Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

REST API 1.10.1 (latest) incompatible with Openfire 4.7.5 (latest) #180

Closed
guusdk opened this issue Aug 4, 2023 · 9 comments
Closed

REST API 1.10.1 (latest) incompatible with Openfire 4.7.5 (latest) #180

guusdk opened this issue Aug 4, 2023 · 9 comments

Comments

@guusdk
Copy link
Member

guusdk commented Aug 4, 2023

It appears that the latest version of the REST API plugin is incompatible with Openfire 4.7.5.

In Ignite's forums, these stacks are reported:

2023.08.02 13:01:26 ERROR [socket_c2s-thread-3]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to error while processing message: <iq type="set" id="B4L4wDUThHRg" from="kn4@myserverhere/c0nnectPRO.jGtV" to="[email protected]"><query xmlns="http://jabber.org/protocol/muc#admin"><item jid="kn5@myserverhere" affiliation="outcast"/></query></iq>
java.lang.AbstractMethodError: Receiver class org.jivesoftware.openfire.plugin.rest.RESTServicePlugin does not define or inherit an implementation of the resolved method 'abstract void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String)' of interface org.jivesoftware.openfire.muc.MUCEventListener.
    at org.jivesoftware.openfire.muc.MUCEventDispatcher.occupantLeft(MUCEventDispatcher.java:68) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.removeOccupantRole(MUCRoom.java:1282) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.kickPresence(MUCRoom.java:2788) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.applyAffiliationChange(MUCRoom.java:2288) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.addOutcast(MUCRoom.java:2135) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleItemsElement(IQAdminHandler.java:338) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleIQ(IQAdminHandler.java:93) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.process(MultiUserChatServiceImpl.java:1077) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processRegularStanza(MultiUserChatServiceImpl.java:692) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processPacket(MultiUserChatServiceImpl.java:454) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.component.InternalComponentManager$RoutableComponents.process(InternalComponentManager.java:863) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routeToComponent(RoutingTableImpl.java:541) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:354) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:340) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:105) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:74) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.processIQ(StanzaHandler.java:369) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.ClientStanzaHandler.processIQ(ClientStanzaHandler.java:95) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:311) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:198) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:183) [xmppserver-4.7.5.jar:4.7.5]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1015) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:413) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:257) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:106) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:89) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:766) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:758) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:697) [mina-core-2.1.3.jar:?]
    at java.lang.Thread.run(Unknown Source) [?:?]

2023.08.03 07:04:55 ERROR [socket_c2s-thread-2]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to error while processing message: <iq to='[email protected]' id='LELXQ-206' type='set'><query xmlns='http://jabber.org/protocol/muc#admin'><item nick='kn2@myserverhere' role='none'><reason>Reason: Kicked!</reason></item></query></iq>
java.lang.AbstractMethodError: Receiver class org.jivesoftware.openfire.plugin.rest.RESTServicePlugin does not define or inherit an implementation of the resolved method 'abstract void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String)' of interface org.jivesoftware.openfire.muc.MUCEventListener.
    at org.jivesoftware.openfire.muc.MUCEventDispatcher.occupantLeft(MUCEventDispatcher.java:68) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.removeOccupantRole(MUCRoom.java:1282) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.kickPresence(MUCRoom.java:2788) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.kickOccupant(MUCRoom.java:2741) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleItemsElement(IQAdminHandler.java:350) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleIQ(IQAdminHandler.java:93) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.process(MultiUserChatServiceImpl.java:1077) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processRegularStanza(MultiUserChatServiceImpl.java:692) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processPacket(MultiUserChatServiceImpl.java:454) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.component.InternalComponentManager$RoutableComponents.process(InternalComponentManager.java:863) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routeToComponent(RoutingTableImpl.java:541) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:354) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:340) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:105) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:74) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.processIQ(StanzaHandler.java:369) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.ClientStanzaHandler.processIQ(ClientStanzaHandler.java:95) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:311) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:198) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:183) [xmppserver-4.7.5.jar:4.7.5]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1015) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:413) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:257) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:106) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:89) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:766) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:758) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:697) [mina-core-2.1.3.jar:?]
    at java.lang.Thread.run(Unknown Source) [?:?]
@ArivhaySoft
Copy link

I experienced the same thing and had to downgrade to 4.7.4, still on 4.7.4 I experienced an attack where hackers could enter and create an administart user Screenshot-2023-08-11-at-15-13-11

@CR4567
Copy link

CR4567 commented Aug 18, 2023

Same issues here. We can see lot's of attacks using 4.7.4 but with 4.7.5 REST Plugin is not working anymore.
Is there any chance someone is looking into it? How could we help?

@siunus
Copy link

siunus commented Sep 22, 2023

The same thing happened here.
I tried making a request with Postman, but it returned an HTML login page response.

@bhopeto
Copy link

bhopeto commented Oct 5, 2023

Can be repaired this way #178

@guusdk
Copy link
Member Author

guusdk commented Oct 5, 2023
edited
Loading

The CVE-2023-32315 security vulnerability (update) is not related to this issue (#180). Please refrain from discussing it here. Instead, take that discussion to the Ignite Realtime disucussion forums.

@phopeto is correct. In Openfire 4.7.5 and later, you will need to change the Openfire system property adminConsole.access.allow-wildcards-in-excludes to true for the existing version of the REST API plugin to work (which is documented in both the CVE as well as the readme of the REST API plugin).

@devsead
Copy link

devsead commented Mar 15, 2024
edited
Loading

This issue still exists with Openfire 4.8.1 and REST API 1.10.2 and the
Openfire system property adminConsole.access.allow-wildcards-in-excludes set to true I works for some time but after one day or more the login page redirect is happening on every REST API request.

After restarting the plugin it works again :


2024.03.15 10:59:53.573 INFO  [PluginMonitorTask-2]: org.jivesoftware.openfire.container.PluginManager - Successfully unloaded plugin 'restapi'.
2024.03.15 10:59:54.472 INFO  [PluginMonitorExec-2]: org.jivesoftware.openfire.container.PluginManager - Successfully loaded plugin 'restapi-1.10.2'.
2024.03.15 10:59:54.474 INFO  [PluginMonitorTask-2]: org.jivesoftware.openfire.container.PluginMonitor - Finished processing all plugins.
2024.03.15 11:00:09.102 INFO  [Jetty-QTP-AdminConsole-12007]: org.jivesoftware.openfire.plugin.rest.controller.UserServiceController - Create a new user: xxxx

@guusdk
Copy link
Member Author

guusdk commented Jun 25, 2024
edited
Loading

The stack traces reported in the original comment do not occur any longer with REST API 1.11.0 and Openfire 4.9.0-SNAPSHOT. This suggests that the problem has been fixed.

@guusdk guusdk closed this as completed Jun 25, 2024
@devsead
Copy link

devsead commented Jul 5, 2024

The stack traces reported in the original comment do not occur any longer with REST API 1.11.0 and Openfire 4.9.0-SNAPSHOT. This suggests that the problem has been fixed.

@guusdk Thanks for your comment is Openfire 4.9.0-SNAPSHOT version available to download ?

@guusdk
Copy link
Member Author

guusdk commented Jul 5, 2024

Yes, you can download these from the 'nightly builds' section of our website: https://www.igniterealtime.org/downloads/nightly_openfire.jsp

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@guusdk @devsead @CR4567 @ArivhaySoft @siunus @bhopeto