
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Openfire's administrative console, a web-based application, was found to be vulnerable to a path traversal attack via the setup environment (CVE-2023-32315). This vulnerability affects all versions of Openfire released since April 2015, starting with version 3.10.0 through versions prior to 4.7.5 and 4.6.8. The vulnerability permits an unauthenticated user to access restricted pages in the Openfire Admin Console that are reserved for administrative users (GitHub Advisory).
The vulnerability exists because path traversal protections did not defend against certain non-standard URL encoding for UTF-16 characters that were not initially supported by the embedded webserver. When the webserver was later upgraded to include support for non-standard URL encoding of UTF-16 characters, the path traversal protections were not updated accordingly. The vulnerability can be exploited through specially crafted URLs using UTF-16 encoding patterns, such as accessing http://localhost:9090/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp (GitHub Advisory).
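The bypass described above comes down to a mismatch between what the traversal check decodes and what the server actually routes on. The following added example (not Openfire's or the advisory's code) shows that mismatch in Python: a check that only applies standard `%XX` decoding lets the `%u002e` form through, while a check that first decodes the non-standard `%uXXXX` form (as the upgraded embedded server does) and then normalizes `..` segments rejects it. The path-normalization helper, the `escapes_setup` rule, the sample paths and the access-log lines are all constructed for illustration; only the first sample path is the one quoted in the advisory.

```python
import re
from urllib.parse import unquote

# Constructed sample request paths. The first is the URL path quoted in the
# advisory; the others are ordinary encodings used for comparison.
SAMPLE_PATHS = [
    "/setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp",
    "/setup/setup-s/../../log.jsp",
    "/setup/setup-s/%2e%2e/%2e%2e/log.jsp",
    "/setup/index.jsp",
]

# Non-standard "%uXXXX" escape: four hex digits naming a UTF-16 code unit.
_UNICODE_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_standard(path: str) -> str:
    """RFC 3986 percent-decoding only; '%u002e' is not valid %XX and is left as-is."""
    return unquote(path)


def decode_with_unicode_escapes(path: str) -> str:
    """Decode the non-standard %uXXXX form first, then standard %XX escapes,
    so the check sees the same path the router will see."""
    decoded = _UNICODE_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
    return unquote(decoded)


def escapes_setup(decoded_path: str) -> bool:
    """Resolve '.' and '..' segments and report whether the result leaves /setup/.
    The /setup/ prefix rule is an assumption made for this example."""
    stack = []
    for seg in decoded_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    normalized = "/" + "/".join(stack)
    return not normalized.startswith("/setup/")


def weak_check_blocks(path: str) -> bool:
    """Traversal check that decodes only standard escapes (the pre-fix situation)."""
    return escapes_setup(decode_standard(path))


def hardened_check_blocks(path: str) -> bool:
    """Traversal check that decodes everything the server decodes before judging."""
    return escapes_setup(decode_with_unicode_escapes(path))


# Constructed access-log lines in common log format for a detection pass.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2023:12:00:01 +0000] "GET /setup/index.jsp HTTP/1.1" 200 512
10.0.0.9 - - [10/May/2023:12:00:02 +0000] "GET /setup/setup-s/%u002e%u002e/%u002e%u002e/log.jsp HTTP/1.1" 200 8192
"""
_REQUEST_PATH = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_traversal_requests(log_text: str) -> list[str]:
    """Return request paths under /setup/ whose fully decoded form escapes it."""
    flagged = []
    for line in log_text.splitlines():
        m = _REQUEST_PATH.search(line)
        if not m:
            continue
        path = m.group(1)
        if path.startswith("/setup/") and hardened_check_blocks(path):
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p}\n  weak blocks: {weak_check_blocks(p)}  hardened blocks: {hardened_check_blocks(p)}")
    print("flagged in log:", flag_traversal_requests(SAMPLE_LOG))
```

The general rule the example illustrates is that any authorization or traversal check must run on the same canonical form the server routes on; when the server gains a new decoding (here, `%uXXXX`), every check in front of it has to learn that decoding too. The `flag_traversal_requests` pass is a retrospective check a defender can run over existing access logs, since the decoded-and-normalized comparison works on whatever form the request was logged in.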
The vulnerability allows unauthenticated attackers to bypass authentication and access administrative console pages, potentially leading to unauthorized access to sensitive data and administrative functions. Attackers can create new admin console user accounts and install malicious plugins containing remote web shells, enabling arbitrary command execution and data access on the server (SecurityWeek).
The vulnerability has been patched in Openfire releases 4.7.5, 4.6.8, and 4.8.0. If an immediate upgrade is not possible, several mitigation steps are recommended: restrict network access using firewalls or ACLs, modify the runtime configuration to remove wildcard characters from web.xml, bind the admin console to the loopback interface, or use the AuthFilterSanitizer plugin. Organizations using older versions of plugins should upgrade to Random Avatar plugin v1.1.0+, Monitoring Service plugin v2.5.0+, and HTTP File Upload plugin v1.3.0+ (GitHub Advisory).
A July 2024 bulletin from multiple U.S. government agencies indicated that North Korean state-sponsored attackers have demonstrated interest in this vulnerability, though it's unclear whether it was exploited or just used in reconnaissance/target selection (AttackerKB).
Source: This report was generated using AI