27 Apr 2012
Alfresco security alert
Both Alfresco Enterprise and Community Edition users need to pay attention to the security alert that went out last night. In a nutshell, two serious security issues (ALF-13721, ALF-13726) have been discovered and addressed; either could be exploited to gain unauthorized access to your repository and the content within it.
ALF-13721 refers to an issue in which the SOLR API web scripts can be executed without authentication. If you are running Alfresco 4, this affects you, even if you have not installed or configured SOLR. The issue is addressed in 4.0.1 Enterprise. A hotfix is available for 4.0.
ALF-13726 concerns the XSLT engine's ability to run arbitrary Java classes, which could be used to grant someone access to the repository. This one affects all versions of Alfresco. The issue will be addressed in 3.4.9. A hotfix is available.
Community Edition users should be able to patch these issues themselves using the information provided in the Jiras and the forum post referenced above. The fixes will be incorporated into the next Community release.