Alfresco 7.X found vulnerability

CEO-Vision
Member II

Alfresco 7.X found vulnerability

Hi,

We have found a vulnerability in the Community - 7.3.0 version of Alfresco.
No information about this is available on the Internet... How can we contact you to provide the information?

Thanks a lot!

15 Replies
angelborroy
Alfresco Employee

Re: Alfresco 7.X found vulnerability

Hyland is not accepting vulnerability reports from Community.

So feel free to find your way to register and disclose the problem you found.

Thanks!

Hyland Developer Evangelist
jleman
Member II

Re: Alfresco 7.X found vulnerability

Hello @angelborroy,

We're talking here of multiple vulnerabilities on the latest downloadable version in the core Alfresco ACS libraries. Those vulnerabilities have been identified in the NIST database for months.

One of them is identified with a 9.8 CVSS score.

Disclosing the vulnerabilities here would potentially expose millions of users if that is revealed to be correct, including our customers.

We urge you to take this request seriously; open source and community software versions should not be a barrier to safety.

Thank you in advance.

ttoine
Community Manager

Re: Alfresco 7.X found vulnerability

Hello, your post title is about Alfresco 7.X, but in your post copy, you are speaking only about 7.3.

Could you please test with version 7.4 and check if this is solved already?

angelborroy
Alfresco Employee

Re: Alfresco 7.X found vulnerability

Hello @jleman 

Alfresco Community is patching vulnerabilities regularly.

For instance, check this comparison between 7.3 and 7.4:

~ $ docker scout cves --details --only-fixed --only-severity critical \
    alfresco/alfresco-content-repository-community:7.3.0
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 645 packages
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

   1C     0H     0M     0L  cxf-core 3.5.3
pkg:maven/org.apache.cxf/cxf-core@3.5.3

    ✗ CRITICAL CVE-2022-46364 [Server-Side Request Forgery (SSRF)]
      https://dso.docker.com/cve/CVE-2022-46364
      A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
      Affected range : >=3.5.0
                     : <3.5.5
      Fixed version  : 3.5.5
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

   1C     0H     0M     0L  snakeyaml 1.32
pkg:maven/org.yaml/snakeyaml@1.32

    ✗ CRITICAL CVE-2022-1471 [Deserialization of Untrusted Data]
      https://dso.docker.com/cve/CVE-2022-1471
      SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
      Affected range : <=1.33
      Fixed version  : 2.0
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      0
  CRITICAL  2

~ $ docker scout cves --details --only-fixed --only-severity critical \
    alfresco/alfresco-content-repository-community:7.4.0
    ✓ Provenance obtained from attestation
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 647 packages
    ✓ No vulnerable package detected

When using the Enterprise version, these security fixes are also applied as minor releases. Additionally, as a customer, you can require a patch if any of the vulnerabilities is affecting your deployment. This is one of the main differences between Community and Enterprise.

Additionally, as you said, this is Open Source and Community supported. So I encourage you to apply required security patches to Alfresco Community and to share your findings with others.

Hyland Developer Evangelist
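The comparison above is a manual read of `docker scout cves` output. As an added example (not code from this thread, from Alfresco or from Docker), here is a small Python parser for that text layout, a CI-style gate that lists the findings which already have a fixed version at or above a chosen severity (the same filter as `--only-fixed --only-severity`), and a diff of two image reports. The two sample reports are constructed from the 7.3.0 and 7.4.0 output quoted in the post, re-flowed and shortened; the exact line layout of docker scout and the field labels it prints are an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed samples: the 7.3.0 and 7.4.0 reports quoted in the thread, re-flowed
# into the line layout `docker scout cves --details` prints (layout is assumed).
SCOUT_730 = """\
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities
   1C     0H     0M     0L  cxf-core 3.5.3
pkg:maven/org.apache.cxf/cxf-core@3.5.3
    ✗ CRITICAL CVE-2022-46364 [Server-Side Request Forgery (SSRF)]
      https://dso.docker.com/cve/CVE-2022-46364
      A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests.
      Affected range : >=3.5.0
                     : <3.5.5
      Fixed version  : 3.5.5
      CVSS Score     : 9.8
   1C     0H     0M     0L  snakeyaml 1.32
pkg:maven/org.yaml/snakeyaml@1.32
    ✗ CRITICAL CVE-2022-1471 [Deserialization of Untrusted Data]
      https://dso.docker.com/cve/CVE-2022-1471
      Affected range : <=1.33
      Fixed version  : 2.0
      CVSS Score     : 9.8
2 vulnerabilities found in 2 packages
"""
SCOUT_740 = """\
    ✓ Provenance obtained from attestation
    ✓ Indexed 647 packages
    ✓ No vulnerable package detected
"""

@dataclass(frozen=True)
class Finding:
    package: str                   # package URL, e.g. pkg:maven/org.yaml/snakeyaml@1.32
    cve: str
    severity: str
    fixed_version: Optional[str]   # None when scout prints no fix (not in these samples)
    cvss: Optional[float]

PURL_RE = re.compile(r"^pkg:\S+$")
VULN_RE = re.compile(r"^\s*✗\s+(CRITICAL|HIGH|MEDIUM|LOW)\s+(CVE-\d{4}-\d{4,})")
FIXED_RE = re.compile(r"^\s*Fixed version\s*:\s*(\S+)")
SCORE_RE = re.compile(r"^\s*CVSS Score\s*:\s*(\d+(?:\.\d+)?)")
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

def parse_scout_report(text: str) -> List[Finding]:
    """Line-oriented parse: a pkg: line opens a package, each '✗ SEVERITY CVE-...'
    line opens a finding, and the indented 'label : value' lines fill it in."""
    findings: List[Finding] = []
    package: Optional[str] = None
    current: Optional[dict] = None

    def flush() -> None:
        nonlocal current
        if current is not None:
            findings.append(Finding(**current))
            current = None

    for line in text.splitlines():
        stripped = line.strip()
        if PURL_RE.match(stripped):
            flush()
            package = stripped
            continue
        m = VULN_RE.match(line)
        if m:
            flush()
            if package is None:
                raise ValueError(f"CVE line before any pkg: line: {stripped!r}")
            current = {"package": package, "cve": m.group(2), "severity": m.group(1),
                       "fixed_version": None, "cvss": None}
            continue
        if current is None:
            continue                     # header or summary text, not part of a finding
        if (m := FIXED_RE.match(line)):
            current["fixed_version"] = m.group(1)
        elif (m := SCORE_RE.match(line)):
            current["cvss"] = float(m.group(1))
    flush()
    return findings

def blocking_findings(findings: List[Finding], threshold: str = "CRITICAL",
                      only_fixed: bool = True) -> List[Finding]:
    """CI gate: findings at or above `threshold`; by default only those with a
    fixed version available, mirroring --only-fixed --only-severity."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f.severity, 0) >= floor
            and (f.fixed_version is not None or not only_fixed)]

def compare_images(old_report: str, new_report: str) -> Tuple[List[str], List[str]]:
    """(CVEs gone when moving old -> new, CVEs newly introduced by new)."""
    old = {f.cve for f in parse_scout_report(old_report)}
    new = {f.cve for f in parse_scout_report(new_report)}
    return sorted(old - new), sorted(new - old)
```

In a pipeline you would feed the gate the captured output of `docker scout cves --details <image>` and fail the job when `blocking_findings` is non-empty; `compare_images` gives the "fixed / introduced" summary a release note or upgrade ticket needs. Running it on the two constructed samples reports both CVEs as blocking for 7.3.0 and none for 7.4.0.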
jleman
Member II

Re: Alfresco 7.X found vulnerability

@angelborroy , @ttoine 

Thank you for this way more professional answer ;)

So even if this is not part of your comparison, the vulnerability, which is CVE-2022-31692, has been resolved in ACS 7.4.1 which I downloaded in this release note. We will check the other ones.

But your community public download link still redirects to the 7.3 version which is still affected: https://www.alfresco.com/thank-you/thank-you-downloading-alfresco-community-edition

That's where the confusion comes from; I am also worried not to find any blog post about a 9.8 vulnerability inside the ACS core.

I have the feeling that this vulnerability is fixed because you needed to update the library for this feature:

[screenshot: Capture d’écran 2023-06-22 154724.png]

.. and not to fix the vulnerability. Am I wrong?

Thank you in advance for your answer, it is important to us to know that we can rely on your security monitoring, at least for the highest issues in ACS core even in the community version.

For ourselves we will update ASAP.

ttoine
Community Manager

Re: Alfresco 7.X found vulnerability

Don't forget to read the release notes when a new version is available.

There is a mention when some security issues have been patched and it's important to update.

jleman
Member II

Re: Alfresco 7.X found vulnerability

Yes, and that vulnerability is not mentioned in any 7.3 or 7.4 release note, that is actually my point.

ttoine
Community Manager

Re: Alfresco 7.X found vulnerability

Please read again:

https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-community-edition-7-4-release-no...

There is a section about fixed vulnerabilities.

jleman
Member II

Re: Alfresco 7.X found vulnerability

Yes, I read again and there is no mention of CVE-2022-31692.

So as I said in my previous message:

I have the feeling that this vulnerability is fixed because you needed to update the library for this feature:

[screenshot: Capture d’écran 2023-06-22 154724.png]

.. and not to fix the vulnerability. Am I wrong?

Anyway we will continue to monitor closely the security components to see if that happens again.

More dangerous: the official Community Download Web Page still redirects to v7.3 (I mean the 1st page in Google when you type "alfresco download community"), which is compromised by this 9.8 CVSS vulnerability, disclosed on 10/31/2022.

[screenshot: Capture d’écran 2023-08-01 151017.png]

You really need to take actions fast, this is going political now.

Thank you in advance !

cc. @ttoine