Vulnerability Note VU#495476
Openfire contains an uncontrolled resource consumption vulnerability
Original Release date: 16 Apr 2014 | Last revised: 23 Apr 2014
Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption (CWE-400) vulnerability when using XMPP DEFLATE message compression.
Openfire 3.9.1, and possibly earlier versions, contains an uncontrolled resource consumption (CWE-400) vulnerability when using XMPP DEFLATE message compression. It has been reported that a highly compressed XMPP message of 4 MB that decompresses to 4 GB (a ratio of roughly 1000:1, close to the maximum DEFLATE can achieve) may cause memory exhaustion and a denial of service, because the server places no bound on how much data a compressed stream is allowed to expand to. Several such messages may be sent in parallel to amplify the effect.
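To make the failure mode concrete, the following Python example (added here; it is not code from the advisory or from Openfire, which is written in Java) builds a scaled-down DEFLATE bomb with the standard zlib module and contrasts an unbounded inflate with one that caps the inflated output and stops reading input as soon as the cap is hit. The 16 MiB plaintext size, the 1 MiB cap and the sample stanza are arbitrary choices for the demonstration, not values taken from Openfire.

```python
import zlib

# Constructed inputs for the demonstration: a small XMPP-style stanza and a
# decompression bomb made from a long run of zero bytes. The bomb is scaled
# down from the advisory's 4 MB -> 4 GB payload so it runs quickly in memory;
# the compression ratio is of the same order (hundreds to one).
STANZA = b"<message to='alice@example.com'><body>hello</body></message>"
STANZA_COMPRESSED = zlib.compress(STANZA)
BOMB_PLAINTEXT_SIZE = 16 * 1024 * 1024  # 16 MiB of zeros before compression


def make_bomb(size: int = BOMB_PLAINTEXT_SIZE) -> bytes:
    """Compress `size` zero bytes at the highest level; DEFLATE packs a
    constant run at close to its ~1000:1 ceiling."""
    return zlib.compress(b"\x00" * size, 9)


def naive_inflate(data: bytes) -> int:
    """The vulnerable pattern: inflate everything the peer sent, however
    large the result turns out to be. Returns the number of bytes produced."""
    return len(zlib.decompress(data))


class OutputLimitExceeded(Exception):
    """Raised when the inflated output would exceed the configured cap."""

    def __init__(self, output_len: int, consumed: int, total: int):
        super().__init__(
            f"inflated output exceeded cap after consuming {consumed} of "
            f"{total} input bytes")
        self.output_len = output_len
        self.consumed = consumed


def bounded_inflate(data: bytes, max_output: int, chunk: int = 64 * 1024) -> bytes:
    """Inflate `data`, aborting as soon as cumulative output exceeds
    `max_output`. zlib.decompressobj.decompress(max_length) returns output in
    bounded chunks and parks unprocessed input in `unconsumed_tail`, so a bomb
    is rejected after only a small prefix of the input has been touched."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while True:
        piece = d.decompress(pending, chunk)
        out += piece
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise OutputLimitExceeded(len(out), consumed, len(data))
        pending = d.unconsumed_tail
        # Stop at end of stream, or when neither input nor output is moving.
        if d.eof or (not pending and not piece):
            break
    out += d.flush()
    if len(out) > max_output:
        raise OutputLimitExceeded(len(out), len(data), len(data))
    return bytes(out)


def inflate_report(data: bytes, max_output: int) -> tuple:
    """Convenience wrapper: (accepted, inflated_bytes, input_bytes_consumed)."""
    try:
        out = bounded_inflate(data, max_output)
        return True, len(out), len(data)
    except OutputLimitExceeded as exc:
        return False, exc.output_len, exc.consumed


if __name__ == "__main__":
    bomb = make_bomb()
    print(f"bomb: {len(bomb)} compressed bytes -> {naive_inflate(bomb)} inflated bytes")
    print("bounded inflate, 1 MiB cap:", inflate_report(bomb, 1024 * 1024))
    print("legitimate stanza, 1 MiB cap:", inflate_report(STANZA_COMPRESSED, 1024 * 1024))
```

The cap has to be applied to the inflated byte count rather than to the compressed stanza size, since the whole point of the attack is that the compressed form is small; a per-connection cap on inflated bytes per stanza, or a maximum expansion ratio, is the usual defence against this class of bug.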
A remote unauthenticated attacker may be able to cause a denial-of-service condition.
We are currently unaware of a practical solution to this problem. A fix is available in the development branch of Openfire, but a stable release containing it is not available yet. Please consider the following workarounds.
Restrict Network Access
As a general good security practice, only allow connections from trusted hosts and networks if possible. Restricting access would prevent an attacker from connecting to the service from a blocked network location.
Disable XMPP Compression
Navigate to the menu Server -> Server Settings -> Compression Settings -> Client Compression Policy and check the option Not Available – Clients will not receive the option to use compressed traffic.
Vendor Information

Vendor     Status     Date Notified   Date Updated
Openfire   Affected   25 Feb 2014     16 Apr 2014
CVSS Metrics
Thanks to Giancarlo Pellegrino for reporting this vulnerability.
This document was written by Jared Allar.
Date First Published: 16 Apr 2014
Date Last Updated: 23 Apr 2014