exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

OpenFire XMPP 3.9.3 Certificate Handling

OpenFire XMPP 3.9.3 Certificate Handling
Posted Apr 24, 2015
Authored by Simon Waters, Kim Alvefur

OpenFire XMPP versions 3.9.3 and below incorrectly accepts self-signed certificates potentially allowing for spoofing attacks.

tags | advisory, spoof
advisories | CVE-2014-3451, CVE-2015-2080
SHA-256 | d26c2fe0c0cc3b4027d438b3b2eba60b5fcea46aa1cc48496aed16c4a47ece9e

OpenFire XMPP 3.9.3 Certificate Handling

Change Mirror Download
Incorrect handling of self signed certificates in OpenFire XMPP Server


Affected software: OpenFire XMPP server
Affected versions: 3.9.3 and earlier
Vulnerabilities addressed: CVE-2014-3451, CVE-2015-2080

Openfire is a real time collaboration (RTC) server licensed under the Open Source Apache License. It uses the widely adopted open protocol for instant messaging, XMPP (also called Jabber).


Vulnerability details

The OpenFire server would incorrectly accept self signed certificates potentially allowing spoofing attacks.

This issue (CVE-2014-3451) is fixed in release 3.10 (OF-405).

We would like to thank Kim Alvefur for reporting this issue.


Notes on release

The 3.10 release of OpenFire also addresses a reflected XSS issue (OF-845), and upgrades the Jetty library used (addressing CVE-2015-2080).


Release announcement (includes link to download and SHA1 checksums)

https://community.igniterealtime.org/blogs/ignite/2015/04/22/openfire-3100-released



Simon Waters
phone +448454681066
email simon.waters@surevine.com
skype simon.waters.surevine


Participate | Collaborate | Innovate

Surevine Limited, registered in England and Wales with number 06726289. Mailing Address : PO Box 1136, Guildford GU1 9ND
If you think you have received this message in error, please notify us.
Login or Register to add favorites

File Archive:

October 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    39 Files
  • 2
    Oct 2nd
    23 Files
  • 3
    Oct 3rd
    18 Files
  • 4
    Oct 4th
    20 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    17 Files
  • 8
    Oct 8th
    66 Files
  • 9
    Oct 9th
    25 Files
  • 10
    Oct 10th
    20 Files
  • 11
    Oct 11th
    21 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close