topic Re: Alfresco vulnerability - how to fix the problem ? in Alfresco Archive

Alfresco vulnerability - how to fix the problem ?

benjamindupont — Fri, 15 Jan 2016 09:09:54 GMT

Hi,I'm currently using Alfresco CE 4.2.f, and I saw there is avulnerability on this version :http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9300http://seclists.org/bugtraq/2014/Jul/72My data are sensitive, and I want to prevent a disclosure, do you have an idea to fix or avoid this probl

Re: Alfresco vulnerability - how to fix the problem ?

afaust — Mon, 18 Jan 2016 09:41:02 GMT

Hello,

there is no official support for any Alfresco Community Edition release. There also won't usually be any security releases for a Community Edition release if a newer version is already available, and even without a newer version it is solely at the discretion of Alfresco. If moving to Alfresco 5.0 is not an option, then you can either try to merge any related fixes from 5.0 to your 4.2.f yourself, contact a 3rd party service provider that provides fixes / patches for Community Edition (i.e. Loftux) or switch to a paid Alfresco Enterprise subscription (Alfresco has provided hot-fix versions for such security vulnerabilities).

The proxy servlet can technically be disabled, but if you were to do this, than the entire Share web application will no longer work, so this is not an option from a "usability" point of view.

Regards
Axel

Re: Alfresco vulnerability - how to fix the problem ?

benjamindupont — Tue, 19 Jan 2016 08:18:50 GMT

Hello,
Thanks for your reply Axel about the solutions. And for my information, could you explain how is it possible to disable the proxy servlet ?
Regards
Ben

Re: Alfresco vulnerability - how to fix the problem ?

benjamindupont — Tue, 19 Jan 2016 09:59:03 GMT

By the way, to avoid the CMIS vulnerability (SSRF Proof of concept 2), do you know if there is a way to disable the CMIS access ? I can't find anything on this subject…
Thanks.

Re: Alfresco vulnerability - how to fix the problem ?

afaust — Tue, 19 Jan 2016 09:59:42 GMT

Hello,

to disable the proxy controller you'd need to create a custom-slingshot-application-context.xml in /web-e extension/ directory and in that file override the webframeworkHandlerMappings bean to not include a mapping for /proxy/** (see this <a href="https://github.com/Alfresco/share/blob/bd807c91971c9ccdb196dbe09171c231d286fb29/share/src/main/resources/alfresco/slingshot-application-context.xml#L78">default config</a> for reference). Again, I advise against it since Share will stop working correctly / at all if you do disable it.

Regards
Axel

Re: Alfresco vulnerability - how to fix the problem ?

benjamindupont — Tue, 19 Jan 2016 10:05:36 GMT

Thanks again for your quick response and advises Axel.

I have a last question, to avoid the CMIS vulnerability (SSRF Proof of concept 2), do you know if there is a way to disable the CMIS access ? I can't find anything on this subject…

Best regards

Re: Alfresco vulnerability - how to fix the problem ?

afaust — Tue, 19 Jan 2016 10:08:25 GMT

For the CMIS vulnerability you'd need to provide a modified web.xml in the /webapps/alfresco/WEB-INF directory which comments out / removes the /cmisbrowser servlet mapping. Note that there may be multiple mappings - one with CMISFileShareServlet and one called cmisbrowser. As far as I understand, the CMISFileShareServlet is the one affected by the advisory, not the cmisbrowser one. If you disable cmisbrowser you close up the only interface to use CMIS 1.1 with Alfresco 4.2
I don't know why CMISFileShareServlet was ever included - I could not see a valid use case for it in production systems.

Re: Alfresco vulnerability - how to fix the problem ?

benjamindupont — Tue, 19 Jan 2016 10:56:22 GMT

I directly modify the /tomcat/webapps/alfresco/WEB-INF/web.xml by comments out the servlet and servlet mapping for cmisbrowser or CMISFileShareServlet and both of them. After rebooting Alfresco, it seems there isn't any change (I currently test with a CMIS sync tool)…
Did I miss something ?

Re: Alfresco vulnerability - how to fix the problem ?

afaust — Tue, 19 Jan 2016 16:36:59 GMT

It depends on which CMIS protocol variant the CMIS sync tool is using. For normal Alfresco and Share there shouldn't be any noticable change, only for CMIS clients that used the CMIS browser binding. If CMIS sync tool is capable of falling back to AtomPub or even SOAP, then the change would be transparent…

Re: Alfresco vulnerability - how to fix the problem ?

yannickb — Fri, 22 Jan 2016 10:20:50 GMT

Hello Alex and thanks for your answers regarding these issues.
I have to setup an alfresco server directly on a webserver, it will not be part of an intranet. In that case it seems to me the proxy vulnerability does not concern me, since there would not be any other servers or services to discover behind the alfesco server, is is exact ?
Thanks in advance for your answer.
Yannick

Re: Alfresco vulnerability - how to fix the problem ?

benjamindupont — Thu, 28 Jan 2016 14:03:31 GMT

Hi Axel,
Thanks for your precisions about CMIS! Could you just tell us (If you know of course!), if this threat concern only a server which is placed with others servers (intranet) or not ?
Thanks!

Re: Alfresco vulnerability - how to fix the problem ?

afaust — Thu, 28 Jan 2016 16:58:16 GMT

The threat concerns any server in a networked environment. Only if the Alfresco server in question would be prevented from making any outbound HTTP(S) connection attempts would you avoid the "network / port scan" part of the vulnerability. And technically you can't restrict the file-level access to a level where you aren't still affected by the "file scan" part of the vulnerability.