Alfresco Process Services 2.3.5|14 November 2022

 

Alfresco Process Services 2.3.5 Release Notes

14th November 2022 

The following notes provide detailed information on the Alfresco Process Services 2.3.5 release 

What’s new

  • Bug fixes 

  • Security enhancements 

Approach to Addressing Security Vulnerabilities in Alfresco

In the fast moving and ever-changing realm of technology innovation, exploitable vulnerabilities arise from time to time. Due to the Open Source nature of Alfresco software, we embed a large number of external open source libraries. Our security policy is to ensure that we ship product that is both high quality and secure. Leveraging open source software means we rely on those beyond Alfresco to make updates and provide fixes. As a result, Alfresco may sometimes release products that have known security vulnerabilities in some of these external libraries, particularly in older software versions where the library maintainers are only fixing latest library versions that are incompatible with the older software code line. We commit to making our customers aware of any known vulnerabilities in external libraries that we bundle with our software. We also encourage customers on releases several years old to consider an upgrade plan to the latest technologies to further minimize exposure.

 

3rd party Libraries with known vulnerabilities that do not affect product security 

If you analyse the product with a security scanner then the following libraries will show up as having vulnerabilities. 

We have verified that the following vulnerabilities in these libraries cannot be exploited or have a different CVSS value within the product.

Vulnerability

Product Contextual Severity

Notes

CVE-2022-2668 

(KeyCloak) 

Assessed 

This will only affect administrators of SAML clients that would possibly upload javascript code directly into Keycloak Admin Console and that should not be available in public network but in intranet only. 

Moreover, this is classified as Medium from the vendor as it requires user interaction to be exploited. 

CVE-2018-10054 (H2) 

Mitigated 

Vulnerability is not exploitable with default configuration as it requires H2 console to be explicitly activated via configuration in the property file. H2 database is anyway not recommended for production deployment. 

Bugs Fixed

Please visit https://issues.alfresco.com for full details on issues fixed in this release. 

Customer raised issues that have been fixed: Key

Summary

Case #

MNT-23208 

End users still can start older version of a process model 

00708140 

MNT-23165 

Dropdown label is not viewable in editor after saving form 

00690490, 00699587 

MNT-22149 

Not possible to export app that contains several subprocesses referencing same document template 

01021908, 00337496 

Other Fixes

The following issues fixed in this release are not publicly visible in http://issues.alfresco.com , for a variety of reasons. If you require further information about any of these, please contact Alfresco support.

Severity

Key

Summary

Case #

PRODSEC-6432 

Unrestricted File Upload - User Profile Picture 

N/A 

PRODSEC-6431 

Broken Access - Privileged Account Creation 

N/A 

PRODSEC-4856 

Veracode Flaw (static): Cross-Site Scripting (XSS), APS2.x, 15 Jul 2021 Static Promoted, Flaw 52 

N/A 

PRODSEC-6093 

GDPR compromised by Google Fonts 

N/A 

PRODSEC-6552 

SSTI: Server-Side Template Injection in Activiti email template (External Report) 

N/A 

MNT-23281 

[Security] CVE-2022-42889 request to update the common-text.jar version to 1.10. 

00743094 

 

Supported platforms

See the Supported platforms for full details of the platforms supported by this release. 

Installation

See: Alfresco Docs - Install Process Services  

Upgrading from previous releases

See: Alfresco Docs - Upgrade Process Services  

Known Issues

None 

Support

Support for this release is in line with our Product support policy: Hyland Alfresco Product Support Status and Updates  

If you require support, please visit the Alfresco Support Portal: https://support.alfresco.com 

 

 

リックソフト株式会社 は、日本でトップレベルのAtlassian Platinum Solution Partnerです。
大規模ユーザーへの対応実績が認められたEnterpriseの認定をうけ、高度なトレーニング要件をクリアし、小規模から大規模のお客様まで対応可能な実績を示したパートナー企業です。


Copyright © Ricksoft Co., Ltd. プライバシーポリシー お問い合わせ