CVE-2024-10863: Audit log vulnerability

Hi All,

EDIT (2024-11-20) Added note below about special install instructions being present for some patches (CM10.1P6 Oracle + 23.4P2 Oracle)
EDIT (2024-11-25) Added CVE scoring screenshot from NIST

Just received a notification that links to the following page: Security alert - CVE-2024-10863: Audit log vulnerability affects OpenText Secure Content Manager
The above page links to the KM  https://portal.microfocus.com/s/article/KM000036389

Posting here to the Discussions page for added visibility

Looks to impact 24.3 and older versions (any version released prior to 29 October)

------------------------

Systems Affected:
OpenText™ Secure Content Manager 24.3 and older versions

Details:
CVE-2024-10863: Audit log vulnerability affects OpenText Secure Content Manager
End-users can potentially exploit the vulnerability to exclude audit trails from being recorded on the client side.

Impact:
If users exploit the vulnerability, client-side events will not be captured in the central audit log.

Solution:
In the patch provided, audit trails will be captured on the server side instead of the client side, thereby eliminating the vulnerability and its impact.

Apply one of the following patches depending on the version deployed in your environment.
Secure Content Manager 24.3 Patch 1: (Released 2024-11-14) Patch 219146 - Content Manager 24.3 Patch 1 Build 86
Secure Content Manager 24.2 Patch 1: (Released 2024-11-14) Patch 219145 - Content Manager 24.2 Patch 1 Build 123
Secure Content Manager 23.4 Patch 2: (Released 2024-10-29) Patch 1593502 - Content Manager 23.4 Patch 2 Build 240
Secure Content Manager 10.1 Patch 6: (Released 2024-10-29) Patch 1593711 - Content Manager 10.1 Patch 6 Build 1185

------------------------

NB: The fixed 24.4 version was released 2024-10-29 so versions prior to this date look to be impacted.

CVE rating of 5.1 (medium CVSS):

Mitre: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10863
CVE.org: https://www.cve.org/CVERecord?id=CVE-2024-10863
NIST: https://nvd.nist.gov/vuln/detail/CVE-2024-10863

Is there going to be a hotfix or is the only way to remediate to apply the patch?
Doesn't look like any remediations are possible outside of applying the patch. No hotfix will be provided. (Source)

Does client-side mean 'any client application' (e.g. Web Client / Mobile App / Desktop)?
This applies only to the CM Desktop Application (Source)

Does 'central audit log' mean both the Online and Offline Audit Log?
Central Audit Log mentioned above is the Online Audit Log. (Source)

Special Install Instructions for CM10.1 Patch 6 with Oracle:
See the Installation Instructions at the bottom of the page at the patch link for details.

Special Install Instructions for CM23.4 Patch 2 with Oracle:
See the Installation Instructions at the bottom of the page at the patch link for details.

Will continue to update this post if / when information becomes available. Am collating the above in my own personal capacity.

If anyone comes across any extra info that can help the community please let me know and I'll add it to / update this post.

-Scotty
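An added illustration of the design issue the advisory describes, not code from OpenText or from the post above: a toy server and two toy clients show why an audit trail that the client is trusted to write can be suppressed by that client, and why writing it on the server as part of the action closes the gap. The Content Manager client/server protocol is not modelled, and the "request records" used by the retrospective check at the end are a hypothetical data source, not something the advisory says CM provides.

```python
"""Toy model of the audit-log flaw described in CVE-2024-10863.

Added illustration, not OpenText code. The real Content Manager client and
server are not modelled; the point is only the difference between an audit
entry the client is trusted to submit and one the server writes itself.
"""
from dataclasses import dataclass, field


@dataclass
class Server:
    """Document store that owns the central (online) audit log."""

    documents: dict = field(default_factory=lambda: {"REC-1": "payroll.xlsx"})
    audit_log: list = field(default_factory=list)

    # Vulnerable design: the server serves the document and relies on the
    # client to report the access afterwards in a separate call.
    def fetch_document(self, record_id: str) -> str:
        return self.documents[record_id]

    def submit_audit_event(self, event: dict) -> None:
        self.audit_log.append(event)

    # Patched design: the audit record is written by the server before the
    # document leaves it, so nothing the client does can omit it.
    def fetch_document_audited(self, user: str, record_id: str) -> str:
        self.audit_log.append({"user": user, "action": "view", "record": record_id})
        return self.documents[record_id]


class HonestClient:
    """Desktop client that behaves as intended and reports its own actions."""

    def __init__(self, user: str, server: Server) -> None:
        self.user, self.server = user, server

    def view(self, record_id: str) -> str:
        doc = self.server.fetch_document(record_id)
        self.server.submit_audit_event(
            {"user": self.user, "action": "view", "record": record_id}
        )
        return doc


class SilentClient(HonestClient):
    """Same client with the audit call removed: the server never learns."""

    def view(self, record_id: str) -> str:
        return self.server.fetch_document(record_id)


def audit_entries_with_client_side_logging() -> int:
    """Two users view the same record; only the honest one appears in the log."""
    server = Server()
    HonestClient("alice", server).view("REC-1")
    SilentClient("mallory", server).view("REC-1")
    return len(server.audit_log)


def audit_entries_with_server_side_logging() -> int:
    """With the patched design the client has no audit call to skip."""
    server = Server()
    for user in ("alice", "mallory"):
        server.fetch_document_audited(user, "REC-1")
    return len(server.audit_log)


def unaudited_accesses(access_records: list, audit_log: list) -> list:
    """Retrospective check for an unpatched period.

    access_records is a hypothetical server-side record of who fetched what
    (e.g. request logs, if your deployment keeps any); an access with no
    matching audit entry is a candidate for a suppressed client-side event.
    """
    audited = {(e["user"], e["record"]) for e in audit_log}
    return [r for r in access_records if (r["user"], r["record"]) not in audited]


if __name__ == "__main__":
    print("client-side logging entries:", audit_entries_with_client_side_logging())
    print("server-side logging entries:", audit_entries_with_server_side_logging())
    # Constructed sample data: two accesses seen at the server, one audit entry.
    accesses = [{"user": "alice", "record": "REC-1"},
                {"user": "mallory", "record": "REC-1"}]
    log = [{"user": "alice", "action": "view", "record": "REC-1"}]
    print("accesses with no audit entry:", unaudited_accesses(accesses, log))
```

The lesson for the patched design is the one the KM states: the audit write has to happen where the action is performed (server side), not be delegated to the party whose actions are being audited. The gap check only helps if some server-side evidence of access exists independently of the audit log.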