A Xerox DocuShare hotfix is now available. This hotfix is strongly recommended for all versions of DocuShare 6, regardless of the type of database DocuShare connects to.
The hotfix fixes the "SQL Injection Vulnerability" that was publicly reported on GitHub on 15 April 2014 (https://gist.github.com/brandonprry/10745681).
Problem Description: The problem is a blind SQL injection vulnerability. This means there exists a way for a malicious attacker to inject SQL commands into the system, potentially changing, damaging, or deleting your database tables and values.
Who is affected: DocuShare 6 customers.
Note that:
Hotfixes are available for the currently supported releases only.
If you are running another version of DocuShare, you are strongly advised to upgrade and then apply the hotfix.
If you choose not to install this hotfix: disabling 'Guest' access and backing up the database frequently will limit your exposure to authenticated users only (and database backups would allow you to recover if a hostile attack is launched). Without the hotfix your site is vulnerable to attack by any Guest, Read-only, or higher level user who can access the system.
Steps to take:
1. Download the Critical Security Update hotfix from the Xerox website.
Note: Please look for the hotfixes under the Critical Security Updates section.
· DocuShare 6.6.1, Update 2
· DocuShare 6.6.1, Update 1
· DocuShare 6.5.3
2. Follow the contained instructions for installing the hotfix.
Note: If you update or upgrade DocuShare you must apply the associated Hotfix for that level.
For example:
· 6.6.1 Update 2 = Install Update 2 Hotfix 3
· 6.6.1 Update 1 = Install Update 1 Hotfix 24
· 6.5.3 Patch 6 = Install Patch 6 Hotfix 2
Note: For detailed instructions on how to install Updates, Patches and Hotfixes, see the solution linked at the bottom of the page.
Solution Published: April 21st, 2014
Solution ID: 1480