Open Realtime.
Ignite Realtime is the community site for the users and developers of Jive Software's open source Real Time Communications projects. Your involvement is helping to change the open RTC landscape.
Open Realtime.
Ignite Realtime is the community site for the users and developers of Jive Software's open source Real Time Communications projects. Your involvement is helping to change the open RTC landscape.
Openfire 4.5.6 has been released, that addresses an annoying issue that was affecting the earlier 4.5.5 release. We’ve updated the bundled log4j library to version 2.17.1 for good measure.
The changelog denotes the two Jira issues closed by this release. You can find Openfire build artifacts available for download here and they have the following sha256sum values
3cf7be64dec0ab0d410ec38b15fae00eecd681c72140a8ad3ccc48be52a88982 openfire-4.5.6-1.i686.rpm
16d1d487d852efd80312fa796ffbaa61dd16e7b0e6587234639e9716e82b0745 openfire-4.5.6-1.noarch.rpm
db0fa0f3b0c904f6b15bcac3b4dc60db2aed8f8275f5f6af886d0bc8dbcdaf9c openfire-4.5.6-1.x86_64.rpm
d7f2bca0bc82ef6ad404d36dcf4c3ba65a6f9191a00873a83c6739658ce124c6 openfire_4.5.6_all.deb
c96f79db2a9e434cc08ef5989062eb352e57315a25765c2a4f1442072eadbe07 openfire_4_5_6_bundledJRE.exe
77061c8aae0a892d041b8695f38ba2fe91b2844259654bb2e55bf505b9debe27 openfire_4_5_6_bundledJRE_x64.exe
c65ccbf45a69c0babe2876a9c511910d2601ff301539e9a4c3d94dc1b82952c9 openfire_4_5_6.dmg
5990611b18b9ffff5ff46dc8bb398306fc6361893c230ee5d71ad852564dcd49 openfire_4_5_6.exe
1f155e858a924e54b172fd884ccd49521fc55d89260b2e074e2b39b4271667c4 openfire_4_5_6.tar.gz
6df1c063efd674c059323431f786e9e2a70a3c6573e1012e2b56f6db7877d28f openfire_4_5_6_x64.exe
400269969398c6ed90322ea8d199225b0cdf87a90a840d9aa123c0b941b1cfae openfire_4_5_6.zip
For other release announcements and news follow us on Twitter
Earlier today, we’ve restored the download page for Openfire’s nightly builds. 
For to many moons, it included only a couple of distributions, but now almost all of them are back again (we’re still working on the Mac build though)!
Openfire 4.6.7 has been released with only a single change to bump the bundled log4j library to version 2.17.1. Whilst we do not believe Openfire to be vulnerable to the CVEs associated with the log4j 2.17.0 and 2.17.1 releases, we realize that many folks are running naive security scanners that are simply checking for bundled jar versions.
The changelog denotes the one Jira issue closed by this release. You can find Openfire build artifacts available for download here and they have the following sha256sum values
1a8f1516a3d398b7701ec9a1c8b790a9ece8f3ea59265ccce4e769af5d485f26 openfire-4.6.7-1.i686.rpm
11972b17d60b828345b75fa049469085f22b9aa233082f8fb9bcac90ba0876a6 openfire-4.6.7-1.noarch.rpm
d802fbd9b1a4011fe23c6338d77642cfbc813760d1f5c805bc5934881635edfb openfire-4.6.7-1.x86_64.rpm
4ab20cb022d5068c1dc0c7024350db4ac63b28a757e216e98ee6863d8ec7d253 openfire_4.6.7_all.deb
2157a17479acc12e6392ad10c2c61d38e478438a279c970a15313e1a49cce7ba openfire_4_6_7_bundledJRE.exe
ac1e91d23742493a4d56f489e52f77ee5f1db138091600f84b406956e6b701ef openfire_4_6_7_bundledJRE_x64.exe
baae9416e5979a7dc1c44dab156e540152baf3368e8afe838ee70a64dcaf2ca2 openfire_4_6_7.dmg
b76b304dcbca084830d52da900051f837f605ce22411033fae68a00d28dc0c34 openfire_4_6_7.exe
6b2ba7c4976dbd36249269a453eb176d71a1e7f80575951cdd173d0ec4247056 openfire_4_6_7.tar.gz
fec61e4a573faf634336e535c51112ab94c3f09388ea16948b8c6906ebbdf9ef openfire_4_6_7_x64.exe
1a92b45968719b7de00181d8dcfc5ef10e335b02deafcf7d6a5053a968ed0646 openfire_4_6_7.zip
At this point and due to limited community usage, we do not plan to create an additional 4.5 series release with this associated change. Please note that the 4.7.0-beta release of Openfire was made prior to all the security vulnerabilities associated with log4j and is thus vulnerable. We hope to finalize a 4.7.0 release very soon, which will also bring log4j to version 2.17.1. Update: we needed a 4.5 release for a different issue. We pulled in the log4j update as we were releasing anyway.
Thanks for your usage and interest in Openfire!
For other release announcements and news follow us on Twitter
As we’re monitoring developments around the recent Log4j vulnerabilities, we’ve decided to provide another update for Openfire to pull in the latests available updates from Log4j.
Since the previous release, the Log4j team released a new version (2.16.0) of their library, that provides better protection against the original vulnerability (CVE-2021-44228), but also guards against a newly discovered vulnerability (CVE-2021-45046) in Log4j.
The Ignite Realtime community has decided to immediately make available new releases of Openfire that include this newer version of Log4j: Openfire 4.6.6 and Openfire 4.5.5.
In addition to upgrading the Log4j libraries to version 2.16.0, we have put in place the mitigation measures that were defined for these CVEs. It’s important to note that these mitigation measures are known to be insufficient to fully protect against the vulnerabilities. However, the update to version 2.16.0 of Log4j makes these measures redundant. We have opted to include them anyway, as we know that many of you modify Openfire to a great extent. If such modifications would inadvertently re-introduce a vulnerable version of Log4j, at least some mitigation is in place. No changes other than these Log4j-related changes are included in the releases that we are publishing today.
We are aware that for some, the process of deploying a new major version of Openfire is not a trivial matter, as it may encompass a lot more than only performing the update of the executables. Depending on regulations that are in place, this process can require a lot of effort and take a long time to complete. To facilitate users that currently use an older version of Openfire, we are also making available a new release in the older 4.5 branch of Openfire that pulls in the Log4j update. An upgrade to that version will, for some, require a lot less effort. Note well: although we are making available a new version in the 4.5 branch of Openfire, we strongly recommend that you upgrade to the latest version of Openfire (currently in the 4.6 branch), as that includes important fixes and improvements that are not available in 4.5.
The following sha256 checksums are valid for the Openfire 4.6.6 distributables:
507b4899fb1c84b0ffd95c29278eeefd56ac63849bb730192b26779997ada21b openfire-4.6.6-1.i686.rpm
d2913d913449a9e255b10ea6ee22a5967083a295038c21d3b761bb236c22e0cd openfire-4.6.6-1.noarch.rpm
02aa7af09286f25fbceef1ea27940e1696ced1e3a6c28b5e0ae094d409580734 openfire-4.6.6-1.x86_64.rpm
3add3c877745dcc6aacd335cfc8fe1674567bb3b28728cfa6c008556c59a9e98 openfire_4.6.6_all.deb
00c5ecbbf725de1093bfe3e5774b8c0e532742435439f70a4435fc5bed828b99 openfire_4_6_6_bundledJRE.exe
4ff92208e62f0455295a8cf68d57e2d9e3ede15c71aaab26cf1a410dce5aba5b openfire_4_6_6_bundledJRE_x64.exe
2584a6b61f0d9447a868f9bfadb5892d56d854198604b3ace9b638b8c217cac4 openfire_4_6_6.dmg
6cc42bfb60a5f8453c37d980c24c2a5ba48e1e1363ebfcc5d7f2e1deb6da5f17 openfire_4_6_6.exe
6431a22d2dd9f077b9b2ee8949238c0f076ab34d43ee200a6873fa5453630bd6 openfire_4_6_6.tar.gz
ec8da5fdc93065df9bf41c0f4aebd6bb47f1dea11dcc96665ac0105f035378b2 openfire_4_6_6_x64.exe
af68252b98b8af6afb0753b4054adcf4cab1968579eaaf644d4da663e9461dce openfire_4_6_6.zip
For Openfire 4.5.5, the sha256 checksums are:
247f0769e0a449c698ac9c23b658a02131ac6f774f4394dc9bb4e7f114159cc8 openfire-4.5.5-1.i686.rpm
4603f92ce9822d1f43d27a9e15b859232cd09f391e9aeef0b99a782a03ecd12e openfire-4.5.5-1.noarch.rpm
9df54cbef30664635ed2977a21beded56fa120c5ff9e89b4cfa7466171344517 openfire-4.5.5-1.x86_64.rpm
0815f07094fcfaf4e17aca3ea26f42835b5ff1b486475aff6b743e914709e788 openfire_4.5.5_all.deb
dff2e81da7457e3d8c1ee9e23ff43dd812f56db09df53588df7a5ea5622b1e6e openfire_4_5_5_bundledJRE.exe
96c2a4f5ed94dda76942ec7e540430c505448a2625a10f52cdc91c2dae0f720a openfire_4_5_5_bundledJRE_x64.exe
a1ddd675b24b661186645786d1489cb6d80c90c2cae178992af509b5241fb275 openfire_4_5_5.dmg
971b97bc9d405a03d2c3fba51a698cf92397b24104b28fec06b993b6d52568ce openfire_4_5_5.exe
a5f199bf2347725b952a995c1cfbeb1b8e45c9a26c177100669eeed7679da742 openfire_4_5_5.tar.gz
b5b55c5938b430fa50c702da6b8336be7f79d2c97eb09623dc0c9bd59663aead openfire_4_5_5_x64.exe
44f90a4f4f7ecebd7cffadc7f108e4bcb8b70dc77b36698d48efaf3eb7650c91 openfire_4_5_5.zip
The process of upgrading is outlined in the Openfire upgrade guide. If you would prefer to enlist support in applying this update, various professional partners are available that can help.
We are always happy to hear about your experiences, good or bad! Please consider dropping a note in the community forums or hang out with us in our web support groupchat.
For other release announcements and news follow us on Twitter!
Although we’re preparing for the Openfire 4.7.0 release, the recently discovered vulnerability in the Apache Log4j utility prompted us to push an immediate release of Openfire to address that issue. This release, Openfire 4.6.5, is available now.
We urge you to update as soon as possible. If that’s not feasible, then we advise you to apply the documented workaround (in the form of adding the following argument in the start script for Openfire: -Dlog4j2.formatMsgNoLookups=true) and/or look into applying other mitigating actions.
The process of upgrading is outlined in the Openfire upgrade guide. Please note that, if desired, a significant amount of professional partners is available that can provide commercial support.
You can find Openfire release artifacts on the download page. These are the the applicable sha256sums:
926e852abfe67970a4a64b7a58d16adbd3ae65269921288909d2a353457ac350 openfire-4.6.5-1.i686.rpm
5041fd66f5cf4642d25012642d827ad80c40057ba66f79aad04918edc94085ec openfire-4.6.5-1.noarch.rpm
f1d7ed2d5d5bbd12c3af896329df48f97b73ae5435980b524248760a246552f6 openfire-4.6.5-1.x86_64.rpm
da113f737514457209194024f57a90f52f499fefbf0a9eb3e3d888b24f214ece openfire_4.6.5_all.deb
c16e13348767b489aef905d912eafca9650428af16a729b63a208fdbe97c9783 openfire_4_6_5_bundledJRE.exe
e03cd4e5b2a76b203540580ca2714541ee86b1ef3b677d5c312d099567674f2d openfire_4_6_5_bundledJRE_x64.exe
28d628db9cce3cfb7acfa19977235b569729bcebff65a511dd882a4c1b554d6c openfire_4_6_5.dmg
cb1c4a5f888cbeeb6bbfd29460c8095941cecddd8c5f03b3d3f1ca412a995e81 openfire_4_6_5.exe
fcc3d45e9b80536b463fedbb959ff1e4f5fc5cef180502f6810c0f025a01f4ac openfire_4_6_5.tar.gz
fe216d1eecb23050ebbf28f7afa8930ca167d99516051c3f5e03d545e183cf4c openfire_4_6_5_x64.exe
fd0f853b249a8853da51b056f1e6b31d04c49763394321dbd60abb8cef9df940 openfire_4_6_5.zip
Apart from addressing the log4j issue, this release includes a small number of other modifications, as documented in the changelog.
We’re always happy to hear about your experiences, good or bad! Please consider dropping a note in the community forums or hang out with us in our web support groupchat.
For other release announcements and news follow us on Twitter
In the community
Recent Discussions
Алексей Опрышко in "Openfire 4.6.7 build 348185c"
techwonder in "Archiving Tab is Missing on Admin Console"
techwonder in "Openfire Missing Archive Tab in Admin Console"
Poliano Martini in "Websocket - Error detected; session"
Michal D. in "[question] External access to Openfire's embed database"