-2022-36437]: The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection.
  • [CVE-2022-1471]: SnakeYaml’s Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution.
    (Filepath: /plugins/hazelcast.jar/lib/hazelcast-3.12.5.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml)
  • [CVE-2017-18640]: The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
    (Filepath: /plugins/hazelcast.jar/lib/hazelcast-3.12.5.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml)
  • [CVE-2022-25857]: The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
    (Filepath: /plugins/hazelcast.jar/lib/hazelcast-3.12.5.jar/META-INF/maven/org.snakeyaml/snakeyaml-engine/pom.xml)

I just want to know, do you have any plan to upgrade the dependency (hazelcast) from 3.12.5 to the latest version (5.3.1), which doesn’t have any vulnerabilities?

Thanks,
John
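The post's file paths show where the finding came from: a scanner that walks the plugin jar, opens the jars nested under lib/, and reads the Maven metadata they carry. The script below is an added example of that check, written for this thread; it is not code from the Openfire or Hazelcast projects. It walks a plugin jar recursively, collects every META-INF/maven/**/pom.properties, and compares each bundled artifact against a small table of "vulnerable below" versions. The snakeyaml floors 1.26 and 1.31 are taken from the CVE texts quoted above; the 2.0 floor for CVE-2022-1471 and the 3.12.13 floor for CVE-2022-36437 are assumptions from the upstream advisories, not something the post states. The table keys on exact Maven coordinates, so an artifact such as org.snakeyaml:snakeyaml-engine (the one named in the post's file path) is only flagged if a rule exists for it, and whether a given CVE applies to that artifact has to be checked against the advisory rather than inferred from the name. The sample jar built by build_sample_plugin_jar() is constructed for the example and uses org.yaml:snakeyaml 1.24 so that the rules hit; it is a simplified stand-in for the real plugin layout.

```python
"""Scan an Openfire plugin jar for bundled (nested) jars and flag known-vulnerable
versions by Maven coordinates. Added example for this thread; not Openfire or
Hazelcast project code."""
import io
import re
import sys
import zipfile

# Artifacts older than the listed version are flagged. The snakeyaml 1.26 and 1.31
# floors come from the CVE texts in the post; the snakeyaml 2.0 and hazelcast
# 3.12.13 floors are ASSUMPTIONS taken from upstream advisories, not from the post.
VULNERABLE_BELOW = {
    ("org.yaml", "snakeyaml"): [
        ("CVE-2017-18640", "1.26"),
        ("CVE-2022-25857", "1.31"),
        ("CVE-2022-1471", "2.0"),       # assumption: fixed in 2.0
    ],
    ("com.hazelcast", "hazelcast"): [
        ("CVE-2022-36437", "3.12.13"),  # assumption: first fixed 3.12.x release
    ],
}


def parse_version(v):
    """'3.12.5' -> (3, 12, 5). Non-numeric parts (e.g. 'SNAPSHOT') compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-]", v))


def parse_pom_properties(text):
    """Parse the key=value lines Maven writes into pom.properties."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def artifacts_in_jar(data, path=""):
    """Yield (path, groupId, artifactId, version) for every Maven artifact recorded
    in this jar or in any jar nested inside it (Openfire plugins ship their
    dependencies under lib/, and those jars may embed further metadata)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("pom.properties"):
                props = parse_pom_properties(zf.read(name).decode("utf-8", "replace"))
                if {"groupId", "artifactId", "version"} <= props.keys():
                    yield (f"{path}/{name}", props["groupId"],
                           props["artifactId"], props["version"])
            elif name.endswith(".jar"):
                yield from artifacts_in_jar(zf.read(name), f"{path}/{name}")


def find_vulnerable(data):
    """Return [(cve, 'group:artifact:version', path)] for every bundled artifact
    whose version is below a floor in VULNERABLE_BELOW."""
    findings = []
    for path, gid, aid, ver in artifacts_in_jar(data):
        for cve, fixed in VULNERABLE_BELOW.get((gid, aid), []):
            if parse_version(ver) < parse_version(fixed):
                findings.append((cve, f"{gid}:{aid}:{ver}", path))
    return findings


def build_sample_plugin_jar():
    """CONSTRUCTED sample input: a plugin jar with a nested hazelcast jar that also
    records a snakeyaml artifact. The hazelcast version mirrors the post; the
    layout and the snakeyaml coordinates are simplified for the example."""
    def props(g, a, v):
        return f"#Generated by Maven\ngroupId={g}\nartifactId={a}\nversion={v}\n"

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("META-INF/maven/com.hazelcast/hazelcast/pom.properties",
                   props("com.hazelcast", "hazelcast", "3.12.5"))
        z.writestr("META-INF/maven/org.yaml/snakeyaml/pom.properties",
                   props("org.yaml", "snakeyaml", "1.24"))
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("plugin.xml", "<plugin/>")
        z.writestr("lib/hazelcast-3.12.5.jar", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    # Usage: python scan_plugin_jar.py /path/to/openfire/plugins/hazelcast.jar
    # With no argument the constructed sample jar is scanned instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
    else:
        blob = build_sample_plugin_jar()
    for cve, coord, where in find_vulnerable(blob):
        print(f"{cve}\t{coord}\t{where}")
```

Point it at the hazelcast.jar under Openfire's plugins directory to get one line per matching CVE; an empty result only means nothing in the table matched, so extend VULNERABLE_BELOW with the coordinates and fixed versions from the advisories you care about rather than reading silence as a clean bill of health.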

Hello, would it be convenient to ask you some questions? My QQ is 785249446

We are tracking the effort to upgrade Hazelcast in the plugin in this ticket: Update to Hazelcast 5.0 · Issue #59 · igniterealtime/openfire-hazelcast-plugin · GitHub