
Alfresco vulnerability - how to fix the problem ?

benjamindupont
Champ in-the-making
Hi,
I'm currently using Alfresco CE 4.2.f, and I saw there is a vulnerability on this version:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9300
http://seclists.org/bugtraq/2014/Jul/72
My data are sensitive, and I want to prevent a disclosure. Do you have an idea how to fix or avoid this problem?

According to this article, the proxy servlet is concerned by this vulnerability. Is it possible to disable this function? If yes, do you know how? If not, what can you advise?

For information, moving to the latest Alfresco 5.0 version is not an option.

Thanks!

Best regards

afaust
Legendary Innovator
Hello,

there is no official support for any Alfresco Community Edition release. There also won't usually be any security releases for a Community Edition release if a newer version is already available, and even without a newer version it is solely at the discretion of Alfresco. If moving to Alfresco 5.0 is not an option, then you can either try to merge any related fixes from 5.0 to your 4.2.f yourself, contact a 3rd party service provider that provides fixes / patches for Community Edition (i.e. Loftux) or switch to a paid Alfresco Enterprise subscription (Alfresco has provided hot-fix versions for such security vulnerabilities).

The proxy servlet can technically be disabled, but if you were to do this, then the entire Share web application would no longer work, so this is not an option from a "usability" point of view.

Regards
Axel

benjamindupont
Champ in-the-making
Hello,
Thanks for your reply about the solutions, Axel. And for my information, could you explain how it is possible to disable the proxy servlet?
Regards
Ben

benjamindupont
Champ in-the-making
By the way, to avoid the CMIS vulnerability (SSRF Proof of concept 2), do you know if there is a way to disable the CMIS access? I can't find anything on this subject…
Thanks.

afaust
Legendary Innovator
Hello,

to disable the proxy controller you'd need to create a custom-slingshot-application-context.xml in the /web-extension/ directory and in that file override the webframeworkHandlerMappings bean so that it does not include a mapping for /proxy/** (see the default config at https://github.com/Alfresco/share/blob/bd807c91971c9ccdb196dbe09171c231d286fb29/share/src/main/resou... for reference). Again, I advise against it, since Share will stop working correctly / at all if you do disable it.

Regards
Axel

Thanks again for your quick response and advice, Axel.

I have a last question: to avoid the CMIS vulnerability (SSRF Proof of concept 2), do you know if there is a way to disable the CMIS access? I can't find anything on this subject…

Best regards

afaust
Legendary Innovator
For the CMIS vulnerability you'd need to provide a modified web.xml in the /webapps/alfresco/WEB-INF directory which comments out / removes the /cmisbrowser servlet mapping. Note that there may be multiple mappings: one with CMISFileShareServlet and one called cmisbrowser. As far as I understand, the CMISFileShareServlet is the one affected by the advisory, not the cmisbrowser one. If you disable cmisbrowser you close up the only interface to use CMIS 1.1 with Alfresco 4.2.
I don't know why CMISFileShareServlet was ever included; I could not see a valid use case for it in production systems.
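The reply above recommends editing web.xml to take a servlet mapping out of service, and the follow-up in this thread shows how easy it is to be unsure whether the edit took effect. The script below is an added example (not Alfresco code and not part of the original thread): it audits a web.xml the way the servlet container sees it, removes the `<servlet>` and `<servlet-mapping>` entries for the servlets named in the thread, and reports any servlet that is still declared but no longer reachable. The sample web.xml is constructed for this example; the servlet class names and the url-patterns (including `/cmisfs/*`) are placeholders, not Alfresco's real values. Only the servlet names `cmisbrowser` and `CMISFileShareServlet` come from the thread.

```python
"""Audit and harden servlet mappings in a Java EE web.xml.

Added example. Assumptions: the sample document is constructed; the
servlet-class values and url-patterns are placeholders, not Alfresco's.
"""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
ET.register_namespace("", JAVAEE_NS)  # keep the default namespace when serialising

# Mapping block kept separately so a "commented out" variant can be built from it.
FILESHARE_MAPPING = """  <servlet-mapping>
    <servlet-name>CMISFileShareServlet</servlet-name>
    <url-pattern>/cmisfs/*</url-pattern>
  </servlet-mapping>"""

# Constructed sample web.xml (placeholder classes and patterns, not the real file).
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>cmisbrowser</servlet-name>
    <servlet-class>example.BrowserBindingServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cmisbrowser</servlet-name>
    <url-pattern>/cmisbrowser/*</url-pattern>
  </servlet-mapping>
  <servlet>
    <servlet-name>CMISFileShareServlet</servlet-name>
    <servlet-class>example.FileShareServlet</servlet-class>
  </servlet>
""" + FILESHARE_MAPPING + """
  <servlet>
    <servlet-name>apiServlet</servlet-name>
    <servlet-class>example.ApiServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>apiServlet</servlet-name>
    <url-pattern>/api/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Variant where only the mapping was commented out and the <servlet> left in place.
COMMENTED_OUT = SAMPLE_WEB_XML.replace(FILESHARE_MAPPING, "<!--\n" + FILESHARE_MAPPING + "\n-->")


def _local(tag):
    """Strip the XML namespace from a tag: '{ns}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first child whose local name is `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def active_mappings(xml_text):
    """Return {servlet-name: [url-pattern, ...]} for every live <servlet-mapping>.

    The XML parser discards comments, so a mapping that was commented out in
    the file is simply absent here, which is exactly the container's view.
    """
    root = ET.fromstring(xml_text)
    mappings = {}
    for elem in root:
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = _child_text(elem, "servlet-name")
        patterns = [(c.text or "").strip() for c in elem if _local(c.tag) == "url-pattern"]
        mappings.setdefault(name, []).extend(patterns)
    return mappings


def unmapped_servlets(xml_text):
    """Servlets still declared (so still loaded at startup) but with no mapping left."""
    root = ET.fromstring(xml_text)
    declared = {_child_text(e, "servlet-name") for e in root if _local(e.tag) == "servlet"}
    return declared - set(active_mappings(xml_text))


def disable_servlets(xml_text, names):
    """Remove both the <servlet> and <servlet-mapping> elements for the given names."""
    root = ET.fromstring(xml_text)
    for elem in list(root):
        if _local(elem.tag) in ("servlet", "servlet-mapping") and _child_text(elem, "servlet-name") in names:
            root.remove(elem)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("before:", active_mappings(SAMPLE_WEB_XML))
    hardened = disable_servlets(SAMPLE_WEB_XML, {"cmisbrowser", "CMISFileShareServlet"})
    print("after: ", active_mappings(hardened))
    print("declared but unreachable in commented-out variant:", unmapped_servlets(COMMENTED_OUT))
```

Run `active_mappings` against the edited file after a restart fails to show a change: if the name still appears, the edit did not reach the copy Tomcat actually loads. `unmapped_servlets` flags the half-done case where only the mapping was commented out, which leaves the servlet class loaded but unreachable; removing both elements, as the poster below did, is the cleaner state.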

benjamindupont
Champ in-the-making
I directly modified the /tomcat/webapps/alfresco/WEB-INF/web.xml by commenting out the servlet and servlet mapping for cmisbrowser or CMISFileShareServlet, and then both of them. After rebooting Alfresco, it seems there isn't any change (I currently test with a CMIS sync tool)…
Did I miss something?

afaust
Legendary Innovator
It depends on which CMIS protocol variant the CMIS sync tool is using. For normal Alfresco and Share there shouldn't be any noticeable change, only for CMIS clients that used the CMIS browser binding. If the CMIS sync tool is capable of falling back to AtomPub or even SOAP, then the change would be transparent…

yannickb
Champ in-the-making
Hello Axel, and thanks for your answers regarding these issues.
I have to set up an Alfresco server directly on a web server; it will not be part of an intranet. In that case it seems to me the proxy vulnerability does not concern me, since there would not be any other servers or services to discover behind the Alfresco server. Is that correct?
Thanks in advance for your answer.
Yannick