
Adaptive Security Vulnerabilities from fulldisclosure sec mailing list?

Ken_Piper
Star Contributor

Hi all - we have received 6 Security Vulnerability Reports via the FullDisclosure Vulnerability mailing list. These include:

DLL Hijacking
Path Traversal
Unity Client Malformed Image Denial Of Service
Hardcoded PKI Certificates And AES Key Material
Log Injection And Denial Of Service
Insufficient Authorization

I have reached out to support to identify any steps we can take to evaluate the severity of these vulnerabilities in our environment, and mitigate them, but has anyone here on the community also looked at these reported vulnerabilities, and does anyone have any further information?

Thank you,

Ken Piper

 

10 REPLIES

Nick_McElheny
Elite Collaborator

Has anyone heard any official updates from Hyland since the mid-December blog post? The latest blog entry from the link above mentions these security issues being addressed and made generally available as a new EP3 build in early January, but there have been no updates since. We're running 20.3.16 currently. The posted build as of today is 20.3.19 (with 20.3.20 listed, but not yet posted), however the delta report release notes only show a single fix to the Hyland IdP performance between our current build and the posted one. I'm unsure if the newer build that's posted out there now contains any relevant security fixes and would be worth upgrading to. We're wanting to wait for a generally made build to be available and avoid anything in preview as we've run into so many issues with every upgrade, but I'm unclear on the timeline on this one.

 

Thanks,

Nick

EDIT - Thanks for posting the update with the new timeline.
