
Alfresco Content Services & Alfresco Process Services : Information on "Spring4Shell" Spring Framework RCE vulnerability?

mne
Confirmed Champ

Is Hyland able to provide any information on whether ACS, APS or any related product are impacted by the "Spring4Shell" Spring Framework RCE vulnerability?

Announcement from Spring : https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

 

Many thanks in advance for your feedback

 

Regards !

2 ACCEPTED ANSWERS

angel-borroy
Employee

Hi, Mickael.

We're still evaluating the detailed impact of this vulnerability.

Attacked libraries and versions are used in some of our products, however this is not the only condition to be met.

We will provide an official communication later this week, but it looks like the impact will be very low or none at all.

Regards


aitseitz
Confirmed Champ

@Atol Support Team:

The official information can be found here:

https://community.hyland.com/connect/hyland-research-and-development/security-advisories/spring-fram...

and

https://community.hyland.com/connect/hyland-research-and-development/security-advisories/spring-fram...

Alfresco Process Services (APS) is impacted by "Spring4Shell"

--> Upgrade to at least APS version 2.3.1

Alfresco Content Services (ACS) is NOT impacted by "Spring4Shell" in its default configuration.

--> I fixed the security issue at the customer by upgrading the Tomcat version and can recommend doing so as well. See: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

With Apache Tomcat versions 10.0.20, 9.0.62 and 8.5.78, the WebappClassLoaderBase.getResources() method has been disabled. This prevents attacks via the Spring4Shell vulnerability and secures Alfresco Content Services against this exploit.

To check your installed Tomcat version:

/content-services/tomcat/bin$ ./version.sh | grep version

Additional hint
In case you've modified Tomcat to use Log4j2 instead of Apache Commons Logging, for a uniform logging format, I can highly recommend upgrading the log4j2 library > 17.2 to prevent the "Log4Shell" security exploit as well!

Additional information on "Log4Shell" from Alfresco

Best regards

Alex

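As an added example (not code from the thread, from Alfresco or from Hyland), a POSIX shell check that applies the Tomcat version test from the answer above: it parses the output of `tomcat/bin/version.sh`, works out the installed branch, and compares the release against the patched versions the answer names (10.0.20, 9.0.62, 8.5.78), reporting any other branch as unknown rather than guessing. The `version.sh` output used below is constructed, not captured from a real host.

```shell
#!/bin/sh
# Decide whether an installed Tomcat already carries the Spring4Shell hardening
# the answer relies on. Patched releases per branch are those named in the answer.

# Minimum patched release for a major.minor branch; fails for branches not covered.
min_fixed_for_branch() {
    case "$1" in
        10.0) echo 10.0.20 ;;
        9.0)  echo 9.0.62 ;;
        8.5)  echo 8.5.78 ;;
        *)    return 1 ;;
    esac
}

# Extract "x.y.z" from the "Server version: Apache Tomcat/x.y.z" line of version.sh output.
tomcat_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^Server version:[[:space:]]*Apache Tomcat\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Numeric comparison of dotted versions (no GNU `sort -V` dependency); returns 0 when $1 >= $2.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(printf '%s\n' "$1" | cut -d. -f"$i"); b=$(printf '%s\n' "$2" | cut -d. -f"$i")
        [ "${a:-0}" -gt "${b:-0}" ] && return 0
        [ "${a:-0}" -lt "${b:-0}" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# Verdict for one version.sh output: prints patched, vulnerable or unknown.
# "unknown" covers unparsable output and branches the answer does not list.
spring4shell_tomcat_status() {
    ver=$(tomcat_version_from_output "$1")
    [ -n "$ver" ] || { echo unknown; return 0; }
    fixed=$(min_fixed_for_branch "${ver%.*}") || { echo unknown; return 0; }
    if version_ge "$ver" "$fixed"; then echo patched; else echo vulnerable; fi
}

# Constructed version.sh output (abbreviated; not from a real installation).
SAMPLE_OLD='Using CATALINA_BASE:   /opt/alfresco/content-services/tomcat
Server version: Apache Tomcat/9.0.58
Server number:  9.0.58.0'
SAMPLE_NEW='Server version: Apache Tomcat/9.0.62
Server number:  9.0.62.0'

# On a real host, run from the directory the answer names:
#   cd /content-services/tomcat/bin && spring4shell_tomcat_status "$(./version.sh)"
printf '9.0.58 -> %s\n' "$(spring4shell_tomcat_status "$SAMPLE_OLD")"   # vulnerable
printf '9.0.62 -> %s\n' "$(spring4shell_tomcat_status "$SAMPLE_NEW")"   # patched
```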

3 REPLIES


AlfSup
Confirmed Champ

Hi Angel,

Do you have any recommendations/updates concerning this issue?

Best regards,

Marie Magnier.
