Vulnerability scan result on Openfire

In the vulnerability scan result of Openfire v4.6.0, we found 3 issues.

  1. Password Hardcoded
    \xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java, line 10
    \xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java, line 11
    \xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java, line 14
    \xmppserver\src\test\java\org\jivesoftware\openfire\auth\JDBCAuthProviderTest.java, line 15
    \xmppserver\src\test\java\org\jivesoftware\openfire\keystore\OpenfireX509TrustManagerTest.java, line 47

Q>> Would like to confirm that those hardcoded passwords are for test purposes. They have no actual use in any authentication.

  2. Weak Cryptographic Hash
    /xmppserver/src/main/java/org/jivesoftware/openfire/auth/AuthFactory.java, line 65
    /xmppserver/src/main/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java, line 288
    /xmppserver/src/main/java/org/jivesoftware/openfire/auth/DefaultAuthProvider.java, line 333
    /xmppserver/src/main/java/org/jivesoftware/openfire/auth/JDBCAuthProvider.java, line 281
    /xmppserver/src/main/java/org/jivesoftware/openfire/sasl/ScramSha1SaslServer.java, line 202
    /xmppserver/src/main/java/org/jivesoftware/util/Blowfish.java, line 1509

Q>> Will there be any change to use stronger crypto algorithms other than MD4, MD5, SHA-1 in a later version?

  3. Command Injection
    /starter/src/main/java/org/jivesoftware/openfire/launcher/Launcher.java, line 451
    /starter/src/main/java/org/jivesoftware/openfire/launcher/Launcher.java, line 438
    /starter/src/main/java/org/jivesoftware/openfire/launcher/Launcher.java, line 441

Q>> Will there be any code improvement on this issue in a later version?

On the first point, yes. Those are tests.

On the second point, the presence of stronger encryption won’t remove those scan results. You’d have to remove the weaker encryption methods, which would preclude older clients. That’s not planned.

On the third point, that’s the launcher, so relatively low risk (i.e. not used after the first seconds of operation) and it’s expected to act directly on user input. What’s the actual problem the scanner is reporting?

Further, I’d suggest doing your scans against Openfire 4.7.4, the current release. Any changes made won’t be backported to the 4.6 branch.