Syracuse Server Security hotfix
Description

 

Syracuse Server Security hotfixes

A security risk has been detected within Sage X3 that may impact customers using Sage X3 and Sage X3 Warehousing. The security risk is related to a platform component, Syracuse Server (the Sage X3 web server).

Please make sure the following instructions are carefully reviewed for all customers:

  • Please review the updated security guidelines in the Sage X3 Online Help.

Sage provides a set of guidelines outlining best practices for deploying Sage X3 in a secure way. Our recommendation is that customers review these guidelines to ensure that Sage X3 is deployed securely. Please refer to the current security best practice recommendations available via the Sage X3 Online Help Center. 

  • Syracuse Server security hotfixes:

Syracuse Server security hotfixes for 2023 R1 and 2023 R2 are available in the Download section below. The same fixes will be included in the 2024 R1 release.

 

Please see the details of the vulnerabilities below:  

Information Disclosure (Severity: Medium): Some endpoints in Sage X3 allow a user with sufficient access rights to read object properties that are not meant to be disclosed. This is restricted to objects the user already has access to, depending on their role and access rights in Sage X3. With the hotfix applied, object properties that are not meant to be disclosed are no longer displayed in any scenario.

 

Brute force attack – Login credentials (Severity: Medium): The X3 basic login screen may allow an attacker to perform brute force attacks against user passwords and, if successful, gain unauthorized access. This attack scenario is possible only when basic (user / password) authentication is used. Reminder: as per the Sage security guidelines, basic authentication (user / password) must never be used on production instances.

 

Mass Assignment (Severity: Medium): The Sage X3 REST API allows a user with sufficient access rights to modify object properties that are not meant to be modifiable. This is only possible for objects the user already has access to, depending on their role and access rights in X3. With the hotfix applied, object properties that are not meant to be modified by a user are no longer modifiable via the REST API.

 

Download

Hotfix for 2023 R2: syracuse-server-12.19.10.10.jar.zip

Hotfix for 2023 R1: syracuse-server-12.18.18.3.jar.zip

