CVE-2025-59154 (GCVE-0-2025-59154)

Vulnerability from cvelistv5

Published

2025-09-15 20:03

Modified

2025-09-15 20:11

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

CWE

CWE-290 - Authentication Bypass by Spoofing

Summary

Openfire is an XMPP server licensed under the Open Source Apache License. Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU="CN=admin,"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0.

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43
	security-advisories@github.com	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3122
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3123
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3124

Impacted products

	Vendor	Product	Version
	igniterealtime	Openfire	Version: < 5.0.2

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-59154",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-09-15T20:11:37.246059Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-09-15T20:11:46.822Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Openfire",
          "vendor": "igniterealtime",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 5.0.2"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\"CN=admin,\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-290",
              "description": "CWE-290: Authentication Bypass by Spoofing",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-15T20:03:34.341Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp"
        },
        {
          "name": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43"
        },
        {
          "name": "https://igniterealtime.atlassian.net/browse/OF-3122",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://igniterealtime.atlassian.net/browse/OF-3122"
        },
        {
          "name": "https://igniterealtime.atlassian.net/browse/OF-3123",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://igniterealtime.atlassian.net/browse/OF-3123"
        },
        {
          "name": "https://igniterealtime.atlassian.net/browse/OF-3124",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://igniterealtime.atlassian.net/browse/OF-3124"
        }
      ],
      "source": {
        "advisory": "GHSA-w252-645g-87mp",
        "discovery": "UNKNOWN"
      },
      "title": "Openfire allows potential identity spoofing via unsafe CN parsing"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2025-59154",
    "datePublished": "2025-09-15T20:03:34.341Z",
    "dateReserved": "2025-09-09T15:23:16.327Z",
    "dateUpdated": "2025-09-15T20:11:46.822Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-59154\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2025-09-15T20:15:39.237\",\"lastModified\":\"2025-09-16T12:49:16.060\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\\\"CN=admin,\\\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\",\"baseScore\":5.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"HIGH\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":0.7,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-290\"}]}],\"references\":[{\"url\":\"https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://igniterealtime.atlassian.net/browse/OF-3122\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://igniterealtime.atlassian.net/browse/OF-3123\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://igniterealtime.atlassian.net/browse/OF-3124\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-59154\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-09-15T20:11:37.246059Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-09-15T20:11:40.859Z\"}}], \"cna\": {\"title\": \"Openfire allows potential identity spoofing via unsafe CN parsing\", \"source\": {\"advisory\": \"GHSA-w252-645g-87mp\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 5.9, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"HIGH\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"igniterealtime\", \"product\": \"Openfire\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 5.0.2\"}]}], \"references\": [{\"url\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp\", \"name\": \"https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43\", \"name\": \"https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://igniterealtime.atlassian.net/browse/OF-3122\", \"name\": \"https://igniterealtime.atlassian.net/browse/OF-3122\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://igniterealtime.atlassian.net/browse/OF-3123\", \"name\": \"https://igniterealtime.atlassian.net/browse/OF-3123\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://igniterealtime.atlassian.net/browse/OF-3124\", \"name\": \"https://igniterealtime.atlassian.net/browse/OF-3124\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\\\"CN=admin,\\\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-290\", \"description\": \"CWE-290: Authentication Bypass by Spoofing\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2025-09-15T20:03:34.341Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-59154\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-09-15T20:11:46.822Z\", \"dateReserved\": \"2025-09-09T15:23:16.327Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2025-09-15T20:03:34.341Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}

ghsa-w252-645g-87mp

Vulnerability from github

Published

2025-09-16 01:54

Modified

2025-09-16 01:54

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Summary

Openfire has potential identity spoofing issue via unsafe CN parsing

Details

Summary

Identity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via crafted certificate subject attributes, due to regex-based extraction of CN from an unescaped, provider-dependent DN string.

Analysis

Openfire’s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped.

As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU="CN=admin,"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user.

Impact

When there is no explicit configuration override, Openfire defaults to using certificate attributes as follows:

Server-to-server certificates: first the Subject Alternative Name (SAN), and if that is not available, the Common Name (CN).
Client-to-server certificates: only the Common Name (CN).

Use of CN for identity mapping was phased out by the CA/Browser Forum. CAB Forum-compliant CAs no longer allow arbitrary Subject RDNs and always include SANs. As a result, certificates issued by public CAs for use on the open Internet are unlikely to be exploitable, though older certificates still within their validity period could theoretically be abused.

The primary risks exist in private CA environments and client certificate authentication, where identity mapping may rely solely on the CN. Both of these are niche deployment scenarios.

Patches

The path has been prepared by replacing the use of getSubjectDN().getName() with standards-compliant LdapName parsing of the RFC2253 representation of X500Principal. This avoids unescaped provider-dependent strings and prevents regex from matching malicious substrings.

The fix is included in Openfire 5.0.2 and 5.1.0. Users should upgrade to this version as soon as it becomes available.

Starting in Openfire 5.0.2, Openfire will by default prefer a Subject Alternative Name-based identity over a Common Name based one for client-to-server authentication (issue OF-3123). For server-to-server authentication, this already is the case.

In Openfire 5.1.0, Openfire will no longer, by default, use Common Name based identities, although this functionality can be restored through configuration changes (issue OF-3122).

Workarounds

The vulnerability is fixed in the upcoming release, but there are operational mitigations you can apply today.

Full workaround (drop-in replacement JAR using the fixed mapper)

This is a complete workaround: 1. Take the fixed mapper implementation (the code that uses LdapName / RFC2253 parsing) from the patched Openfire source. 2. Create a new Java class in your proprietary namespace (for example com.acme.openfire.SafeCNCertificateIdentityMapping) that implements the same Openfire certificate-identity mapping interface and contains the fixed parsing logic. Ensure the logic exactly mirrors the patched behavior (use X500Principal.getName() with RFC2253 and javax.naming.ldap.LdapName to parse RDNs, do not rely on getSubjectDN().getName() or provider-dependent strings). 3. Package the class into a JAR file. 4. Place the JAR into Openfire’s lib/ directory (e.g. $OPENFIRE_HOME/lib/your-fixed-mapper.jar). 5. Configure Openfire to use your class for mapping by setting the following properties (in the admin console / system properties). Note that it remains advisable to configure Openfire to keep preferring SAN-based identities: ```

For server-to-server identity mapping

provider.serverCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping

For client-to-server identity mapping

provider.clientCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping ``` Both properties accept a comma-separated list of fully-qualified class names; listing only your safe mapper forces Openfire to use your implementation instead of the vulnerable built-in mapper. After placing the JAR and updating properties, restart Openfire.

Notes & caveats for the full workaround

This is effectively a complete mitigation for the vulnerable CN-extraction behavior without deploying a new official release.
Maintain the JAR: you are responsible for keeping the custom class updated if you upgrade Openfire to newer major versions.
Ensure your custom mapper truly implements the patched parsing (do not copy the vulnerable getSubjectDN().getName() + regex approach). Use X500Principal → getName(RFC2253) → new LdapName(...) → iterate RDNs in a robust way.
Because this runs in the Openfire JVM, follow your organization’s binary-signing and review policies before deploying.

Other, lesser workarounds

Use SAN-only mapping

Configure the mapper list to only include Openfire’s SAN mapper: org.jivesoftware.util.cert.SANCertificateIdentityMapping. This prevents CN parsing-based spoofing but breaks authentication for certificates that contain only a CN and no SAN.

Disable certificate-based authentication:

For server-to-server, disabling certificate auth leaves only Server Dialback, which is less secure; depending on your environment, this may be a worse trade-off.
For client-to-server, disable “mutual authentication” in the admin console to stop client cert authentication altogether.

References

Openfire issue tracker: OF-3124: Potential identity spoofing via unsafe CN parsing
Affected code: CNCertificateIdentityMapping.java#L43
Openfire issue tracker: OF-3122: Stop by default using Common Name based identities
Openfire issue tracker: OF-3123: For client mutual authentication, prefer Subject Alternative Name for identities

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.igniterealtime.openfire:xmppserver"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "5.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-59154"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-290"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-16T01:54:24Z",
    "nvd_published_at": "2025-09-15T20:15:39Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\n\nIdentity spoofing in X.509 client certificate authentication in Openfire allows internal attackers to impersonate other users via crafted certificate subject attributes, due to regex-based extraction of CN from an unescaped, provider-dependent DN string.\n\n## Analysis\n\nOpenfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls `X509Certificate.getSubjectDN().getName()` and applies a regex to look for `CN=`. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (`sun.security.x509.X500Name`), for example, commas and equals signs inside attribute values are not escaped.\n\nAs a result, a malicious certificate can embed `CN=` inside another attribute value (e.g. `OU=\"CN=admin,\"`). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user.\n\n## Impact\n\nWhen there is no explicit configuration override, Openfire defaults to using certificate attributes as follows:\n\n- Server-to-server certificates: first the Subject Alternative Name (SAN), and if that is not available, the Common Name (CN).\n- Client-to-server certificates: only the Common Name (CN).\n\nUse of CN for identity mapping was phased out by the CA/Browser Forum. CAB Forum-compliant CAs no longer allow arbitrary Subject RDNs and always include SANs. As a result, certificates issued by public CAs for use on the open Internet are unlikely to be exploitable, though older certificates still within their validity period could theoretically be abused.\n\nThe primary risks exist in private CA environments and client certificate authentication, where identity mapping may rely solely on the CN. Both of these are niche deployment scenarios.\n\n## Patches\n\nThe path has been prepared by replacing the use of `getSubjectDN().getName()` with standards-compliant `LdapName` parsing of the RFC2253 representation of `X500Principal`. This avoids unescaped provider-dependent strings and prevents regex from matching malicious substrings.  \n\nThe fix is included in Openfire 5.0.2 and 5.1.0. Users should upgrade to this version as soon as it becomes available.  \n\nStarting in Openfire 5.0.2, Openfire will by default prefer a Subject Alternative Name-based identity over a Common Name based one for client-to-server authentication (issue OF-3123). For server-to-server authentication, this already is the case.\n\nIn Openfire 5.1.0, Openfire will no longer, by default, use Common Name based identities, although this functionality can be restored through configuration changes (issue OF-3122).\n \n## Workarounds\n\nThe vulnerability is fixed in the upcoming release, but there are operational mitigations you can apply today.\n\n### Full workaround (drop-in replacement JAR using the fixed mapper)\n _This is a complete workaround:_\n1. Take the fixed mapper implementation (the code that uses LdapName / RFC2253 parsing) from the patched Openfire source.\n2. Create a new Java class in your proprietary namespace (for example `com.acme.openfire.SafeCNCertificateIdentityMapping`) that implements the same Openfire certificate-identity mapping interface and contains the fixed parsing logic. Ensure the logic exactly mirrors the patched behavior (use `X500Principal.getName()` with RFC2253 and `javax.naming.ldap.LdapName` to parse RDNs, do not rely on `getSubjectDN().getName()` or provider-dependent strings).\n3. Package the class into a JAR file.\n4. Place the JAR into Openfire\u2019s lib/ directory (e.g. `$OPENFIRE_HOME/lib/your-fixed-mapper.jar`).\n5. Configure Openfire to use your class for mapping by setting the following properties (in the admin console / system properties). Note that it remains advisable to configure Openfire to keep preferring SAN-based identities:\n```\n# For server-to-server identity mapping\nprovider.serverCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping\n\n# For client-to-server identity mapping\nprovider.clientCertIdentityMap.classList=org.jivesoftware.util.cert.SANCertificateIdentityMapping,com.acme.openfire.SafeCNCertificateIdentityMapping\n```\nBoth properties accept a comma-separated list of fully-qualified class names; listing only your safe mapper forces Openfire to use your implementation instead of the vulnerable built-in mapper. After placing the JAR and updating properties, *restart Openfire*.\n\n**Notes \u0026 caveats for the full workaround**\n\n- This is effectively a complete mitigation for the vulnerable CN-extraction behavior without deploying a new official release.\n- Maintain the JAR: you are responsible for keeping the custom class updated if you upgrade Openfire to newer major versions.\n- Ensure your custom mapper truly implements the patched parsing (do not copy the vulnerable `getSubjectDN().getName()` + regex approach). Use `X500Principal` \u2192 `getName(RFC2253)` \u2192 `new LdapName(...)` \u2192 iterate RDNs in a robust way.\n- Because this runs in the Openfire JVM, follow your organization\u2019s binary-signing and review policies before deploying.\n\n### Other, lesser workarounds\n\n#### Use SAN-only mapping\nConfigure the mapper list to only include Openfire\u2019s SAN mapper: `org.jivesoftware.util.cert.SANCertificateIdentityMapping`. This prevents CN parsing-based spoofing but breaks authentication for certificates that contain only a CN and no SAN.\n\n#### Disable certificate-based authentication:\n- For server-to-server, disabling certificate auth leaves only Server Dialback, which is less secure; depending on your environment, this may be a worse trade-off.\n- For client-to-server, disable \u201cmutual authentication\u201d in the admin console to stop client cert authentication altogether.\n\n## References\n\n- Openfire issue tracker: [OF-3124: Potential identity spoofing via unsafe CN parsing](https://igniterealtime.atlassian.net/browse/OF-3124)\n- Affected code: [CNCertificateIdentityMapping.java#L43](https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43)  \n- Openfire issue tracker: [OF-3122: Stop by default using Common Name based identities](https://igniterealtime.atlassian.net/browse/OF-3122)\n- Openfire issue tracker: [OF-3123: For client mutual authentication, prefer Subject Alternative Name for identities](https://igniterealtime.atlassian.net/browse/OF-3123)",
  "id": "GHSA-w252-645g-87mp",
  "modified": "2025-09-16T01:54:24Z",
  "published": "2025-09-16T01:54:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59154"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/igniterealtime/Openfire"
    },
    {
      "type": "WEB",
      "url": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3122"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3123"
    },
    {
      "type": "WEB",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3124"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Openfire has potential identity spoofing issue via unsafe CN parsing"
}

fkie_cve-2025-59154

Vulnerability from fkie_nvd

Published

2025-09-15 20:15

Modified

2025-09-16 12:49

Severity ?

5.9 (Medium) - CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N

Summary

References

▼	URL	Tags
	security-advisories@github.com	https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43
	security-advisories@github.com	https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3122
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3123
	security-advisories@github.com	https://igniterealtime.atlassian.net/browse/OF-3124

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Openfire is an XMPP server licensed under the Open Source Apache License. Openfire\u2019s SASL EXTERNAL mechanism for client TLS authentication contains a vulnerability in how it extracts user identities from X.509 certificates. Instead of parsing the structured ASN.1 data, the code calls X509Certificate.getSubjectDN().getName() and applies a regex to look for CN=. This method produces a provider-dependent string that does not escape special characters. In SunJSSE (sun.security.x509.X500Name), for example, commas and equals signs inside attribute values are not escaped. As a result, a malicious certificate can embed CN= inside another attribute value (e.g. OU=\"CN=admin,\"). The regex will incorrectly interpret this as a legitimate Common Name and extract admin. If SASL EXTERNAL is enabled and configured to map CNs to user accounts, this allows the attacker to impersonate another user. The fix is included in Openfire 5.0.2 and 5.1.0."
    }
  ],
  "id": "CVE-2025-59154",
  "lastModified": "2025-09-16T12:49:16.060",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 5.9,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "HIGH",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 0.7,
        "impactScore": 5.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-09-15T20:15:39.237",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/igniterealtime/Openfire/blob/8d073dda36905da0fdee7cb623c025a01a5cbf6b/xmppserver/src/main/java/org/jivesoftware/util/cert/CNCertificateIdentityMapping.java#L43"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/igniterealtime/Openfire/security/advisories/GHSA-w252-645g-87mp"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3122"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3123"
    },
    {
      "source": "security-advisories@github.com",
      "url": "https://igniterealtime.atlassian.net/browse/OF-3124"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-290"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2025-59154 (GCVE-0-2025-59154)

Vulnerability from cvelistv5

ghsa-w252-645g-87mp

Vulnerability from github

Summary

Analysis

Impact

Patches

Workarounds

Full workaround (drop-in replacement JAR using the fixed mapper)

For server-to-server identity mapping

For client-to-server identity mapping

Other, lesser workarounds

Use SAN-only mapping

Disable certificate-based authentication:

References

fkie_cve-2025-59154

Vulnerability from fkie_nvd

Tags

Sightings

Nomenclature