XMPP Cleartext authentication detected as security issue


#1

Our Tenable scans have detected “XMPP Cleartext authentication” on my Openfire server (version 4.2.3), which is slated to replace my current Openfire v3.10.2 server soon. When it was detected on my current/old server, I was able to mitigate it by adding/editing the sasl.mechs server property to read: CRAM-MD5,DIGEST-MD5,ANONYMOUS,JIVE-SHAREDSECRET,GSSAPI,EXTERNAL (removing PLAIN from the list). But when I try the same on my new/upcoming server, Spark fails to connect. When I remove the sasl.mechs property, Spark connects fine. Unfortunately, I cannot remember if changing the sasl.mechs was the only thing I’d done or if I am missing additional steps. Any insights? Has anyone else had to deal with mitigating this issue?

Thanks!
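The scanner finding in the post above comes from the SASL mechanism list an XMPP server advertises in `<stream:features>`: if PLAIN is offered while STARTTLS is optional or absent, credentials can travel unencrypted. The following Python script is an added example, not code from this thread or from the Openfire project. It parses two constructed `<stream:features>` samples (one weak, one hardened) and reports the same condition a scanner would flag, and it also splits a `sasl.mechs`-style property value so you can confirm PLAIN was removed before testing client connectivity.

```python
import xml.etree.ElementTree as ET

STREAM_NS = "http://etherx.jabber.org/streams"
SASL_NS = "urn:ietf:params:xml:ns:xmpp-sasl"
TLS_NS = "urn:ietf:params:xml:ns:xmpp-tls"

# Constructed sample: features a server might send on the initial (pre-TLS)
# stream. STARTTLS is offered but not required, and PLAIN is listed.
SAMPLE_FEATURES_WEAK = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"/>
  <mechanisms xmlns="urn:ietf:params:xml:ns:xmpp-sasl">
    <mechanism>PLAIN</mechanism>
    <mechanism>DIGEST-MD5</mechanism>
    <mechanism>SCRAM-SHA-1</mechanism>
  </mechanisms>
</stream:features>"""

# Constructed sample: STARTTLS is mandatory and no SASL mechanisms are offered
# until the stream has been upgraded to TLS.
SAMPLE_FEATURES_HARDENED = """<stream:features xmlns:stream="http://etherx.jabber.org/streams">
  <starttls xmlns="urn:ietf:params:xml:ns:xmpp-tls"><required/></starttls>
</stream:features>"""


def parse_features(xml_text):
    """Extract STARTTLS status and SASL mechanisms from a <stream:features> stanza."""
    root = ET.fromstring(xml_text)
    starttls = root.find("{%s}starttls" % TLS_NS)
    required = starttls is not None and starttls.find("{%s}required" % TLS_NS) is not None
    mechs_el = root.find("{%s}mechanisms" % SASL_NS)
    mechanisms = []
    if mechs_el is not None:
        for m in mechs_el.findall("{%s}mechanism" % SASL_NS):
            if m.text:
                mechanisms.append(m.text.strip())
    return {
        "starttls_offered": starttls is not None,
        "starttls_required": required,
        "mechanisms": mechanisms,
    }


def cleartext_auth_findings(features):
    """Return human-readable findings for the cleartext-authentication condition."""
    findings = []
    if "PLAIN" in features["mechanisms"] and not features["starttls_required"]:
        findings.append("PLAIN offered before TLS is mandatory")
    if not features["starttls_offered"]:
        findings.append("STARTTLS not offered")
    return findings


def mechanisms_from_property(value):
    """Split a comma-separated sasl.mechs-style value into a clean mechanism list."""
    return [m.strip().upper() for m in value.split(",") if m.strip()]


if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_FEATURES_WEAK), ("hardened", SAMPLE_FEATURES_HARDENED)):
        feats = parse_features(sample)
        print(name, feats, cleartext_auth_findings(feats))
    # The property value from the post above, with PLAIN removed:
    print(mechanisms_from_property("CRAM-MD5,DIGEST-MD5,ANONYMOUS,JIVE-SHAREDSECRET,GSSAPI,EXTERNAL"))
```

To audit a live server you would feed `parse_features` the `<stream:features>` stanza captured from the initial stream (before STARTTLS); the hardened shape, where TLS is `<required/>` and mechanisms are only advertised after the upgrade, clears the finding without having to drop PLAIN entirely, which is relevant when a client only supports PLAIN over TLS.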


#2

You may try with 4.3.0 version as it is the latest release currently. Also, what version of Spark? @speedy used to play with sasl.mechs properties, maybe he will have something to add.


#3

The setting for this has changed a bit in the more current release. The properties have changed, but the SASL mechs can be changed via the GUI. I have Nessus at work, so I can try and confirm some of this on Tuesday if needed.


#4

Thanks for getting back to me. Yes, I was using Spark 2.8.3 to connect. Upgrade to Openfire 4.3.0? I hadn’t realized that it came out of beta yet.


#5

That would be of great help. Thanks!