cancel
Showing results for 
Search instead for 
Did you mean: 

Alfresco 7.X found vulnerability

CEO-Vision
Champ in-the-making
Champ in-the-making

Hi,

We have found a vulnerability in the Community - 7.3.0 version of Alfresco.
No information about this is available on the Internet... How can we contact you to provide the information?

Thanks a lot!

15 REPLIES 15

ttoine
Community Manager Community Manager
Community Manager

Hello, you are right, some content has not been updated yet, and I will notify our web team.

That said, most people are currently using the Docker tutorial to start with ACS, and it will download the last version, the 7.4.

jleman
Champ in-the-making
Champ in-the-making

Hello @ttoine 

While the public Alfresco Community Download Page still send the users to the 7.3 version, we have updated our instances to 7.4 and our security monitoring still reports some important CVEs

__________________________________

CVECVE-2023-20860

Publication Date : 27.03.2023

CVSS 3.x Score : 7.5 HIGH

Tenable Output

  Path              : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
  Installed version : 5.3.23
  Fixed version     : 5.3.26

__________________________________

CVECVE-2023-20861

Publication Date : 23.03.2023

CVSS 3.x Score : 6.5 MEDIUM

Tenable Output

  Path              : /var/lib/tomcats/alfresco/webapps/share/WEB-INF/lib/spring-core-5.3.23.jar
  Installed version : 5.3.23
  Fixed version     : 5.3.26

__________________________________

Thank you in advance for your feedback

Best,

Can you provide a detailed path to exploit this vulnerabilities in Alfresco Share 7.4.1.1?

You need to classify reported vulnerabilities according to the risk they represent for your system. If there is no way to exploit a vulnerability in your system, then it's not a risk.

Hyland Developer Evangelist

jleman
Champ in-the-making
Champ in-the-making

@angelborroy ???????

Yes you are right, if Hyland policy is to wait for a public exploit to fix an official CVE, you don't need to update the application.

For instance, this position is exactly the reason that leads to the current Storm-0558 data breach in Microsoft systems, including a huge government e-mail data leak, and opening investigations from the FBI, CSRB, Dept. of Justice, FTC & CISA.

I invite you to read the Tenable's CEO article and the Senator Ron Wyden's letter about Microsoft's negligence in fixing potential security breaches.

cc. @ttoine 

Not sure if I understand you, but let me make a quick analysis on your vulnerabilities report.

https://nvd.nist.gov/vuln/detail/CVE-2023-20860

Spring Framework running version 6.0.0 - 6.0.6 or 5.3.0 - 5.3.25 using "**" as a pattern in Spring Security configuration with the mvcRequestMatcher creates a mismatch in pattern matching between Spring Security and Spring MVC, and the potential for a security bypass.

Alfresco Share application is not using that kind of pattern. Additionally, Alfresco Share is not using Spring MVC at all.

https://nvd.nist.gov/vuln/detail/CVE-2023-20861

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

You could get an external addon including this kind of attack by using https://docs.spring.io/spring-framework/reference/core/expressions/beandef.html

Understanding that you're not accepting or deploying Alfresco Share addons coming from an unknown developer or third-party, you're also safe.

In any case, Alfresco is updating library versions with every Alfresco release. So this will be fixed shortly. If you consider this is a high risk for your organization, you can open a Support Ticket to get that fixed as a hot fix.

What I explained to you before is not the official Hyland Policy, it was just an advice from a colleague trying to help you to solve your problem.

If you want to verify the official Hyland Policy or raise a concern related to it, please use the official Support Channel. Alfresco Hub is not intended to reply to those kind of questions.

Hyland Developer Evangelist

jleman
Champ in-the-making
Champ in-the-making

@angelborroy Of course if after internal analysis, you can determine to not be affected by the CVE for some reasons that is acceptable for a moment, as Apache Solr did for exemple for a similar breach in their security review page for a 9.8 CVE

image

But you'll admit that is far different from saying "Can you provide a detailed path to exploit this vulnerabilities in Alfresco Share", which I understand as :  We will only patch it if an exploit has been released (and so, already used against Alfresco instances).

We don't consider this is a high risk, we just gather informations from our security monitoring, the official CVE database and Alfresco communication, that communication should be done when vulnerabilities from 6 months ago are still not patched.

image

Do you have some news about changing the Community Download Page ? It is some links to change and can prevent users to download an affected or unsupported version.

EDIT : Download page have been updated