Alfresco Content Services security notification and actions


aleach
Alfresco Employee

A security vulnerability was recently identified and reported to Hyland relating to Alfresco Content Services. We have received and verified three security issues with severity up to critical in our platform.

Supported Alfresco Content Services versions

The Alfresco Content Services Engineering team has created a hotfix for each supported version affected. Supported customers have received an email with hotfix locations and instructions to install. If you are a supported customer and have not received this communication, please submit a support ticket via Hyland Community.

 

Unsupported Alfresco Content Services versions

If your organization is running on an unsupported Alfresco Content Services version, it is recommended that you upgrade to a more recent Alfresco Content Services version to address the current security vulnerabilities and mitigate future risk.

 

Please visit this webpage, and a Hyland team member will reach out to discuss upgrade options. In the meantime, learn more about the Alfresco Cloud, our fully managed platform, and our latest on-premises version, Alfresco Content Services 7.0.1.

 

Additional information

If you have questions on whether you are on a supported or unsupported Alfresco Content Services version, visit the Product Support Status page.

 

Additional security information related to the issues will be publicly disclosed when the common vulnerabilities and exposures (CVEs) are assigned. 

 

Hyland will continue to notify you of opportunities to enhance your Alfresco Content Services platform security.

2 Comments
jpotts
Professional

Exactly how are community edition users supposed to identify what these vulnerabilities are and whether or not they are affected?

afaust
Master

@jpotts You are assuming that Enterprise Edition users have any more meaningful input. The same type of question is being raised in the Hyland Community for support. Granted, they did at least give a bullet point list of three or four high-level titles/descriptions, though as far as it appears, the Enterprise hot fix also includes some seemingly overreaching feature restriction affecting the "Execute Script" action under the guise of "security".