In May 2023 a vulnerability in Openfire (CVE-2023-32315) was responsibly reported to the Openfire community by a security researcher (username Siebene), and handled by the Openfire community using a responsible disclosure process. This vulnerability allowed a malicious attacker to bypass administration controls of an Openfire server. Surevine actively contributed to developing the bugfix with the Openfire community and worked with them to develop a number of mitigations to existing systems for Openfire users who were not able to immediately track the upgrade.

On 23rd May 2023 a public announcement in the Openfire community released Openfire 4.7.5 along with a statement regarding the vulnerability; the security advisory is published here.

On 16th June 2023, the Openfire community became aware that this vulnerability had been exploited in unpatched installations ‘in the wild’ i.e. on production systems which are operated and maintained by users of Openfire. The earliest known date of exploitation was identified as 9th June 2023. The malicious actor used the vulnerability to create new admin console user accounts, which were then used to install a malicious Openfire plugin called ‘Product’. This plugin contains a remote web shell endpoint, which would allow an attacker to execute arbitrary commands and access any data on the server.

To attempt to give ‘credit’ to this plugin the malicious actor has set the author field to ‘Surevine’. Given that we, Surevine, have been involved in and an active member of the Openfire community for many years (we talk about our early involvement here and our involvement in this space today here) and were involved with remediation of the original vulnerability, this is likely to deceive a system owner into believing that the plugin is legitimate.

Openfire instances patched as per the instructions will not be vulnerable to this exploit. The security advisory (detailed above) also provides guidance on mitigation for installations which cannot track the latest version immediately.

Further development of the exploit is happening rapidly and is being tracked by the threat intelligence community.

What is Openfire?

Openfire is a fully featured XMPP server used by organisations around the world. It has a 15-year track record/heritage, a dedicated core team of developers, and boasts a broad set of built-in XEP implementations and others available through its plugin architecture. Its extensible, plugin-based architecture provides a valuable platform for features. The vibrant community is something which Surevine is committed to active and ongoing support of, to ensure that all of those who need real-time communications can benefit from that.