Security Release Notification - 10.0.5 and 11.0.2

At SugarCRM, we take seriously the security and the protection of your systems and data. Today, we are publicly announcing the availability of versions 10.0.5 and 11.0.2 to all Sugar Sell, Serve, Enterprise, Professional, and Ultimate customers. Sugar versions 10.0.5 and 11.0.2 contain fixes for critical security vulnerabilities.

SugarCloud Customers

If your Sugar instance is hosted in Sugar's cloud environment, you do not need to take any action. Customers have been upgraded as determined by their previous version of Sugar:

Current Version    Upgraded Version
11.1               Not Applicable – Not Impacted
11.0.x             11.0.2
10.0.x             10.0.5

Customers Hosted Outside of SugarCloud

If you host your instance in any environment outside of the SugarCloud environment, please carefully review the following instructions and take the actions outlined below at the earliest opportunity. Following our investigations, we have no indication that the vulnerabilities were exploited. However, administrators are strongly encouraged to upgrade their Sugar instances to 10.0.5 or 11.0.2 to prevent potential exploitation of these weaknesses.

Please visit the Download Manager to download the latest patch for your release, 10.0.5 or 11.0.2, to address these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance to apply these patches to your instance. Please review the Supported Platforms prior to installing or upgrading.

If further assistance is needed and you are on a supported version of Sugar, have one of your Sugar support-authorized contacts create a case or email support@sugarcrm.com. For more information on the Sugar Support process, please visit the Working With Sugar Support article.

Comments
  • I guess nobody knows that for sure.

    Sugar always "fixes" a lot of things hidden, without mentioning it in the release notes!
    As an example, with 11.0.2 they included a "bugfix" for a WebLogicHooks security issue mentioned in the bug https://portal.sugarondemand.com/#supp_Bugs/82879
    The bug is not in the list of fixed security vulnerabilities and is not marked as fixed in the bug report.

    I know that they included a bugfix, because I requested a hotfix for this bug and the same code is now included in 11.0.2.

    By the way, the fix almost breaks WebLogicHooks usage. I reported this at the end of May 2021 (Case 426507).
    Nevertheless days later they released 11.1.0 with the same issue.
    Someone else reported the very same bug for 11.1.0 as I did for the hotfix, days later:
    https://portal.sugarondemand.com/#supp_Bugs/87318

    Now, this non-working code for WebLogicHooks was also introduced in SugarCRM 11.0.2 without even mentioning it in the release notes.

    Do not rely on the release notes! They are not worth it!
    Always do extensive testing before installing their updates!

    Regarding this WebLogicHook issue and "critical security vulnerabilities" in general you may also like to read
    sugarclub.sugarcrm.com/.../webhook-error

Replies
  • I have just seen that the bug is mentioned as Security Advisory sugarcrm-sa-2021-031, but the bug report itself does not mention the bug as fixed, which is literally true, as long as you expect a still-working WebLogicHook as the result of a fix. The security issue is fixed, but the WebLogicHook is not working anymore.
    Anyway, bugs are also fixed without a release note and the "Known Issues" are not up to date either. You can see this for yourself by filtering the bug database. I guess the list would be too long and too much for the release notes.