https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419480#M39342 <P>Hi, Mickael.</P><P>&nbsp;</P><P>We're still evaluating detailed impact of this vulnerability.</P><P>&nbsp;</P><P>Attacked libraries and versions are used in some of our products, however this is not the only condition to met.</P><P>&nbsp;</P><P>We sill provide an official communication later this week, but it looks like the impact will be very low or none at all.</P><P>&nbsp;</P><P>Regards</P> Mon, 04 Apr 2022 14:34:21 GMT angel-borroy 2022-04-04T14:34:21Z https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419479#M39341 <P>Is Hyland able to provide any information on whether ACS, APS or any related product are impacted by the "Spring4Shell" Spring Framework RCE vulnerability?<BR /><BR />Announcement from Spring : <A href="https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement" target="_self">https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</A> </P><P>&nbsp;</P><P>Many thanks in advance for your feedback</P><P>&nbsp;</P><P>Regards !</P> Mon, 04 Apr 2022 14:27:00 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419479#M39341 mne 2022-04-04T14:27:00Z https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419480#M39342 <P>Hi, Mickael.</P><P>&nbsp;</P><P>We're still evaluating detailed impact of this vulnerability.</P><P>&nbsp;</P><P>Attacked libraries and versions are used in some of our products, however this is not the only condition to met.</P><P>&nbsp;</P><P>We sill provide an official communication later this week, but it looks like the impact will be very low or none at all.</P><P>&nbsp;</P><P>Regards</P> Mon, 04 Apr 2022 14:34:21 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419480#M39342 angel-borroy 2022-04-04T14:34:21Z https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419481#M39343 <P>Hi Angel,</P><P>&nbsp;</P><P>Do you have any recommendations/updates concerning this issue ?</P><P>&nbsp;</P><P>Best regards,</P><P>&nbsp;</P><P>&nbsp;</P><P>Marie Magnier.</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 28 Sep 2022 08:35:29 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419481#M39343 AlfSup 2022-09-28T08:35:29Z https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419482#M39344 <P>@Atol Support Team:<BR /><BR />The official Information can be found here:</P> <P><A id="LPlnk288395" href="https://community.hyland.com/connect/hyland-research-and-development/security-advisories/spring-framework-remote-code-execution/products--systems/not-impacted" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable" data-safelink="true" data-linkindex="0" data-ogsc=""></A><BR /><STRONG>Alfresco Process Services (APS) is impacted from&nbsp; "Spring4Shell"</STRONG></P> <P>--&gt; Upgrade to at least APS version 2.3.1</P> <P>&nbsp;</P> <P><STRONG>Alfresco Content Services (ACS) is NOT impacted from "Spring4Shell" in its default configuration.</STRONG></P> <P>--&gt; I fixed the security issue at the customer by upgrading the Tomcat version and can recommend to do so as well.<BR aria-hidden="true" />See:&nbsp;<A id="LPlnk690883" href="https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement" target="_blank" rel="noopener noreferrer" data-auth="NotApplicable" data-safelink="true" data-linkindex="1" data-ogsc="">https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement</A></P> <DIV data-ogsc="black" data-ogsb="white"> <DIV>&nbsp;</DIV> With Apache Tomcat versions 10.0.20, 9.0.62 and 8.5.78, the WebappClassLoaderBase.getResources() method has been disabled. This prevents attacks via the Spring4Shell vulnerability and secures Alfresco Content Services against this exploit.</DIV> <DIV data-ogsc="black" data-ogsb="white"> <P aria-hidden="true" data-ogsc="rgb(26, 26, 26)" data-ogsb="white">&nbsp;</P> <P data-ogsc="rgb(26, 26, 26)" data-ogsb="white">More information:<BR aria-hidden="true" /><A href="https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(market)&nbsp;" target="test_blank">https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(market)&nbsp;</A>;<BR aria-hidden="true" /><A href="https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm)&nbsp;" target="test_blank">https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm)&nbsp;</A>;<BR aria-hidden="true" /><A href="https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(market)" target="test_blank">https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(market)</A></P> </DIV> <DIV data-ogsc="black" data-ogsb="white">To check your installed tomcat version:</DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white"><CODE>/content-services/tomcat/bin$ ./version.sh &nbsp;| grep version</CODE></DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white"><STRONG>Additional hint&nbsp;</STRONG></DIV> <DIV data-ogsc="black" data-ogsb="white">In case you've modified Tomcat to use Log4j2 instead of Apache Commons Logging, for a unifom logging format, I can highly recommend to upgrade the log4j2 library &gt; 17.2 to prevent "<STRONG>Log4Shell</STRONG>" security exploit as well!</DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white">Additional information to "Log4Shell" from Alfresco</DIV> <DIV data-ogsc="black" data-ogsb="white"><A href="https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-security-advisory/ba-p/310717" target="_self">https://hub.alfresco.com/t5/alfresco-content-services-blog/cve-2021-44228-related-to-apache-log4j-security-advisory/ba-p/310717</A></DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white">best regards</DIV> <DIV data-ogsc="black" data-ogsb="white">&nbsp;</DIV> <DIV data-ogsc="black" data-ogsb="white">Alex</DIV> Fri, 11 Apr 2025 21:56:44 GMT https://connect.hyland.com/t5/alfresco-forum/alfresco-content-services-alfresco-process-services-information/m-p/419482#M39344 aitseitz 2025-04-11T21:56:44Z