Hi All,
EDIT (2024-11-20): Added note below about special install instructions being present for some patches (CM10.1P6 Oracle + 23.4P2 Oracle)
EDIT (2024-11-25): Added CVE scoring screenshot from NIST
Just received a notification that links to the following page: Security alert - CVE-2024-10863: Audit log vulnerability affects OpenText Secure Content Manager
The above page links to the KM article https://portal.microfocus.com/s/article/KM000036389
Posting here to the Discussions page for added visibility
Looks to impact 24.3 and older versions (any version released prior to 29 October)
------------------------
Systems Affected:
OpenText Secure Content Manager 24.3 and older versions
Details:
CVE-2024-10863: Audit log vulnerability affects OpenText Secure Content Manager
End-users can potentially exploit the vulnerability to exclude audit trails from being recorded on the client side.
Impact:
If users exploit the vulnerability, client-side events will not be captured in the central audit log.
Solution:
In the patch provided, audit trails will be captured on the server side instead of the client side, thereby eliminating the vulnerability and its impact.
Apply one of the following patches, depending on the version deployed in your environment:
Secure Content Manager 24.3 Patch 1: (Released 2024-11-14) Patch 219146 - Content Manager 24.3 Patch 1 Build 86
Secure Content Manager 24.2 Patch 1: (Released 2024-11-14) Patch 219145 - Content Manager 24.2 Patch 1 Build 123
Secure Content Manager 23.4 Patch 2: (Released 2024-10-29) Patch 1593502 - Content Manager 23.4 Patch 2 Build 240
Secure Content Manager 10.1 Patch 6: (Released 2024-10-29) Patch 1593711 - Content Manager 10.1 Patch 6 Build 1185
------------------------
NB: The fixed 24.4 version was released 2024-10-29, so versions prior to this date look to be impacted.
CVE rating of 5.1 (medium CVSS):
Mitre https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10863
CVE.org https://www.cve.org/CVERecord?id=CVE-2024-10863
NIST https://nvd.nist.gov/vuln/detail/CVE-2024-10863
Q: Is there going to be a hotfix, or is the only way to remediate to apply the patch?
A: Doesn't look like any remediations are possible outside of applying the patch. No hotfix will be provided. (Source)
Q: Does client-side mean 'any client application' (e.g. Web Client / Mobile App / Desktop)?
A: This applies only to the CM Desktop Application. (Source)
Q: Does 'central audit log' mean both the Online and Offline Audit Log?
A: The Central Audit Log mentioned above is the Online Audit Log. (Source)
Special Install Instructions for CM10.1 Patch 6 with Oracle:
See the Installation Instructions at the bottom of the page at the patch link for details.
Special Install Instructions for CM23.4 Patch 2 with Oracle:
See the Installation Instructions at the bottom of the page at the patch link for details.
Will continue to update this post if / when information becomes available. Am collating the above in my own personal capacity.
If anyone comes across any extra info that can help the community, please let me know and I'll add it to / update this post.
-Scotty