topic Re: Alfresco 7.X found vulnerability in Alfresco Forum

Alfresco 7.X found vulnerability

CEO-Vision — Thu, 22 Jun 2023 09:24:36 GMT

Hi,

We have found a vulnerability in the Community - 7.3.0 version of Alfresco.
No information about this is available on the Internet... How can we contact you to provide the information?

Thanks a lot!

Re: Alfresco 7.X found vulnerability

angelborroy — Thu, 22 Jun 2023 11:59:26 GMT

Hyland is not accepting vulnerability reports from Community.

So feel free to find your way to register and disclose the problem you found.

Thanks!

Re: Alfresco 7.X found vulnerability

jleman — Thu, 22 Jun 2023 12:54:01 GMT

Hello @angelborroy,

We're talking here of multiple vulnerabilities on the latest downloadable version in the core Alfresco ACS libraries. Those vulnerabilities are identified in the NIST database for months.

One of them is identified with a 9.8 CVSS score.

Disclosing the vulnerabilities here would potentially expose million of users if that is revealed to be correct, including our customers.

We urge you to take this request seriously, open source and community softwares versions should not be a barrier to safety.

Thank you in advance.

Re: Alfresco 7.X found vulnerability

ttoine — Thu, 22 Jun 2023 13:12:04 GMT

Hello, your post title is about Alfresco 7.X, but in your post copy, you are speaking only about 7.3.

Could you please test with version 7.4 and check if this is solved already?

Re: Alfresco 7.X found vulnerability

angelborroy — Thu, 22 Jun 2023 13:29:18 GMT

Hello @jleman

Alfresco Community is patching vulnerabilities regularly.

For instance, check this comparison between 7.3 and 7.4

~ $ docker scout cves --details --only-fixed --only-severity critical \
alfresco/alfresco-content-repository-community:7.3.0
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 645 packages
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

   1C     0H     0M     0L  cxf-core 3.5.3
pkg:maven/org.apache.cxf/cxf-core@3.5.3

    ✗ CRITICAL CVE-2022-46364 [Server-Side Request Forgery (SSRF)]
      https://dso.docker.com/cve/CVE-2022-46364

      A SSRF vulnerability in parsing the href attribute of XOP:Include in
      MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows
      an attacker to perform SSRF style attacks on webservices that take at
      least one parameter of any type.


      Affected range : >=3.5.0
                     : <3.5.5
      Fixed version  : 3.5.5
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H


   1C     0H     0M     0L  snakeyaml 1.32
pkg:maven/org.yaml/snakeyaml@1.32

    ✗ CRITICAL CVE-2022-1471 [Deserialization of Untrusted Data]
      https://dso.docker.com/cve/CVE-2022-1471

      SnakeYaml's Constructor() class does not restrict types which can be
      instantiated during deserialization. Deserializing yaml content
      provided by an attacker can lead to remote code execution. We recommend
      using SnakeYaml's SafeConsturctor when parsing untrusted content to
      restrict deserialization. We recommend upgrading to version 2.0 and
      beyond.


      Affected range : <=1.33
      Fixed version  : 2.0
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H



2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      0
  CRITICAL  2

~ $ docker scout cves --details --only-fixed --only-severity critical \
alfresco/alfresco-content-repository-community:7.4.0
    ✓ Provenance obtained from attestation
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 647 packages
    ✓ No vulnerable package detected

When using Enterprise version, this security fixes are also applied as minor releases. Additionally, as customer, you can require a patch if some of the vulnerabilities is affecting your deployment. This is one of the main differences between Community and Enterprise.

Additionally, as you said, this is Open Source and Community supported. So I encourage you to apply required security patches to Alfresco Community and to share your findings with others.

Re: Alfresco 7.X found vulnerability

jleman — Thu, 22 Jun 2023 13:50:34 GMT

@angelborroy , @ttoine

Thank you for this way more professionnal answer

So even if this is not part of your comparaison, the vulnerability, which is CVE-2022-31692, has been resolved in ACS 7.4.1 which I downloaded in this release note. We will check the other ones.

But your community public download link still redirect to the 7.3 version which is still affected : https://www.alfresco.com/thank-you/thank-you-downloading-alfresco-community-edition

That's where the confusion comes from, also I am worried to don't find any blog post about a 9.8 vulnerability inside the ACS core.

I have the feeling that this vulnerability is fixed because you needed to update the library for this feature :

.. and not to fix the vulnerability. Am I wrong ?

Thank you in advance for your answer, it is important tu us to know that we can rely on your security monitoring, at least for the highest issues in ACS core even in the community version.

For ourselves we will update ASAP.

Re: Alfresco 7.X found vulnerability

ttoine — Thu, 22 Jun 2023 15:01:25 GMT

Don't forget to read the release notes when a new version is available.

There is a mention when some security issues have been patched and it's important to update.

Re: Alfresco 7.X found vulnerability

jleman — Thu, 22 Jun 2023 15:57:16 GMT

Yes, and that vulnerability is not mentionned in any 7.3 or 7.4 release note, that is actually my point.

Re: Alfresco 7.X found vulnerability

ttoine — Fri, 23 Jun 2023 08:42:10 GMT

Please read again:

https://hub.alfresco.com/t5/alfresco-content-services-blog/alfresco-community-edition-7-4-release-notes/ba-p/316162

There is a section about fixed vulnerabilities.

Re: Alfresco 7.X found vulnerability

jleman — Tue, 01 Aug 2023 13:11:03 GMT

Yes, I read again and there is no mention of CVE-2022-31692

So as I said I in my previous message :

Spoiler

I have the feeling that this vulnerability is fixed because you needed to update the library for this feature :

.. and not to fix the vulnerability. Am I wrong ?

I have the feeling that this vulnerability is fixed because you needed to update the library for this feature : .. and not to fix the vulnerability. Am I wrong ?

Anyway we will continue to monitor closely the security components to see if that happens again.

More dangerous : The official Community Download Web Page still redirect to v7.3 (I mean the 1st page in Google when you type "alfresco download community"), which is compromised by this 9.8 CVSS vulnerability, disclosed on 10/31/2022.

You really need to take actions fast, this is going political now.

Thank you in advance !

cc. @ttoine

Re: Alfresco 7.X found vulnerability

ttoine — Tue, 01 Aug 2023 13:57:54 GMT

Hello, you are right, some content has not been updated yet, and I will notify our web team.

That said, most people are currently using the Docker tutorial to start with ACS, and it will download the last version, the 7.4.

Re: Alfresco 7.X found vulnerability

jleman — Tue, 19 Sep 2023 14:39:46 GMT

Hello @ttoine

While the public Alfresco Community Download Page still send the users to the 7.3 version, we have updated our instances to 7.4 and our security monitoring still reports some important CVEs

__________________________________

CVE : CVE-2023-20860

Publication Date : 27.03.2023

CVSS 3.x Score : 7.5 HIGH

Tenable Output :

  Path              : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
  Installed version : 5.3.23
  Fixed version     : 5.3.26

__________________________________

CVE : CVE-2023-20861

Publication Date : 23.03.2023

CVSS 3.x Score : 6.5 MEDIUM

Tenable Output :

  Path              : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
  Installed version : 5.3.23
  Fixed version     : 5.3.26

__________________________________

Thank you in advance for your feedback

Best,

Re: Alfresco 7.X found vulnerability

angelborroy — Tue, 19 Sep 2023 15:03:55 GMT

Can you provide a detailed path to exploit this vulnerabilities in Alfresco Share 7.4.1.1?

You need to classify reported vulnerabilities according to the risk they represent for your system. If there is no way to exploit a vulnerability in your system, then it's not a risk.

Re: Alfresco 7.X found vulnerability

jleman — Wed, 20 Sep 2023 10:28:42 GMT

@angelborroy ???????

Yes you are right, if Hyland policy is to wait for a public exploit to fix an official CVE, you don't need to update the application.

For instance, this position is exactly the reason that leads to the current Storm-0558 data breach in Microsoft systems, including a huge government e-mail data leak, and opening investigations from the FBI, CSRB, Dept. of Justice, FTC & CISA.

I invite you to read the Tenable's CEO article and the Senator Ron Wyden's letter about Microsoft's negligence in fixing potential security breaches.

cc. @ttoine

Re: Alfresco 7.X found vulnerability

angelborroy — Wed, 20 Sep 2023 11:02:56 GMT

Not sure if I understand you, but let me make a quick analysis on your vulnerabilities report.

https://nvd.nist.gov/vuln/detail/CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Alfresco Share application is not using that kind of pattern. Additionally, Alfresco Share is not using Spring MVC at all.

https://nvd.nist.gov/vuln/detail/CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

You could get an external addon including this kind of attack by using https://docs.spring.io/spring-framework/reference/core/expressions/beandef.html

Understanding that you're not accepting or deploying Alfresco Share addons coming from an unknown developer or third-party, you're also safe.

In any case, Alfresco is updating library versions with every Alfresco release. So this will be fixed shortly. If you consider this is a high risk for your organization, you can open a Support Ticket to get that fixed as a hot fix.

What I explained to you before is not the official Hyland Policy, it was just an advice from a colleague trying to help you to solve your problem.

If you want to verify the official Hyland Policy or raise a concern related to it, please use the official Support Channel. Alfresco Hub is not intended to reply to those kind of questions.

Re: Alfresco 7.X found vulnerability

jleman — Wed, 20 Sep 2023 12:27:01 GMT

@angelborroy Of course if after internal analysis, you can determine to not be affected by the CVE for some reasons that is acceptable for a moment, as Apache Solr did for exemple for a similar breach in their security review page for a 9.8 CVE :

But you'll admit that is far different from saying "Can you provide a detailed path to exploit this vulnerabilities in Alfresco Share", which I understand as : We will only patch it if an exploit has been released (and so, already used against Alfresco instances).

We don't consider this is a high risk, we just gather informations from our security monitoring, the official CVE database and Alfresco communication, that communication should be done when vulnerabilities from 6 months ago are still not patched.

Do you have some news about changing the Community Download Page ? It is some links to change and can prevent users to download an affected or unsupported version.

EDIT : Download page have been updated