Hyland Community
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Your workflows broke after upgrading Alfresco?

angelborroy
Community Manager Community Manager
Community Manager
‎06-18-2025 05:57 AM

When Hyland plugged MNT-21638, a remote-code-execution hole in the Activiti script task, the patch shipped in ACS 7.3.0 quietly changed the execution sandbox. Workflows deployed from inside the repository (via Share, Admin > Workflow Console or a simple file upload) lost direct access to Java and now throw the exception:

ScriptException ... ReferenceError: "java" is not defined

Later versions (from 7.3.1 to 23.4.x) even blocked some task-listener scripts because of a follow-on bug tracked in MNT-24913

Below is the fastest way to decide whether you’re affected and the resolution path that works for every known cause.

Am I affected?

Affected versions: 7.3 to 23.4.x

Deployment methods affected:

  • Deployed with Admin > Workflow Console
  • Dropped in Data Dictionary folder

Database flag:

SELECT category FROM act_re_deployment

returns Null/empty (it must return http://alfresco.org/workflows/fullAccess)

Why the DB check? The MNT-24913 fix simply falls back to that category flag when the Activiti execution context isn’t yet available. So if the flag is missing, your script will stay locked down even after upgrading.

The one-stop fix

Package every workflow as a class-path deployment and give it the fullAccess category.

Do not waste time poking Rhino or reverting patches, this is the only approach blessed by Engineering and it keeps you secure from the original RCE.

Here’s the minimal setup:

1. Place files on the classpath

$CATALINA_BASE/shared/classes/alfresco/extension/
├── myProcess.bpmn20.xml
└── myProcess-context.xml

2. Skeleton Spring context

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE beans PUBLIC "-//SPRING//DTD BEAN//EN"
"http://www.springframework.org/dtd/spring-beans.dtd">
<beans>
  <bean id="my.workflowBootstrap" parent="workflowDeployer">
    <property name="workflowDefinitions">
      <list>
        <props>
          <prop key="engineId">activiti</prop>
          <prop key="location">alfresco/extension/myProcess.bpmn20.xml</prop>
          <prop key="mimetype">text/xml</prop>
          <prop key="redeploy">false</prop>
        </props>
      </list>
    </property>
  </bean>
</beans>

Mounting or copying these two files into the container gives the process full Java access again.

3. Verify

SELECT category
FROM act_re_deployment
WHERE name_ = 'myProcess.bpmn20.xml';

It should return http://alfresco.org/workflows/fullAccess

If the row is missing, restart ACS; the bootstrapper sets it on startup.

Version-specific edge cases

  • Still on < 7.3 (unpatched RCE): Jump straight to 25.1 or the latest LTS
  • Working with 7.3 to 23.4.x and DB flag present but task-listener scripts fail: Apply the hot-fix for MNT-24913 (available for 23.3.5) or upgrade to ACS 25.1+ where the fallback logic is merged
  • Need a quick test: Run a dummy script task "logger.log(java.lang.System.getProperty('java.version'))". If it executes, you’re good

Take-aways for dev teams

1. Bundle BPMN + context in your build pipeline; treat workflows like code, not content.
2. Smoke-test upgrades with a script task that calls a harmless Java class, you’ll catch sandbox regressions instantly.
3. Monitor "act_re_deployment.category", a missing flag means someone bypassed the standard deploy path.
4. Stay current: the patch cadence is steady, and Hyland no longer back-ports most script-engine fixes beyond the current LTS.

2 Comments
Overwerkt
Confirmed Champ
Confirmed Champ
‎07-21-2025 04:16 PM
‎07-21-2025 04:16 PM

Hello Angel,

Can you point me in the right direction.  I am an Alfresco Administrator (for the application, not the server) at the state government agency I work for. I am trying to access the information you referenced in your excellent Alfresco blog:   MNT-21638, and    MNT-24913 .  Whenever I try to access this type of info, including when it's referenced in Alfresco Release Notes in various places, I get to the login page of Atlassian. It tells me I have an account, but no matter what I try, it then says I don't have access to Jira on hyland.atlassian.net.  Who do I contact to get a read only account in Atlassian so that I can look at JIRA info that is referenced in technical documentation?

It's really frustrating not to have access to this type of information.  I used to have it before Hyland acquired Alfresco. That was 5 years ago.  During this time, I tried contacting my Hyland Account Manager who just said she had no idea. I then opened a support case -- something that I have done twice. The support techs have said they couldn't help me and that they themselves don't have the access to be able to do so.

When I see information referenced and hyperlinked in a technical article or blog on a customer portal, I expect to be able to access it and read it.

I hope there is a simple solution.  I'll appreciate any direction you can provide.

-Cindy Coffin




ttoine
Community Manager Community Manager
Community Manager
‎08-04-2025 10:43 AM
‎08-04-2025 10:43 AM

Hello Cindy,

I took your answer and spoke about it inside Hyland.

To add weight on this request, could you please also write a feedback about that?
community.hyland.com/help-ticket

PM like to have direct feedback from users and customers.

0 Kudos
Copyright © 2025 Khoros, LLC