06-22-2023 05:24 AM
Hi,
We have found a vulnerability in the Community - 7.3.0 version of Alfresco.
No information about this is available on the Internet... How can we contact you to provide the information?
Thanks a lot!
06-22-2023 07:59 AM
Hyland is not accepting vulnerability reports from Community.
So feel free to find your way to register and disclose the problem you found.
Thanks!
06-22-2023 08:54 AM
Hello @angelborroy,
We're talking here of multiple vulnerabilities on the latest downloadable version in the core Alfresco ACS libraries. Those vulnerabilities are identified in the NIST database for months.
One of them is identified with a 9.8 CVSS score.
Disclosing the vulnerabilities here would potentially expose millions of users if that is revealed to be correct, including our customers.
We urge you to take this request seriously; open source and community software versions should not be a barrier to safety.
Thank you in advance.
06-22-2023 09:12 AM
Hello, your post title is about Alfresco 7.X, but in your post copy, you are speaking only about 7.3.
Could you please test with version 7.4 and check if this is solved already?
06-22-2023 09:29 AM
Hello @jleman
Alfresco Community is patching vulnerabilities regularly.
For instance, check this comparison between 7.3 and 7.4
~ $ docker scout cves --details --only-fixed --only-severity critical \
    alfresco/alfresco-content-repository-community:7.3.0
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 645 packages
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

   1C     0H     0M     0L  cxf-core 3.5.3
pkg:maven/org.apache.cxf/cxf-core@3.5.3

    ✗ CRITICAL CVE-2022-46364 [Server-Side Request Forgery (SSRF)]
      https://dso.docker.com/cve/CVE-2022-46364
      A SSRF vulnerability in parsing the href attribute of XOP:Include in MTOM requests in versions of Apache CXF before 3.5.5 and 3.4.10 allows an attacker to perform SSRF style attacks on webservices that take at least one parameter of any type.
      Affected range : >=3.5.0
                     : <3.5.5
      Fixed version  : 3.5.5
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

   1C     0H     0M     0L  snakeyaml 1.32
pkg:maven/org.yaml/snakeyaml@1.32

    ✗ CRITICAL CVE-2022-1471 [Deserialization of Untrusted Data]
      https://dso.docker.com/cve/CVE-2022-1471
      SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
      Affected range : <=1.33
      Fixed version  : 2.0
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

2 vulnerabilities found in 2 packages
  LOW       0
  MEDIUM    0
  HIGH      0
  CRITICAL  2

~ $ docker scout cves --details --only-fixed --only-severity critical \
    alfresco/alfresco-content-repository-community:7.4.0
    ✓ Provenance obtained from attestation
    ✓ Pulled
    ✓ Image stored for indexing
    ✓ Indexed 647 packages
    ✓ No vulnerable package detected
When using the Enterprise version, these security fixes are also applied as minor releases. Additionally, as a customer, you can request a patch if one of the vulnerabilities is affecting your deployment. This is one of the main differences between Community and Enterprise.
Additionally, as you said, this is Open Source and Community supported. So I encourage you to apply required security patches to Alfresco Community and to share your findings with others.
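The comparison above is easier to keep doing on every release if the scanner output is parsed rather than read by eye. The following script is an added example for this thread, not Alfresco's or Docker's own code: it parses the text layout of `docker scout cves --details` as shown above (package header, `✗ SEVERITY CVE-ID [title]` line, then `Key : value` detail lines), diffs two scans to list which CVEs were fixed, remain or were introduced, and applies a CI-style gate on CVSS score. The two sample scans are constructed from the findings quoted above and are embedded inline so it runs offline.

```python
"""Parse `docker scout cves --details` text output and compare two image scans.

Added example (not Alfresco's or Docker's code). Assumes the block-per-CVE
layout shown in the thread: a "pkg:maven/<group>/<artifact>@<version>" header,
a "✗ SEVERITY CVE-YYYY-NNNN [...]" line, then "Fixed version : x" and
"CVSS Score : y" detail lines.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    package: str        # e.g. "org.apache.cxf/cxf-core"
    version: str        # version found in the image
    cve: str
    severity: str
    score: float        # CVSS base score, 0.0 if absent
    fixed_version: str  # "" if the scanner reported no fixed version


PKG_RE = re.compile(r"^pkg:maven/([^@\s]+)@(\S+)")
CVE_RE = re.compile(r"^\s*✗\s+(CRITICAL|HIGH|MEDIUM|LOW)\s+(CVE-\d{4}-\d+)")
DETAIL_RE = re.compile(r"^\s*(Fixed version|CVSS Score)\s*:\s*(\S+)")

# Constructed sample mirroring the 7.3.0 findings quoted in the thread
# (descriptions dropped; only the layout matters to the parser).
SCAN_7_3_0 = """\
    ✓ Indexed 645 packages
    ✗ Detected 2 vulnerable packages with a total of 2 vulnerabilities

   1C     0H     0M     0L  cxf-core 3.5.3
pkg:maven/org.apache.cxf/cxf-core@3.5.3

    ✗ CRITICAL CVE-2022-46364 [Server-Side Request Forgery (SSRF)]
      https://dso.docker.com/cve/CVE-2022-46364
      Affected range : >=3.5.0
                     : <3.5.5
      Fixed version  : 3.5.5
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

   1C     0H     0M     0L  snakeyaml 1.32
pkg:maven/org.yaml/snakeyaml@1.32

    ✗ CRITICAL CVE-2022-1471 [Deserialization of Untrusted Data]
      https://dso.docker.com/cve/CVE-2022-1471
      Affected range : <=1.33
      Fixed version  : 2.0
      CVSS Score     : 9.8
      CVSS Vector    : CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
"""

# Constructed sample mirroring the clean 7.4.0 scan quoted in the thread.
SCAN_7_4_0 = """\
    ✓ Indexed 647 packages
    ✓ No vulnerable package detected
"""


def parse_scout(text: str) -> list[Finding]:
    """Extract one Finding per CVE block from docker scout text output."""
    findings: list[Finding] = []
    pkg = ver = None
    cur: dict | None = None
    for line in text.splitlines():
        m = PKG_RE.match(line.strip())
        if m:  # new package header: remember the coordinates for following CVEs
            pkg, ver = m.group(1), m.group(2)
            continue
        m = CVE_RE.match(line)
        if m:  # new CVE block: flush the previous one
            if cur:
                findings.append(Finding(**cur))
            cur = {"package": pkg or "", "version": ver or "", "cve": m.group(2),
                   "severity": m.group(1), "score": 0.0, "fixed_version": ""}
            continue
        m = DETAIL_RE.match(line)
        if m and cur is not None:
            key, val = m.groups()
            if key == "CVSS Score":
                cur["score"] = float(val)
            else:
                cur["fixed_version"] = val
    if cur:
        findings.append(Finding(**cur))
    return findings


def compare(before_text: str, after_text: str) -> dict[str, list[str]]:
    """Diff two scans by CVE id (a CVE hitting two packages counts once)."""
    before = {f.cve for f in parse_scout(before_text)}
    after = {f.cve for f in parse_scout(after_text)}
    return {"fixed": sorted(before - after),
            "remaining": sorted(before & after),
            "introduced": sorted(after - before)}


def gate(findings: list[Finding], min_score: float = 9.0) -> list[str]:
    """CI gate: CVEs at or above min_score for which an upgrade already exists."""
    return sorted(f.cve for f in findings if f.score >= min_score and f.fixed_version)


if __name__ == "__main__":
    print(compare(SCAN_7_3_0, SCAN_7_4_0))
    print("gate 7.3.0:", gate(parse_scout(SCAN_7_3_0)))
    print("gate 7.4.0:", gate(parse_scout(SCAN_7_4_0)))
```

In practice you would feed `parse_scout` the captured stdout of the two `docker scout cves --details` runs shown above; `gate` returning a non-empty list is the condition to fail a build, since every CVE it lists already has a fixed version available.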
06-22-2023 09:50 AM
Thank you for this way more professional answer.
So even if this is not part of your comparison, the vulnerability, which is CVE-2022-31692, has been resolved in ACS 7.4.1, which I downloaded from this release note. We will check the other ones.
But your community public download link still redirects to the 7.3 version, which is still affected: https://www.alfresco.com/thank-you/thank-you-downloading-alfresco-community-edition
That's where the confusion comes from; I am also worried not to find any blog post about a 9.8 vulnerability inside the ACS core.
I have the feeling that this vulnerability is fixed because you needed to update the library for this feature:
.. and not to fix the vulnerability. Am I wrong?
Thank you in advance for your answer; it is important to us to know that we can rely on your security monitoring, at least for the highest issues in ACS core, even in the community version.
For ourselves we will update ASAP.
06-22-2023 11:01 AM
Don't forget to read the release notes when a new version is available.
There is a mention when some security issues have been patched and it's important to update.
06-22-2023 11:57 AM
Yes, and that vulnerability is not mentioned in any 7.3 or 7.4 release note; that is actually my point.
06-23-2023 04:42 AM
Please read again:
There is a section about fixed vulnerabilities.
08-01-2023 09:11 AM
Yes, I read again and there is no mention of CVE-2022-31692.
So as I said in my previous message:
I have the feeling that this vulnerability is fixed because you needed to update the library for this feature:
.. and not to fix the vulnerability. Am I wrong?
Anyway we will continue to monitor closely the security components to see if that happens again.
More dangerous: the official Community Download Web Page still redirects to v7.3 (I mean the 1st page in Google when you type "alfresco download community"), which is compromised by this 9.8 CVSS vulnerability, disclosed on 10/31/2022.
You really need to take actions fast, this is going political now.
Thank you in advance !
cc. @ttoine