SugarCRM has released version 220.127.116.11 for all editions. The 18.104.22.168 release is available for download to on-site customers and has been applied automatically to 7.9 customers in the Sugar cloud environment. This release addresses issues identified in prior Sugar releases and includes important security updates. At SugarCRM, we consider data security and the protection of your private information our highest priority. We recently identified security vulnerabilities; to minimize risk, those issues have been investigated and fixed in this release.
For more information regarding the specific advisories, please refer to the following Security Advisory announcements:
- Security Advisory sugarcrm-sa-2018-001 : Authenticated administrative users may cause arbitrary code to be executed.
- Security Advisory sugarcrm-sa-2018-002 : Unauthenticated users may gain access via privilege escalation in LDAP-configured applications.
- Security Advisory sugarcrm-sa-2018-003 : Authenticated users may cause arbitrary SQL to be executed.
- Security Advisory sugarcrm-sa-2018-004 : Authenticated users may cause arbitrary code to be executed.
- Security Advisory sugarcrm-sa-2018-005 : Authenticated users may cause arbitrary code to be executed.
Following our investigations, we have no indication that the vulnerabilities were exploited. However, we recommend that you immediately take the steps outlined below to ensure that your data stays protected:
If you are hosted in the Sugar cloud, no action is required as these vulnerabilities and bugs have been patched in the cloud environment. If you have additional questions related to how your instance has been affected, please open a case with our support team.
If you host your instance on-site (in any environment outside of the Sugar cloud environment), please carefully review the following instructions and take the actions outlined below at the earliest opportunity. Failure to take these actions could leave you exposed to malicious attacks:
Please visit our Download Manager to download the latest patch for your release, 22.214.171.124, which addresses these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance for applying this patch to your instance.
Version 7.8.x or below
Versions 7.8 and below are no longer supported, so please visit our Download Manager to download 126.96.36.199, which addresses these vulnerabilities. Our Installation and Upgrade Guide contains the appropriate guidance for applying this upgrade to your instance.
If upgrading now is not an option, please open a case with our support team to request a hotfix for the security vulnerabilities. We will then supply a module loadable package that can be applied to your current version and edition of Sugar. Please note that we will only supply hotfixes for supported versions. Support tickets can be opened via our portal or by emailing firstname.lastname@example.org. If you are not familiar with the support process, please review our knowledge base article on Working With Sugar Support.
More information on the updates in this release can be found at the following links: