Alfresco Process Services 2.3.5|14 November 2022

 

Alfresco Process Services 2.3.5 Release Notes

14th November 2022 

The following notes provide detailed information on the Alfresco Process Services 2.3.5 release.

What’s new

  • Bug fixes 

  • Security enhancements 

Approach to Addressing Security Vulnerabilities in Alfresco

In the fast-moving and ever-changing realm of technology innovation, exploitable vulnerabilities arise from time to time. Due to the open source nature of Alfresco software, we embed a large number of external open source libraries. Our security policy is to ensure that we ship products that are both high quality and secure. Leveraging open source software means we rely on those beyond Alfresco to make updates and provide fixes. As a result, Alfresco may sometimes release products that have known security vulnerabilities in some of these external libraries, particularly in older software versions where the library maintainers are fixing only the latest library versions, which are incompatible with the older software code line. We commit to making our customers aware of any known vulnerabilities in external libraries that we bundle with our software. We also encourage customers on releases several years old to consider an upgrade plan to the latest technologies to further minimize exposure.

 

3rd party Libraries with known vulnerabilities that do not affect product security 

If you analyse the product with a security scanner then the following libraries will show up as having vulnerabilities. 

We have verified that the following vulnerabilities in these libraries cannot be exploited or have a different CVSS value within the product.

| Vulnerability | Product Contextual Severity | Notes |
|---|---|---|
| CVE-2022-2668 (Keycloak) | Assessed | This only affects administrators of SAML clients who could upload JavaScript code directly into the Keycloak Admin Console, which should not be available on a public network but on the intranet only. Moreover, the vendor classifies this as Medium because it requires user interaction to be exploited. |
| CVE-2018-10054 (H2) | Mitigated | The vulnerability is not exploitable with the default configuration, as it requires the H2 console to be explicitly activated via configuration in the property file. The H2 database is in any case not recommended for production deployment. |

Bugs Fixed

Please visit https://issues.alfresco.com for full details on issues fixed in this release. 

Customer raised issues that have been fixed:

| Key | Summary | Case # |
|---|---|---|
| MNT-23208 | End users still can start older version of a process model | 00708140 |
| MNT-23165 | Dropdown label is not viewable in editor after saving form | 00690490, 00699587 |
| MNT-22149 | Not possible to export app that contains several subprocesses referencing same document template | 01021908, 00337496 |

Other Fixes

The following issues fixed in this release are not publicly visible in http://issues.alfresco.com, for a variety of reasons. If you require further information about any of these, please contact Alfresco support.

| Severity | Key | Summary | Case # |
|---|---|---|---|
| | PRODSEC-6432 | Unrestricted File Upload - User Profile Picture | N/A |
| | PRODSEC-6431 | Broken Access - Privileged Account Creation | N/A |
| | PRODSEC-4856 | Veracode Flaw (static): Cross-Site Scripting (XSS), APS2.x, 15 Jul 2021 Static Promoted, Flaw 52 | N/A |
| | PRODSEC-6093 | GDPR compromised by Google Fonts | N/A |
| | PRODSEC-6552 | SSTI: Server-Side Template Injection in Activiti email template (External Report) | N/A |
| | MNT-23281 | [Security] CVE-2022-42889 request to update the common-text.jar version to 1.10. | 00743094 |

 

Supported platforms

See the Supported platforms for full details of the platforms supported by this release. 

Installation

See: https://docs.alfresco.com/process-services/latest/install/  

Upgrading from previous releases

See: https://docs.alfresco.com/process-services/latest/upgrade/  

Known Issues

None 

Support

Support for this release is in line with our Product support policy: https://www.alfresco.com/services/subscription/technical-support/product-support-status  

If you require support, please visit the Alfresco Support Portal: https://support.alfresco.com 

 

 
