09-15-2020 12:55 PM
Hi all - we have received 6 Security Vulnerability Reports via the Full Disclosure vulnerability mailing list. These include:
DLL Hijacking
Path Traversal
Unity Client Malformed Image Denial Of Service
Hardcoded PKI Certificates And AES Key Material
Log Injection And Denial Of Service
Insufficient Authorization
I have reached out to support to identify any steps we can take to evaluate the severity of these vulnerabilities in our environment and mitigate them, but has anyone here on the Community also looked at these reported vulnerabilities and have any further information?
Thank you,
Ken Piper
09-24-2020 05:31 AM
Thank you for sharing this information.
09-25-2020 11:12 AM
Just stumbled upon this thread. I assume these are the claims of vulnerability being referred to in the blog post:
https://packetstormsecurity.com/files/author/15117/
09-28-2020 06:07 PM
Our security team notified me today of this vulnerability. We have spent the day investigating our risk to determine mitigation, and we are on high watch for any additional threats as a result of this. Leadership in our organization has this in plain view and would like to know more about the rebutted allegations and how Hyland will actually respond. From their perspective the current responses are stock for this type of situation, and they are looking for more confirmation of purposeful action that is being taken.
There are additional matters of discussion that are better suited offline for our particular situation. I would ask that you or a senior member of your technology team reach out to me at sherid@stcu.org to coordinate a call.
We do appreciate the attention and care that Hyland gives to ensure the security of their customers and those that they serve. With that, Hyland can appreciate all of our concerns with this matter and the impact to our deployed solutions. I look forward to a prompt reach-out.
Best,
Sheri D.
09-29-2020 07:21 AM
Thank you for your post, Sam. Yes, our internal review is still in progress, and we have a third party currently conducting a penetration test on these items. We will communicate updates via our standard security bulletin processes disseminated to customer contacts as we learn more. Please follow the R&D Blog here for additional updates: https://community.hyland.com/blog/posts/75935-recent-posts-regarding-alleged-onbase-vulnerabilities
10-02-2020 02:33 PM
Hi Sheri,
I appreciate you reaching out here on Community and I'm glad we got to have a conversation with you and your team today. I had a number of great conversations all week with customers and talking with your team was a nice close to my week.
Have a great weekend!
--sam