Test / instruct limiting exposure of admin console to loopback interface

Description

A mitigating action is to limit network access to the admin console. This will make it harder for malicious users to abuse the vulnerability.

One way of doing this is by making changes to openfire.xml, by defining the loopback interface as the only interface on which the admin console is made available.

Test if this configuration in openfire.xml is effective (e.g. does using this setting actually prevent access from outside of the local host - I have never used it).

The Security Vulnerability should contain a definition for this as a mitigating action. Add examples and illustrations.
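As an added example (not code from this ticket or from the Openfire project) of how the "is it effective" test above can be automated from the host: the script reads the admin console bind address out of an openfire.xml fragment and compares it with a listening-socket snapshot in `ss -ltn` style, classifying each admin console port as loopback-only, exposed, or not listening at all. The `<adminConsole><interface>` element, the port numbers 9090/9091/7070 taken from the comments, and both sample inputs are constructed assumptions for the example; the "not-listening" state covers the outcome reported for `lo` on Windows, where nothing at all is reachable.

```python
"""Offline check: is the Openfire admin console bound only to loopback?

Added example; the openfire.xml layout and the ss-style snapshot below are
constructed assumptions, not data from the ticket or the project.
"""
import xml.etree.ElementTree as ET

ADMIN_PORTS = {9090, 9091}          # plain / TLS admin console ports (from the ticket)
LOOPBACK = {"127.0.0.1", "::1"}     # addresses accepted as "local host only"

# Constructed openfire.xml fragment (assumed <adminConsole><interface> layout).
SAMPLE_OPENFIRE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<jive>
  <adminConsole>
    <interface>127.0.0.1</interface>
    <port>9090</port>
    <securePort>9091</securePort>
  </adminConsole>
</jive>
"""

# Constructed listening-socket snapshot in the style of `ss -ltn` output:
# admin console on loopback only, HTTP-bind (7070) still reachable from outside.
SAMPLE_LISTENERS = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      127.0.0.1:9090       0.0.0.0:*
LISTEN  0       50      127.0.0.1:9091       0.0.0.0:*
LISTEN  0       50      0.0.0.0:7070         0.0.0.0:*
"""


def configured_interface(xml_text):
    """Return the admin console bind address from openfire.xml, or None if unset."""
    root = ET.fromstring(xml_text)
    node = root.find("./adminConsole/interface")
    if node is None or not (node.text or "").strip():
        return None
    return node.text.strip()


def parse_listeners(ss_output):
    """Parse LISTEN lines of `ss -ltn` output into (address, port) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        if not line.startswith("LISTEN"):
            continue
        local = line.split()[3]                 # e.g. 127.0.0.1:9090 or [::]:9090
        addr, _, port = local.rpartition(":")
        listeners.append((addr.strip("[]"), int(port)))
    return listeners


def assess(xml_text, ss_output):
    """Classify each admin port as 'loopback', 'exposed' or 'not-listening'."""
    bound = {}
    for addr, port in parse_listeners(ss_output):
        bound.setdefault(port, set()).add(addr)
    report = {"interface": configured_interface(xml_text), "ports": {}}
    for port in sorted(ADMIN_PORTS):
        addrs = bound.get(port, set())
        if not addrs:
            # e.g. an interface name the OS does not know: console reachable by nobody
            report["ports"][port] = "not-listening"
        elif addrs <= LOOPBACK:
            report["ports"][port] = "loopback"
        else:
            # wildcard (0.0.0.0, ::, *) or a routable address: still reachable remotely
            report["ports"][port] = "exposed"
    return report


def is_mitigated(report):
    """True only when every admin console port is bound to a loopback address."""
    return all(state == "loopback" for state in report["ports"].values())


if __name__ == "__main__":
    result = assess(SAMPLE_OPENFIRE_XML, SAMPLE_LISTENERS)
    print(result, "mitigated" if is_mitigated(result) else "NOT mitigated")
```

On a real host, feed the script the actual openfire.xml and the output of `ss -ltn`; a result of `not-listening` means the console is unreachable for administrators too, which is the failure mode to distinguish from a working loopback-only binding.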

Environment

None

Activity


Guus der Kinderen May 17, 2023 at 8:49 AM

We’ve found that using 127.0.0.1 generically works on all tested environments. To simplify instructions, the Security Advisory description was modified to suggest that value, instead of platform-dependent values.

Dan Caseley May 9, 2023 at 9:30 PM

Security Advisory updated.

Dan Caseley May 9, 2023 at 9:27 PM

Windows doesn’t have a loopback interface by default. Using lo gets you an Admin Console accessible by nobody at all - super secure

Using 127.0.0.1 for the interface works as expected though.

Dan Caseley May 9, 2023 at 8:25 PM

Have tested the instructions on Linux, using a Docker container.

When added to the openfire.xml, the container is accessible on 7070 but not 9090/9091.

Needs some Windows testing next…

Dan Caseley May 9, 2023 at 8:00 PM

Fixed

Details

Created May 9, 2023 at 2:58 PM
Updated May 17, 2023 at 8:49 AM
Resolved May 12, 2023 at 4:23 PM