
PLEASE READ: Important Message Regarding Security

Question asked by nancyg on Jul 23, 2010
Latest reply on Aug 4, 2010 by heydenb
All-

Thanks to Jeff Potts at Metaversant (http://www.metaversant.com), Alfresco has become aware of a potential security loophole where the jBPM process deployer servlet runs without authentication. This means that a valid user may deploy a workflow that grants them admin access or similar. However, this loophole does require the user to have a valid account on the system and a good technical understanding of Alfresco.

Alfresco has identified a WAR file configuration change to eliminate this potential security loophole. Alfresco strongly recommends that you complete the following instructions for any 2.1, 2.2, and 3.x system to eliminate the risk.

1. Create a backup directory and give it an appropriate name, such as <ALFRESCOBACKUP>.
2. Copy your currently deployed alfresco.war file to this backup directory.
3. Create a new empty directory and unzip your backup alfresco.war file there.
For Linux

a) mkdir ~/alfresco
b) cd ~/alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

For Windows

a) mkdir C:\alfresco
b) cd /D C:\alfresco
c) jar xvf <ALFRESCOBACKUP>/alfresco.war

4. In this new directory (~/alfresco), edit the WEB-INF/web.xml file to comment out the following lines.
Change:

<servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping>

To:

<!--servlet-mapping>
<servlet-name>JBPMDeployProcessServlet</servlet-name>
<url-pattern>/jbpm/deployprocess</url-pattern>
</servlet-mapping-->
5. Zip this directory to create a new alfresco.war.
For Linux

a) cd ~/alfresco
b) jar cvf ../alfresco.war .

For Windows

a) cd /D C:\alfresco
b) jar cvf ..\alfresco.war .

6. Deploy the new alfresco.war using the appropriate instructions for your application server.
7. Confirm that accessing the URL http://<host:8080>/alfresco/jbpm/deployprocess returns a status 404 error.
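
As an added example (not from the original post and not Alfresco's own tooling), the following Python script audits an extracted WEB-INF/web.xml for an uncommented mapping of JBPMDeployProcessServlet and applies the same comment-out change as step 4, so the check and the fix can be scripted across several deployments before the 404 test in step 7. The sample web.xml fragment is constructed, and the namespace handling assumes the file may declare the standard J2EE default xmlns.

```python
import re
import xml.etree.ElementTree as ET

DEPLOY_SERVLET = "JBPMDeployProcessServlet"
DEPLOY_URL = "/jbpm/deployprocess"

# Constructed sample of the relevant web.xml fragment; a real file has many more entries.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet-mapping>
    <servlet-name>JBPMDeployProcessServlet</servlet-name>
    <url-pattern>/jbpm/deployprocess</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>Faces Servlet</servlet-name>
    <url-pattern>*.faces</url-pattern>
  </servlet-mapping>
</web-app>
"""

def _local(tag):
    """Strip any '{namespace}' prefix so lookups work with or without a default xmlns."""
    return tag.rsplit("}", 1)[-1]

def active_deploy_mappings(web_xml_text):
    """Return url-patterns of uncommented servlet-mappings that expose the deployer.
    The default ElementTree parser discards XML comments, so a mapping wrapped in
    <!-- ... --> (the advisory's fix) is not reported: that is the hardened state."""
    found = []
    for elem in ET.fromstring(web_xml_text).iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in elem}
        if fields.get("servlet-name") == DEPLOY_SERVLET or fields.get("url-pattern") == DEPLOY_URL:
            found.append(fields.get("url-pattern"))
    return found

# Matches the deployer's whole <servlet-mapping> block as raw text, so formatting is preserved.
_MAPPING_RE = re.compile(
    r"<servlet-mapping>\s*<servlet-name>\s*" + DEPLOY_SERVLET + r"\s*</servlet-name>.*?</servlet-mapping>",
    re.S)

def comment_out_deploy_mapping(web_xml_text):
    """Apply step 4 of the advisory: wrap the deployer mapping in an XML comment."""
    if not active_deploy_mappings(web_xml_text):
        return web_xml_text  # already hardened; nesting comments would produce invalid XML
    return _MAPPING_RE.sub(lambda m: "<!-- " + m.group(0) + " -->", web_xml_text)
```

Run `active_deploy_mappings` on the web.xml from the rebuilt WAR as a pre-deployment check; an empty list is the expected result before step 7 is attempted.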

Alfresco has applied this configuration to all hotfix branches, ensuring that all future patches and service packs include the change.

In Alfresco Version 3.3 SP3, you will be able to configure the JBPM process deployer servlet via alfresco-global.properties. Refer to the Alfresco Documentation on Network for more details post-release.

This solution has been verified against 3.3 SP1, 3.2 SP2, 2.2 SP8, and 2.1 SP7.
