topic Important security alert in Alfresco Archive https://connect.hyland.com/t5/alfresco-archive/important-security-alert/m-p/263699#M216829 <HTML><HEAD></HEAD><BODY><SPAN>Included in Alfresco 4.0.1 Enterprise is a fix for two critical security issues. The two issues are:</SPAN><BR /><UL><LI>SOLR REST API allows unauthenticated access to repository contents (<A href="https://issues.alfresco.com/jira/browse/ALF-13721" rel="nofollow noopener noreferrer">ALF-13721</A>) (Affects 4.0)</LI><BR /><LI>Remote code execution possible via Web Script XSLT Processor (<A href="https://issues.alfresco.com/jira/browse/ALF-13726" rel="nofollow noopener noreferrer">ALF-13726</A>) (Affects all versions)</LI></UL><SPAN>If you are an Enterprise Edition user, you have already been notified of these issues and what to do to address them. Both issues are fixed in 4.0.1. There is a hotfix available for 4.0.</SPAN><BR /><BR /><SPAN>If you are an Enterprise Edition user on 3.4, the XSLT fix will be in 3.4.9. A hotfix is available for 3.4.8.</SPAN><BR /><BR /><SPAN>For Community Edition users, you'll see the fix in the next Community drop. Until then, here is some additional information in case you need to address the issues.</SPAN><BR /><BR /><STRONG>SOLR REST API allows unauthenticated access to repository contents</STRONG><BR /><BR /><SPAN>An omission has been discovered that meant that HTTP access to repository APIs under the paths /alfresco/s/api/solr, /alfresco/wcservice/api/solr and /alfresco/wcs/api/solr were not protected by SOLR’s SSL certificate and could potentially be used by an unauthenticated user to retrieve information from the repository. </SPAN><EM>This issue affects you whether or not you have configured and installed SOLR for search.</EM><BR /><BR /><SPAN>The issue is easily addressed by adding some XML to your web.xml. If you take a look at the web.xml file, you'll see a security-constraint element that matches on the "/service/api/solr" pattern. The issue is that the web script is accessible via several other patterns not covered by existing security constraints.</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&lt;security-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-collection&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-name&gt;SOLR&lt;/web-resource-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;url-pattern&gt;/service/api/solr/*&lt;/url-pattern&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/web-resource-collection&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;auth-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;role-name&gt;repoclient&lt;/role-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/auth-constraint&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;user-data-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/user-data-constraint&gt;<BR />&nbsp;&nbsp; &lt;/security-constraint&gt;<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><SPAN>You can plug the hole yourself by adding the following additional security constraints:</SPAN><BR /><PRE class="language-none line-numbers"><CODE>&lt;security-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-collection&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-name&gt;SOLR&lt;/web-resource-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;url-pattern&gt;/s/api/solr/*&lt;/url-pattern&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/web-resource-collection&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;auth-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;role-name&gt;repoclient&lt;/role-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/auth-constraint&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;user-data-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/user-data-constraint&gt;<BR />&nbsp;&nbsp; &lt;/security-constraint&gt;<BR /><BR />&nbsp;&nbsp; &lt;security-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-collection&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-name&gt;SOLR&lt;/web-resource-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;url-pattern&gt;/wcservice/api/solr/*&lt;/url-pattern&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/web-resource-collection&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;auth-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;role-name&gt;repoclient&lt;/role-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/auth-constraint&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;user-data-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/user-data-constraint&gt;<BR />&nbsp;&nbsp; &lt;/security-constraint&gt;<BR /><BR />&nbsp;&nbsp; &lt;security-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-collection&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;web-resource-name&gt;SOLR&lt;/web-resource-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;url-pattern&gt;/wcs/api/solr/*&lt;/url-pattern&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/web-resource-collection&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;auth-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;role-name&gt;repoclient&lt;/role-name&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/auth-constraint&gt;<BR /><BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;user-data-constraint&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;transport-guarantee&gt;CONFIDENTIAL&lt;/transport-guarantee&gt;<BR />&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;/user-data-constraint&gt;<BR />&nbsp;&nbsp; &lt;/security-constraint&gt;<SPAN class="line-numbers-rows"><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN><SPAN>‍</SPAN></SPAN></CODE></PRE><STRONG>Remote code execution possible via Web Script XSLT Processor</STRONG><BR /><BR /><SPAN>Alfresco’s XSLT processor previously allowed XSLT templates used by web scripts and Web Forms to make use of the Apache Xalan extensions feature to call arbitrary Java methods. This could be exploited as a security hole by anyone with permissions to upload a webscript or XSLT template. We now prevent the use of any extension namespaces besides the preconfigured Alfresco 'alf' namespace.</SPAN><BR /><BR /><SPAN>With the fix in place, the Xalan extensions cannot call arbitrary methods because the only extensions allowed are Alfresco's. If you need to call your own Java code through a Xalan extension, you can still configure the XSLT processor to do that.</SPAN><BR /><BR /><SPAN>The code that implements this fix is in the Jira. This should allow you to patch the JAR if you cannot wait for the next Community Edition drop.</SPAN><BR /><BR /><SPAN>Jeff</SPAN></BODY></HTML> Thu, 26 Apr 2012 23:13:58 GMT jpotts 2012-04-26T23:13:58Z Important security alert https://connect.hyland.com/t5/alfresco-archive/important-security-alert/m-p/263699#M216829 Included in Alfresco 4.0.1 Enterprise is a fix for two critical security issues. The two issues are<IMG id="smileyfrustrated" class="emoticon emoticon-smileyfrustrated" src="https://migration33.stage.lithium.com/i/smilies/16x16_smiley-frustrated.png" alt="Smiley Frustrated" title="Smiley Frustrated" />OLR REST API allows unauthenticated access to repository contents (ALF-13721) (Affects 4.0)Remote code execution possible via Web Script XSLT Processor (ALF-13726) (Affects all versions)If you are an Thu, 26 Apr 2012 23:13:58 GMT https://connect.hyland.com/t5/alfresco-archive/important-security-alert/m-p/263699#M216829 jpotts 2012-04-26T23:13:58Z Re: Important security alert https://connect.hyland.com/t5/alfresco-archive/important-security-alert/m-p/263700#M216830 <HTML><HEAD></HEAD><BODY><SPAN>Thank you to direct attention to this issue and for providing an instant fix!</SPAN><BR /><BR /><SPAN>For the XSLT issue, it is maybe possible to disable XSLT if this functionality is not required or while the patch is being prepared:</SPAN><BR /><BR /><SPAN>For 4.0d Community Edition place a file security-fixes-context.xml into /shared/classes/alfresco/extension containing:</SPAN><BR /><BR /><SPAN>&lt;?xml version='1.0' encoding='UTF-8'?&gt;</SPAN><BR /><SPAN>&lt;!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' '</SPAN><A href="http://www.springframework.org/dtd/spring-beans.dtd" rel="nofollow noopener noreferrer">http://www.springframework.org/dtd/spring-beans.dtd</A><SPAN>'&gt;</SPAN><BR /><SPAN>&lt;beans&gt;</SPAN><BR /><SPAN>&nbsp; &lt;!– override xslt beans to disable xslt processing –&gt;</SPAN><BR /><SPAN>&nbsp; &lt;!– </SPAN><A href="https://forums.alfresco.com/en/viewtopic.php?f=2&amp;t=44384" rel="nofollow noopener noreferrer">https://forums.alfresco.com/en/viewtopic.php?f=2&amp;t=44384</A><SPAN> –&gt;</SPAN><BR /><SPAN>&nbsp; &lt;!– </SPAN><A href="https://issues.alfresco.com/jira/browse/ALF-13726" rel="nofollow noopener noreferrer">https://issues.alfresco.com/jira/browse/ALF-13726</A><SPAN> –&gt;</SPAN><BR /><SPAN>&nbsp; &lt;bean id="xsltRenderingEngine" class="java.lang.String"/&gt;</SPAN><BR /><SPAN>&nbsp; &lt;bean id="xsltFunctions" class="java.lang.String"/&gt;</SPAN><BR /><SPAN>&nbsp; &lt;bean id="xsltProcessor" class="java.lang.String"/&gt;</SPAN><BR /><SPAN>&lt;/beans&gt;</SPAN><BR /><BR /><SPAN>Regards,</SPAN><BR /><SPAN>&nbsp; lothar</SPAN></BODY></HTML> Fri, 27 Apr 2012 11:12:18 GMT https://connect.hyland.com/t5/alfresco-archive/important-security-alert/m-p/263700#M216830 lotharmärkle 2012-04-27T11:12:18Z