Alfresco 7.X found vulnerability

ttoine
Community Manager

Re: Alfresco 7.X found vulnerability

Hello, you are right, some content has not been updated yet, and I will notify our web team.

That said, most people are currently using the Docker tutorial to start with ACS, and it will download the latest version, 7.4.

jleman
Member II

Re: Alfresco 7.X found vulnerability

Hello @ttoine 

While the public Alfresco Community Download Page still sends users to the 7.3 version, we have updated our instances to 7.4 and our security monitoring still reports some important CVEs:

__________________________________

CVE: CVE-2023-20860

Publication Date : 27.03.2023

CVSS 3.x Score : 7.5 HIGH

Tenable Output


  Path              : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
  Installed version : 5.3.23
  Fixed version     : 5.3.26

__________________________________

CVE: CVE-2023-20861

Publication Date : 23.03.2023

CVSS 3.x Score : 6.5 MEDIUM

Tenable Output

  Path              : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
  Installed version : 5.3.23
  Fixed version     : 5.3.26

__________________________________

Thank you in advance for your feedback

Best,


angelborroy
Alfresco Employee

Re: Alfresco 7.X found vulnerability

Can you provide a detailed path to exploit these vulnerabilities in Alfresco Share 7.4.1.1?

You need to classify reported vulnerabilities according to the risk they represent for your system. If there is no way to exploit a vulnerability in your system, then it's not a risk.

Hyland Developer Evangelist
jleman
Member II

Re: Alfresco 7.X found vulnerability

@angelborroy ???????

Yes you are right, if Hyland policy is to wait for a public exploit to fix an official CVE, you don't need to update the application.

For instance, this position is exactly the reason that led to the current Storm-0558 data breach in Microsoft systems, including a huge government e-mail data leak, and opened investigations from the FBI, CSRB, Dept. of Justice, FTC & CISA.

I invite you to read the Tenable CEO's article and Senator Ron Wyden's letter about Microsoft's negligence in fixing potential security breaches.

cc. @ttoine 

angelborroy
Alfresco Employee

Re: Alfresco 7.X found vulnerability

Not sure if I understand you, but let me make a quick analysis of your vulnerability report.

https://nvd.nist.gov/vuln/detail/CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Alfresco Share application is not using that kind of pattern. Additionally, Alfresco Share is not using Spring MVC at all.

https://nvd.nist.gov/vuln/detail/CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

You could get an external addon including this kind of attack by using https://docs.spring.io/spring-framework/reference/core/expressions/beandef.html

Understanding that you're not accepting or deploying Alfresco Share addons coming from an unknown developer or third-party, you're also safe.


In any case, Alfresco is updating library versions with every Alfresco release. So this will be fixed shortly. If you consider this is a high risk for your organization, you can open a Support Ticket to get that fixed as a hot fix.

What I explained to you before is not the official Hyland Policy, it was just advice from a colleague trying to help you solve your problem.

If you want to verify the official Hyland Policy or raise a concern related to it, please use the official Support Channel. Alfresco Hub is not intended for replying to that kind of question.

Hyland Developer Evangelist
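The two posts above go through the same triage in words: first, is the installed spring-core version inside the affected range NVD publishes for each CVE (the Tenable output earlier in the thread reports 5.3.23 installed, 5.3.26 fixed), and second, is the precondition the advisory describes even present (Spring MVC plus Spring Security request matching for CVE-2023-20860; evaluation of untrusted SpEL for CVE-2023-20861). The script below is an added example of that reasoning as code; it is not part of the thread and not Alfresco or Hyland tooling. The affected ranges are copied from the NVD descriptions quoted above; the jar listing it scans is constructed for the example and is not an inventory of Share 7.4; and the classpath check for CVE-2023-20860 (looking for spring-webmvc and spring-security jars) is a heuristic assumption of this example, not Alfresco's own criterion.

```python
"""Triage spring-core findings the way the thread discusses: version range, then precondition.

Added example, not code from the forum thread, Alfresco or Hyland.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Affected ranges (lowest, highest), inclusive, as quoted from NVD in the thread.
AFFECTED = {
    "CVE-2023-20860": [("5.3.0", "5.3.25"), ("6.0.0", "6.0.6")],
    "CVE-2023-20861": [("5.2.0.RELEASE", "5.2.22.RELEASE"),
                       ("5.3.0", "5.3.25"), ("6.0.0", "6.0.6")],
}

# Fixed version per branch. Only the 5.3 line is stated on the page (Tenable output).
FIXED = {(5, 3): "5.3.26"}

# spring-core-5.3.23.jar -> artifact "spring-core", version "5.3.23"
JAR_RE = re.compile(
    r"^(?P<artifact>[A-Za-z][A-Za-z0-9-]*?)-"
    r"(?P<version>\d+\.\d+\.\d+(?:\.[A-Za-z0-9]+)?)\.jar$"
)

# Constructed WEB-INF/lib listing for the example (NOT the real Share 7.4 contents).
SAMPLE_SHARE_LIB = [
    "spring-core-5.3.23.jar",
    "spring-beans-5.3.23.jar",
    "spring-expression-5.3.23.jar",
    "alfresco-share-7.4.1.1.jar",
]
# Hypothetical listing where the CVE-2023-20860 precondition would be present.
SAMPLE_WITH_MVC = SAMPLE_SHARE_LIB + [
    "spring-webmvc-5.3.23.jar",
    "spring-security-config-5.7.0.jar",
]


def parse_version(v: str) -> tuple:
    """Numeric components of a Spring version: '5.2.22.RELEASE' -> (5, 2, 22)."""
    nums = []
    for part in v.split("."):
        if not part.isdigit():
            break  # qualifier such as RELEASE is ignored for ordering
        nums.append(int(part))
    if len(nums) < 3:
        raise ValueError(f"unrecognised Spring version: {v!r}")
    return tuple(nums)


def is_affected(cve: str, installed: str) -> bool:
    """True when `installed` lies inside one of the published affected ranges."""
    inst = parse_version(installed)
    return any(parse_version(lo) <= inst <= parse_version(hi) for lo, hi in AFFECTED[cve])


def fixed_for(installed: str) -> Optional[str]:
    """Fixed version for the installed branch, when the page states one."""
    return FIXED.get(parse_version(installed)[:2])


def index_jars(jar_names) -> dict:
    """Map artifactId -> version for every recognisable jar name."""
    found = {}
    for name in jar_names:
        m = JAR_RE.match(name)
        if m:
            found[m["artifact"]] = m["version"]
    return found


@dataclass
class Finding:
    cve: str
    installed: str
    affected_version: bool
    precondition_present: Optional[bool]  # None = cannot be decided from the classpath
    verdict: str


def triage(jar_names) -> list:
    """Classify each CVE for the spring-core jar found in the listing."""
    jars = index_jars(jar_names)
    core = jars.get("spring-core")
    if core is None:
        return []
    # Heuristic assumption: the "**" mvcRequestMatcher issue needs Spring MVC and
    # Spring Security on the classpath to be reachable at all.
    has_mvc = any(a.startswith("spring-webmvc") for a in jars)
    has_security = any(a.startswith("spring-security") for a in jars)
    results = []
    for cve in AFFECTED:
        affected = is_affected(cve, core)
        precondition = (has_mvc and has_security) if cve == "CVE-2023-20860" else None
        if not affected:
            verdict = "not affected: version outside published range"
        elif precondition is False:
            verdict = ("affected version, precondition absent from classpath: "
                       "record the rationale, upgrade with the next release")
        elif precondition is None:
            verdict = ("affected version, reachability undecidable here: review whether "
                       "any component or add-on evaluates untrusted SpEL")
        else:
            verdict = "affected version and precondition present: patch now"
        results.append(Finding(cve, core, affected, precondition, verdict))
    return results


if __name__ == "__main__":
    for f in triage(SAMPLE_SHARE_LIB):
        print(f"{f.cve} spring-core {f.installed} (fixed: {fixed_for(f.installed)}): {f.verdict}")
```

The split between "affected version" and "precondition present" is the point: a scanner like Tenable only answers the first question, so the script records the second as a separate field rather than silently downgrading a finding, and it refuses to decide SpEL reachability from a jar listing, since that depends on what code actually evaluates expressions.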
jleman
Member II

Re: Alfresco 7.X found vulnerability

@angelborroy Of course, if after internal analysis you can determine that you are not affected by the CVE for some reason, that is acceptable for a while, as Apache Solr did, for example, for a similar issue on their security review page for a 9.8 CVE.

[image attachment: solrpng.png]

But you'll admit that is very different from saying "Can you provide a detailed path to exploit these vulnerabilities in Alfresco Share", which I understand as: we will only patch it if an exploit has been released (and so, already used against Alfresco instances).

We don't consider this a high risk; we just gather information from our security monitoring, the official CVE database and Alfresco communication, and that communication should happen when vulnerabilities from 6 months ago are still not patched.


[image attachment: image.png]

Do you have any news about changing the Community Download Page? It is just a few links to change, and it can prevent users from downloading an affected or unsupported version.

EDIT: The download page has been updated.