Alfresco Process Services 2.3.5 Release Notes
14th November 2022
The following notes provide detailed information on the Alfresco Process Services 2.3.5 release.
What’s new
Bug fixes
Security enhancements
Approach to Addressing Security Vulnerabilities in Alfresco
In the fast-moving and ever-changing realm of technology innovation, exploitable vulnerabilities arise from time to time. Due to the open source nature of Alfresco software, we embed a large number of external open source libraries. Our security policy is to ensure that we ship product that is both high quality and secure. Leveraging open source software means we rely on those beyond Alfresco to make updates and provide fixes. As a result, Alfresco may sometimes release products that have known security vulnerabilities in some of these external libraries, particularly in older software versions where the library maintainers are fixing only the latest library versions, which are incompatible with the older software code line. We commit to making our customers aware of any known vulnerabilities in external libraries that we bundle with our software. We also encourage customers on releases several years old to consider an upgrade plan to the latest technologies to further minimize exposure.
3rd party Libraries with known vulnerabilities that do not affect product security
If you analyse the product with a security scanner, the following libraries will show up as having vulnerabilities.
We have verified that the following vulnerabilities in these libraries cannot be exploited or have a different CVSS value within the product.
Vulnerability | Product Contextual Severity | Notes |
CVE-2022-2668 (Keycloak) | Assessed | This only affects administrators of SAML clients who could upload JavaScript code directly into the Keycloak Admin Console, which should not be available on a public network but on the intranet only. Moreover, the vendor classifies this as Medium because it requires user interaction to be exploited. |
CVE-2018-10054 (H2) | Mitigated | The vulnerability is not exploitable with the default configuration, as it requires the H2 console to be explicitly activated via configuration in the property file. In any case, the H2 database is not recommended for production deployment. |
Bugs Fixed
Please visit https://issues.alfresco.com for full details on issues fixed in this release.
Customer raised issues that have been fixed:
Key | Summary | Case # |
MNT-23208 | End users still can start older version of a process model | 00708140 |
MNT-23165 | Dropdown label is not viewable in editor after saving form | 00690490, 00699587 |
MNT-22149 | Not possible to export app that contains several subprocesses referencing same document template | 01021908, 00337496 |
Other Fixes
The following issues fixed in this release are not publicly visible in http://issues.alfresco.com, for a variety of reasons. If you require further information about any of these, please contact Alfresco support.
Severity | Key | Summary | Case # |
2 | PRODSEC-6432 | Unrestricted File Upload - User Profile Picture | N/A |
1 | PRODSEC-6431 | Broken Access - Privileged Account Creation | N/A |
1 | PRODSEC-4856 | Veracode Flaw (static): Cross-Site Scripting (XSS), APS2.x, 15 Jul 2021 Static Promoted, Flaw 52 | N/A |
2 | PRODSEC-6093 | GDPR compromised by Google Fonts | N/A |
2 | PRODSEC-6552 | SSTI: Server-Side Template Injection in Activiti email template (External Report) | N/A |
3 | MNT-23281 | [Security] CVE-2022-42889 request to update the common-text.jar version to 1.10. | 00743094 |
Supported platforms
See Supported platforms for full details of the platforms supported by this release.
Installation
See: Alfresco Docs - Install Process Services
Upgrading from previous releases
See: Alfresco Docs - Upgrade Process Services
Known Issues
None
Support
Support for this release is in line with our Product support policy: Hyland Alfresco Product Support Status and Updates
If you require support, please visit the Alfresco Support Portal: https://support.alfresco.com