
REST API 1.10.1 (latest) incompatible with Openfire 4.7.5 (latest)

Open guusdk opened this issue 1 year ago • 6 comments

It appears that the latest version of the REST API plugin is incompatible with Openfire 4.7.5.

In Ignite's forums, these stacks are reported:

2023.08.02 13:01:26 ERROR [socket_c2s-thread-3]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to error while processing message: <iq type="set" id="B4L4wDUThHRg" from="kn4@myserverhere/c0nnectPRO.jGtV" to="[email protected]"><query xmlns="http://jabber.org/protocol/muc#admin"><item jid="kn5@myserverhere" affiliation="outcast"/></query></iq>
java.lang.AbstractMethodError: Receiver class org.jivesoftware.openfire.plugin.rest.RESTServicePlugin does not define or inherit an implementation of the resolved method 'abstract void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String)' of interface org.jivesoftware.openfire.muc.MUCEventListener.
    at org.jivesoftware.openfire.muc.MUCEventDispatcher.occupantLeft(MUCEventDispatcher.java:68) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.removeOccupantRole(MUCRoom.java:1282) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.kickPresence(MUCRoom.java:2788) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.applyAffiliationChange(MUCRoom.java:2288) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.addOutcast(MUCRoom.java:2135) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleItemsElement(IQAdminHandler.java:338) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleIQ(IQAdminHandler.java:93) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.process(MultiUserChatServiceImpl.java:1077) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processRegularStanza(MultiUserChatServiceImpl.java:692) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processPacket(MultiUserChatServiceImpl.java:454) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.component.InternalComponentManager$RoutableComponents.process(InternalComponentManager.java:863) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routeToComponent(RoutingTableImpl.java:541) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:354) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:340) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:105) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:74) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.processIQ(StanzaHandler.java:369) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.ClientStanzaHandler.processIQ(ClientStanzaHandler.java:95) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:311) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:198) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:183) [xmppserver-4.7.5.jar:4.7.5]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1015) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:413) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:257) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:106) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:89) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:766) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:758) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:697) [mina-core-2.1.3.jar:?]
    at java.lang.Thread.run(Unknown Source) [?:?]
2023.08.03 07:04:55 ERROR [socket_c2s-thread-2]: org.jivesoftware.openfire.nio.ConnectionHandler - Closing connection due to error while processing message: <iq to='[email protected]' id='LELXQ-206' type='set'><query xmlns='http://jabber.org/protocol/muc#admin'><item nick='kn2@myserverhere' role='none'><reason>Reason: Kicked!</reason></item></query></iq>
java.lang.AbstractMethodError: Receiver class org.jivesoftware.openfire.plugin.rest.RESTServicePlugin does not define or inherit an implementation of the resolved method 'abstract void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String)' of interface org.jivesoftware.openfire.muc.MUCEventListener.
    at org.jivesoftware.openfire.muc.MUCEventDispatcher.occupantLeft(MUCEventDispatcher.java:68) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.removeOccupantRole(MUCRoom.java:1282) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.kickPresence(MUCRoom.java:2788) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.MUCRoom.kickOccupant(MUCRoom.java:2741) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleItemsElement(IQAdminHandler.java:350) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.IQAdminHandler.handleIQ(IQAdminHandler.java:93) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.process(MultiUserChatServiceImpl.java:1077) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processRegularStanza(MultiUserChatServiceImpl.java:692) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.muc.spi.MultiUserChatServiceImpl.processPacket(MultiUserChatServiceImpl.java:454) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.component.InternalComponentManager$RoutableComponents.process(InternalComponentManager.java:863) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routeToComponent(RoutingTableImpl.java:541) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.RoutingTableImpl.routePacket(RoutingTableImpl.java:354) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.handle(IQRouter.java:340) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.IQRouter.route(IQRouter.java:105) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.spi.PacketRouterImpl.route(PacketRouterImpl.java:74) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.processIQ(StanzaHandler.java:369) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.ClientStanzaHandler.processIQ(ClientStanzaHandler.java:95) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:311) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.net.StanzaHandler.process(StanzaHandler.java:198) ~[xmppserver-4.7.5.jar:4.7.5]
    at org.jivesoftware.openfire.nio.ConnectionHandler.messageReceived(ConnectionHandler.java:183) [xmppserver-4.7.5.jar:4.7.5]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.messageReceived(DefaultIoFilterChain.java:1015) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterAdapter.messageReceived(IoFilterAdapter.java:122) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter$ProtocolDecoderOutputImpl.flush(ProtocolCodecFilter.java:413) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.codec.ProtocolCodecFilter.messageReceived(ProtocolCodecFilter.java:257) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.callNextMessageReceived(DefaultIoFilterChain.java:650) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1300(DefaultIoFilterChain.java:49) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.messageReceived(DefaultIoFilterChain.java:1128) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.filterchain.IoFilterEvent.fire(IoFilterEvent.java:106) [mina-core-2.1.3.jar:?]
    at org.apache.mina.core.session.IoEvent.run(IoEvent.java:89) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTask(OrderedThreadPoolExecutor.java:766) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.runTasks(OrderedThreadPoolExecutor.java:758) [mina-core-2.1.3.jar:?]
    at org.apache.mina.filter.executor.OrderedThreadPoolExecutor$Worker.run(OrderedThreadPoolExecutor.java:697) [mina-core-2.1.3.jar:?]
    at java.lang.Thread.run(Unknown Source) [?:?]

guusdk avatar Aug 04 '23 19:08 guusdk
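Editor's note, not part of the thread: the AbstractMethodError above is the classic symptom of a plugin compiled against an older interface being loaded into a server whose interface gained a new abstract method. Before deploying a plugin jar onto a newer Openfire you can catch this offline by comparing `javap -p` listings of the server interface and of the plugin class. The script below is an added example; the two listings embedded in it are constructed to imitate the shape of `javap` output and are not copies of Openfire's real MUCEventListener or of the REST API plugin class.

```python
"""Check a plugin class against the server interface it implements, using
`javap -p` listings, before loading the plugin into a newer server.
Constructed sample listings are embedded so the check runs offline."""
import re
import subprocess
from typing import Dict, Set

# One method line of `javap -p` output, e.g.
#   public abstract void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String);
# Constructor lines (no return type) and field lines do not match.
# Limitation: generic return types containing spaces are not parsed.
METHOD_LINE = re.compile(
    r"^\s*(?P<mods>(?:(?:public|protected|private|static|abstract|final|default|synchronized|native)\s+)*)"
    r"(?P<ret>\S+)\s+(?P<name>\w+)\((?P<params>[^)]*)\);\s*$"
)


def parse_methods(javap_text: str) -> Dict[str, Set[str]]:
    """Map 'name(param.types,comma.separated)' -> set of modifiers."""
    methods: Dict[str, Set[str]] = {}
    for line in javap_text.splitlines():
        m = METHOD_LINE.match(line)
        if not m:
            continue
        params = ",".join(p.strip() for p in m.group("params").split(",") if p.strip())
        methods[f"{m.group('name')}({params})"] = set(m.group("mods").split())
    return methods


def missing_abstract_methods(interface_listing: str, *impl_listings: str) -> Set[str]:
    """Abstract methods of the interface that none of the implementation
    listings declare.  Pass the listing of the plugin class and, if it extends
    a base class, of that base class too: javap shows only declared methods."""
    required = {sig for sig, mods in parse_methods(interface_listing).items()
                if "abstract" in mods}
    provided: Set[str] = set()
    for listing in impl_listings:
        provided |= set(parse_methods(listing))
    return required - provided


def javap(jar_path: str, class_name: str) -> str:
    """Run the JDK's javap on a class inside a jar (needs a JDK on PATH)."""
    return subprocess.run(["javap", "-p", "-cp", jar_path, class_name],
                          check=True, capture_output=True, text=True).stdout


# Constructed listing imitating a server interface that gained a three-argument
# occupantLeft; the fourth method is a default method, so it is not required.
SERVER_INTERFACE = """\
Compiled from "MUCEventListener.java"
public interface org.example.MUCEventListener {
  public abstract void roomCreated(org.xmpp.packet.JID);
  public abstract void occupantJoined(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String);
  public abstract void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String);
  public default void occupantNickKicked(org.xmpp.packet.JID, java.lang.String);
}
"""

# Constructed listing imitating a plugin built against an older interface in
# which occupantLeft took two arguments.
OLD_PLUGIN_CLASS = """\
Compiled from "RESTServicePlugin.java"
public class org.example.RESTServicePlugin implements org.example.MUCEventListener {
  private java.lang.String secret;
  public org.example.RESTServicePlugin();
  public void roomCreated(org.xmpp.packet.JID);
  public void occupantJoined(org.xmpp.packet.JID, org.xmpp.packet.JID, java.lang.String);
  public void occupantLeft(org.xmpp.packet.JID, org.xmpp.packet.JID);
  private boolean isAllowedIp(java.lang.String);
}
"""

if __name__ == "__main__":
    for sig in sorted(missing_abstract_methods(SERVER_INTERFACE, OLD_PLUGIN_CLASS)):
        print("plugin would throw AbstractMethodError for:", sig)
```

Against real jars, replace the two constants with `javap("openfire/lib/xmppserver-4.7.5.jar", "org.jivesoftware.openfire.muc.MUCEventListener")` and `javap("plugins/restapi/lib/plugin-restapi.jar", "org.jivesoftware.openfire.plugin.rest.RESTServicePlugin")` (paths are illustrative). An empty result means the plugin declares every abstract method; an interface author can avoid the whole class of breakage by adding new methods as `default` methods, which javap reports without `abstract` and which this check therefore does not require.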

I experienced the same thing and had to downgrade to 4.7.4. Still on 4.7.4, I experienced an attack where hackers could enter and create an administrator user. [screenshot: Screenshot-2023-08-11-at-15-13-11]

ArivhaySoft avatar Aug 11 '23 08:08 ArivhaySoft

Same issues here. We can see lots of attacks using 4.7.4, but with 4.7.5 the REST plugin is not working anymore. Is there any chance someone is looking into it? How could we help?

CR4567 avatar Aug 18 '23 12:08 CR4567

The same thing happened here. I tried making a request with Postman, but it returned an HTML login page response.

siunus avatar Sep 22 '23 00:09 siunus

Can be repaired this way #178

bhopeto avatar Oct 05 '23 10:10 bhopeto

The CVE-2023-32315 security vulnerability (update) is not related to this issue (#180). Please refrain from discussing it here. Instead, take that discussion to the Ignite Realtime discussion forums.

@bhopeto is correct. In Openfire 4.7.5 and later, you will need to change the Openfire system property adminConsole.access.allow-wildcards-in-excludes to true for the existing version of the REST API plugin to work (which is documented in both the CVE as well as the readme of the REST API plugin).

guusdk avatar Oct 05 '23 10:10 guusdk

This issue still exists with Openfire 4.8.1 and REST API 1.10.2, and with the Openfire system property adminConsole.access.allow-wildcards-in-excludes set to true. It works for some time, but after one day or more the login page redirect happens on every REST API request.

After restarting the plugin it works again:

2024.03.15 10:59:53.573 INFO  [PluginMonitorTask-2]: org.jivesoftware.openfire.container.PluginManager - Successfully unloaded plugin 'restapi'.
2024.03.15 10:59:54.472 INFO  [PluginMonitorExec-2]: org.jivesoftware.openfire.container.PluginManager - Successfully loaded plugin 'restapi-1.10.2'.
2024.03.15 10:59:54.474 INFO  [PluginMonitorTask-2]: org.jivesoftware.openfire.container.PluginMonitor - Finished processing all plugins.
2024.03.15 11:00:09.102 INFO  [Jetty-QTP-AdminConsole-12007]: org.jivesoftware.openfire.plugin.rest.controller.UserServiceController - Create a new user: xxxx

devsead avatar Mar 15 '24 11:03 devsead
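Editor's note, not part of the thread: the failure mode described by siunus and devsead (a REST call answered with the admin console's HTML login page, or a redirect to it, instead of JSON) is easy to watch for from the outside. The probe below is an added example, not code from the REST API plugin. It assumes, from the plugin's documented behaviour rather than from this page, that the secret key is sent in the `Authorization` header, that the admin console's login page is `login.jsp`, and that the plugin answers 401 or 403 when it rejects a key or source IP; the sample responses used for the offline check are constructed.

```python
"""Probe the Openfire REST API and tell an API answer apart from the admin
console login page.  classify() is pure so it can be checked offline; probe()
performs the HTTP request with the standard library only."""
import sys
import urllib.error
import urllib.request
from typing import Mapping


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface a 3xx as an HTTPError instead of following it, so a redirect
    to the login page is visible to classify()."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, headers: Mapping[str, str], body: str) -> str:
    """Label one HTTP response received on a REST API path."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if status in (301, 302, 303, 307, 308) and "login.jsp" in h.get("location", ""):
        return "login-redirect"      # admin console auth filter intercepted the request
    if status in (401, 403):
        return "auth-rejected"       # the plugin itself refused the key or source IP
    if "text/html" in ctype or "<html" in body[:512].lower():
        return "login-page"          # HTML served where JSON/XML was expected
    if status == 200 and ("application/json" in ctype or "application/xml" in ctype):
        return "api-ok"
    return f"unexpected-{status}"


def probe(base_url: str, secret_key: str,
          path: str = "/plugins/restapi/v1/users", timeout: float = 5.0) -> str:
    """GET one REST API path with the secret key and classify the answer."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={"Authorization": secret_key, "Accept": "application/json"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(resp.status, resp.headers,
                            resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:
        body = err.read(4096)
        if isinstance(body, bytes):
            body = body.decode("utf-8", "replace")
        return classify(err.code, err.headers or {}, body)


def auth_enforced(base_url: str) -> bool:
    """A request with a bogus key must never be answered with API data."""
    return probe(base_url, "not-the-real-key") != "api-ok"


if __name__ == "__main__":
    # usage: python probe.py http://openfire.example:9090 <secret-key>   (hostname illustrative)
    base, key = sys.argv[1], sys.argv[2]
    print("with key:", probe(base, key))
    print("auth enforced with bogus key:", auth_enforced(base))
```

Run it from cron or a monitor and alert on anything other than `api-ok`; the `login-redirect` and `login-page` labels are exactly the regression reported above, and catching it within minutes beats finding out when the next integration call fails. The bogus-key run matters because `adminConsole.access.allow-wildcards-in-excludes` re-enables the wildcard exclude matching that 4.7.5 restricted as part of the CVE-2023-32315 fix, which leaves the plugin's own secret key and allowed-IP checks carrying the authorisation for that path; `auth_enforced` confirms they do.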

The stack traces reported in the original comment do not occur any longer with REST API 1.11.0 and Openfire 4.9.0-SNAPSHOT. This suggests that the problem has been fixed.

guusdk avatar Jun 25 '24 08:06 guusdk

> The stack traces reported in the original comment do not occur any longer with REST API 1.11.0 and Openfire 4.9.0-SNAPSHOT. This suggests that the problem has been fixed.

@guusdk Thanks for your comment. Is the Openfire 4.9.0-SNAPSHOT version available to download?

devsead avatar Jul 05 '24 15:07 devsead

Yes, you can download these from the 'nightly builds' section of our website: https://www.igniterealtime.org/downloads/nightly_openfire.jsp

guusdk avatar Jul 05 '24 15:07 guusdk