06-22-2023 05:24 AM
Hi,
We have found a vulnerability in the Community - 7.3.0 version of Alfresco.
No information about this is available on the Internet... How can we contact you to provide the information?
Thanks a lot!
08-01-2023 09:57 AM
Hello, you are right, some content has not been updated yet, and I will notify our web team.
That said, most people are currently using the Docker tutorial to start with ACS, and it will download the latest version, 7.4.
09-19-2023 10:39 AM
Hello @ttoine
While the public Alfresco Community Download Page still sends users to the 7.3 version, we have updated our instances to 7.4 and our security monitoring still reports some important CVEs:
__________________________________
CVE : CVE-2023-20860
Publication Date : 27.03.2023
CVSS 3.x Score : 7.5 HIGH
Tenable Output :
Path : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
Installed version : 5.3.23
Fixed version : 5.3.26
__________________________________
CVE : CVE-2023-20861
Publication Date : 23.03.2023
CVSS 3.x Score : 6.5 MEDIUM
Tenable Output :
Path : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
Installed version : 5.3.23
Fixed version : 5.3.26
__________________________________
Thank you in advance for your feedback
Best,
09-19-2023 11:03 AM
Can you provide a detailed path to exploit these vulnerabilities in Alfresco Share 7.4.1.1?
You need to classify reported vulnerabilities according to the risk they represent for your system. If there is no way to exploit a vulnerability in your system, then it's not a risk.
09-20-2023 06:28 AM
@angelborroy ???????
Yes you are right, if Hyland policy is to wait for a public exploit to fix an official CVE, you don't need to update the application.
For instance, this position is exactly the reason that led to the current Storm-0558 data breach in Microsoft systems, including a huge government e-mail data leak, and to the opening of investigations by the FBI, CSRB, Dept. of Justice, FTC & CISA.
I invite you to read the article by Tenable's CEO and Senator Ron Wyden's letter about Microsoft's negligence in fixing potential security breaches.
cc. @ttoine
09-20-2023 07:02 AM
Not sure if I understand you, but let me make a quick analysis of your vulnerability report.
https://nvd.nist.gov/vuln/detail/CVE-2023-20860
Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.
The Alfresco Share application is not using that kind of pattern. Additionally, Alfresco Share is not using Spring MVC at all.
https://nvd.nist.gov/vuln/detail/CVE-2023-20861
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
You could get an external addon including this kind of attack by using https://docs.spring.io/spring-framework/reference/core/expressions/beandef.html
Understanding that you're not accepting or deploying Alfresco Share addons coming from an unknown developer or third-party, you're also safe.
In any case, Alfresco is updating library versions with every Alfresco release. So this will be fixed shortly. If you consider this is a high risk for your organization, you can open a Support Ticket to get that fixed as a hot fix.
What I explained to you before is not the official Hyland Policy, it was just advice from a colleague trying to help you solve your problem.
If you want to verify the official Hyland Policy or raise a concern related to it, please use the official Support Channel. Alfresco Hub is not intended to reply to those kinds of questions.
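The two posts above turn on one triage step: the scanner says a library version below the fixed version is installed, and the reply says that only matters if the application actually uses the affected feature. The following is an added example (not code from the thread, from Alfresco or from Hyland) that does the mechanical half of that step and records the other half explicitly: it parses the Tenable output quoted earlier, checks the installed version against the NVD affected ranges quoted in this post, and keeps the application-level answer (is the vulnerable feature in use?) as a separate input rather than folding it into the version check. The sample lines are the two findings from the thread joined onto one line each; the action labels and the `exposed_feature_in_use` flag are assumptions of this example.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample input: the two Tenable findings quoted in the thread, keyed by
# CVE and joined into one string per finding (path, installed and fixed version).
SCANNER_FINDINGS = {
    "CVE-2023-20860": (
        "Path : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar "
        "Installed version : 5.3.23 Fixed version : 5.3.26"
    ),
    "CVE-2023-20861": (
        "Path : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar "
        "Installed version : 5.3.23 Fixed version : 5.3.26"
    ),
}

# Affected version ranges (inclusive) as given in the NVD descriptions quoted in the thread.
AFFECTED_RANGES = {
    "CVE-2023-20860": [("6.0.0", "6.0.6"), ("5.3.0", "5.3.25")],
    "CVE-2023-20861": [("6.0.0", "6.0.6"), ("5.3.0", "5.3.25"),
                       ("5.2.0.RELEASE", "5.2.22.RELEASE")],
}

FINDING_RE = re.compile(
    r"Path\s*:\s*(?P<path>\S+)\s+Installed version\s*:\s*(?P<installed>\S+)"
    r"\s+Fixed version\s*:\s*(?P<fixed>\S+)"
)
# Artifact and version from a Maven-style jar name, e.g. spring-core-5.3.23.jar.
JAR_RE = re.compile(r"(?:^|/)(?P<artifact>[A-Za-z][\w.-]*?)-(?P<version>\d[\w.]*)\.jar$")


def version_key(version: str) -> tuple:
    """Numeric comparison key padded to three components; non-numeric
    qualifiers such as '.RELEASE' are dropped: '5.2.22.RELEASE' -> (5, 2, 22)."""
    parts = []
    for part in version.split("."):
        if not part.isdigit():
            break
        parts.append(int(part))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def version_in_affected_range(cve: str, version: str) -> bool:
    """True if `version` falls inside one of the NVD ranges recorded for `cve`."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES[cve])


class Finding(NamedTuple):
    cve: str
    artifact: str
    path: str
    installed: str
    fixed: str
    in_affected_range: bool   # installed version falls in an NVD affected range
    below_fixed: bool         # installed version is older than the scanner's fixed version
    filename_matches: bool    # version in the jar file name agrees with the reported version


def parse_finding(cve: str, line: str) -> Finding:
    """Parse one scanner output line and cross-check it against the NVD ranges."""
    m = FINDING_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised scanner line: {line!r}")
    jar = JAR_RE.search(m["path"])
    artifact = jar["artifact"] if jar else "unknown"
    # A mismatch here usually means a renamed or shaded jar, which deserves a manual look.
    filename_matches = jar is not None and version_key(jar["version"]) == version_key(m["installed"])
    return Finding(
        cve=cve,
        artifact=artifact,
        path=m["path"],
        installed=m["installed"],
        fixed=m["fixed"],
        in_affected_range=version_in_affected_range(cve, m["installed"]),
        below_fixed=version_key(m["installed"]) < version_key(m["fixed"]),
        filename_matches=filename_matches,
    )


def classify(finding: Finding, exposed_feature_in_use: Optional[bool]) -> str:
    """Map a finding to an action (labels are assumptions of this example).
    `exposed_feature_in_use` is the outcome of the application-level review the
    thread describes (e.g. does the app use Spring MVC with a "**" mvcRequestMatcher,
    or evaluate user-supplied SpEL): True, False, or None if not reviewed yet."""
    if not (finding.in_affected_range or finding.below_fixed):
        return "not-affected"
    if exposed_feature_in_use is True:
        return "patch-now"
    if exposed_feature_in_use is False:
        return "upgrade-planned"   # vulnerable library present, no confirmed exposure
    return "investigate"


if __name__ == "__main__":
    for cve, line in SCANNER_FINDINGS.items():
        f = parse_finding(cve, line)
        print(cve, f.artifact, f.installed, "->", f.fixed,
              "affected:", f.in_affected_range, "action:", classify(f, None))
```

Keeping `exposed_feature_in_use` as a separate argument is the point of the design: the version check alone can only say "vulnerable library present", and the decision between "upgrade-planned" and "patch-now" has to come from someone who has looked at how the application uses the library, which is the review the reply above performs by hand.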
09-20-2023 08:27 AM
@angelborroy Of course, if after internal analysis you determine that you are not affected by the CVE for some reason, that is acceptable for the moment, as Apache Solr did, for example, for a similar breach on their security review page for a 9.8 CVE:
But you'll admit that is far different from saying "Can you provide a detailed path to exploit this vulnerabilities in Alfresco Share", which I understand as: We will only patch it if an exploit has been released (and so, already used against Alfresco instances).
We don't consider this a high risk, we just gather information from our security monitoring, the official CVE database and Alfresco communication, and that communication should be done when vulnerabilities from 6 months ago are still not patched.
Do you have some news about changing the Community Download Page? It is only a few links to change, and it would prevent users from downloading an affected or unsupported version.
EDIT : Download page has been updated