Adaptive Security Vulnerabilities from fulldisclosure sec mailing list?

Ken_Piper
Star Contributor

Hi all - we have received 6 security vulnerability reports via the Full Disclosure vulnerability mailing list. These include:

DLL Hijacking
Path Traversal
Unity Client Malformed Image Denial Of Service
Hardcoded PKI Certificates And AES Key Material
Log Injection And Denial Of Service
Insufficient Authorization

I have reached out to support to identify any steps we can take to evaluate the severity of these vulnerabilities in our environment and mitigate them, but has anyone here on Community also looked at these reported vulnerabilities and have any further information?

Thank you,

Ken Piper
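One of the classes listed above, hardcoded PKI certificates and AES key material, is something a customer can look for in their own deployment before a vendor bulletin arrives. The scanner below is an added example written for this thread; it is not Hyland or OnBase code and is not derived from the mailing-list reports. It flags PEM blocks by their markers and base64 tokens that decode to 16, 24 or 32 bytes with high byte entropy (the AES key sizes). The file suffix list, the entropy threshold and the SAMPLE_CONFIG input are all constructed assumptions for illustration.

```python
import base64
import math
import re
from pathlib import Path

# PEM blocks: certificates, private keys, etc. The label is captured so a
# finding says what kind of object was embedded.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----.*?-----END (?P=label)-----", re.DOTALL
)
# Base64 tokens long enough to hold a 16-, 24- or 32-byte key
# (22, 32 and 43 characters respectively, plus padding).
B64_RE = re.compile(rb"[A-Za-z0-9+/]{22,}={0,2}")
AES_KEY_LENGTHS = {16, 24, 32}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte. A random 16-byte key scores near 4.0, a 32-byte key near 5.0."""
    if not data:
        return 0.0
    n = len(data)
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def _scan_view(data: bytes, min_entropy: float) -> list:
    findings = []
    pem_spans = []
    for m in PEM_RE.finditer(data):
        pem_spans.append((m.start(), m.end()))
        findings.append({"kind": "pem", "label": m.group("label").decode(), "token": m.group(0)})
    for m in B64_RE.finditer(data):
        if any(s <= m.start() < e for s, e in pem_spans):
            continue  # base64 lines inside a PEM body are already reported
        token = m.group(0)
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:  # wrong length or padding: not a base64 blob
            continue
        if len(raw) in AES_KEY_LENGTHS and shannon_entropy(raw) >= min_entropy:
            findings.append({"kind": "aes_key_candidate", "bytes": len(raw), "token": token})
    return findings


def find_embedded_key_material(data: bytes, min_entropy: float = 3.0) -> list:
    """Scan the raw bytes and, if the file contains NUL bytes (UTF-16 strings,
    as in a .NET assembly's string heap), a second view with NULs removed."""
    findings = _scan_view(data, min_entropy)
    if b"\x00" in data:
        seen = {(f["kind"], f["token"]) for f in findings}
        for f in _scan_view(data.replace(b"\x00", b""), min_entropy):
            if (f["kind"], f["token"]) not in seen:
                findings.append(f)
    return findings


def scan_tree(root, suffixes=(".config", ".xml", ".json", ".dll", ".exe")) -> dict:
    """Walk an install directory (suffix list is an assumption) and report per-file findings."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            found = find_embedded_key_material(path.read_bytes())
            if found:
                report[str(path)] = found
    return report


# Constructed sample, not taken from any real product: a fake config carrying a
# PEM certificate stub and a base64-encoded 16-byte "key" (the bytes 0..15).
SAMPLE_CONFIG = (
    b'<add key="ServiceCert" value="-----BEGIN CERTIFICATE-----\n'
    b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"
    b'-----END CERTIFICATE-----" />\n'
    b'<add key="CacheKey" value="' + base64.b64encode(bytes(range(16))) + b'" />\n'
    b'<add key="Build" value="ProductBuildNumberPlaceholder" />\n'
)
# Constructed sample of a UTF-16LE string such as a .NET user string containing a 32-byte key.
SAMPLE_UTF16 = ("key=" + base64.b64encode(bytes(range(32))).decode()).encode("utf-16-le")

if __name__ == "__main__":
    for f in find_embedded_key_material(SAMPLE_CONFIG):
        print(f["kind"], f.get("label") or f.get("bytes"))
```

Candidates still need review: any 32-character run of ordinary text also decodes to 24 fairly random-looking bytes, so expect some false positives, and a hit only shows that key material is present in a file, not how it is used or whether it is the same across installations.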

10 REPLIES

Jerry_Lorentzen
Champ in-the-making

Thank you for sharing this information.

Sam_Walker
Confirmed Champ

Just stumbled upon this thread. I assume these are the claims of vulnerability being referred to in the blog post:

https://packetstormsecurity.com/files/author/15117/

@John Phelan Can we safely assume that Hyland's security review, referred to in your blog post, is still in progress, and will be releasing patches to fix these vulnerabilities, if they are confirmed? Is this the thread we should follow to stay up to date on that process?

Sheri_Deist
Star Contributor

@John Phelan 

Our security team notified me today of this vulnerability. We have spent the day investigating our risk to determine mitigation and we are on high watch for any additional threats as a result of this. Leadership in our organization has this in plain view and would like to know more about the rebutted allegations and how Hyland will actually respond. From their perspective the current responses are stock for this type of situation and they are looking for more confirmation of purposeful action that is being taken.

There are additional matters of discussion that are better suited off line for our particular situation. I would ask that you or a senior member of your technology team reach out to me at sherid@stcu.org to coordinate a call.

We do appreciate the attention and care that Hyland gives to ensure the security of their customers and those that they serve. With that, Hyland can appreciate all of our concerns with this matter and the impact to our deployed solutions. I look forward to a prompt reach out.

Best,

Sheri D.

John_Phelan
Confirmed Champ

@Sam Walker

Thank you for your post, Sam. Yes, our internal review is still in progress, and we have a third-party currently conducting a penetration test on these items. We will communicate updates via our standard security bulletin processes disseminated to customer contacts as we learn more. Please follow the R&D Blog here for additional updates: https://community.hyland.com/blog/posts/75935-recent-posts-regarding-alleged-onbase-vulnerabilities

Sam_Babic
Star Collaborator

@Sheri Deist 

Hi Sheri,

I appreciate you reaching out here on Community and I'm glad we got to have a conversation with you and your team today. I had a number of great conversations all week with customers and talking with your team was a nice close to my week.

Have a great weekend!

--sam
