SugarCRM vulnerabilities detected in SuiteCRM

Hi

We have a SuiteCRM install which I’ve just upgraded to 7.10.2, because the earlier version (7.8.7?) was detected by an OpenVAS security scan as having SugarCRM vulnerabilities.

  • SugarCRM Multiple Vulnerabilities (June 2017)
  • SugarCRM Multiple SQL Injection Vulnerabilities
  • SugarCRM php-saml Vulnerability

Unfortunately, even after the upgrade, these vulnerabilities are still being reported.
Having read through other threads… I think the security issues have been addressed, but it would be good if the false positives were cleared
(can share the actual scan results if you want them)

Regards

Eric

Yes, these have been addressed. Maybe it’s better to contact the Security Scan providers and tell them to drop any SugarCRM checks for SuiteCRM, starting from SuiteCRM versions dated after SugarCRM CE was removed from Github and ceased to exist.

From now on there is no SugarCRM inside SuiteCRM, there is just SuiteCRM.

See https://github.com/salesagility/SuiteCRM/issues/5599

The security scan (OpenVAS) is detecting SugarCRM 6.5.25 and assuming SugarCRM vulnerabilities within SuiteCRM.
That would suggest that there are still some residual traces of SugarCRM.

Until they’re removed, any security scan software is rightly going to flag up vulnerabilities in what it sees as an outdated SugarCRM install.

I’m not the first person to have pointed this out - your GitHub link shows that someone else pointed this out in March.

Eric

Yes I was aware of this from that earlier GitHub discussion.

But it’s their false positive, what can we do? They’re not detecting any vulnerabilities, they’re zealously detecting a “secondary version number” that might previously have been a sign of issues, but not anymore…

I’m not sure they’re being overzealous…
If there’s a vulnerability in SugarCRM pre-6.5.26, then they ought to report it.

Vulnerability Detection Result
Installed version: 6.5.25
Fixed version: 6.5.26

I guess either stop reporting as SugarCRM 6.5.25

or

Ask them (http://www.openvas.org/) how to quash this at source?

I’ve set it as a false positive when we scan internally, but it’ll pop up every few months from other people if you don’t address it somehow.

Eric

We know the vulnerabilities are fixed, we checked that.

But they aren’t fixed with something called “SugarCRM 6.5.26”, they are fixed with something called “SuiteCRM 7.x.x” (I don’t know exactly which version fixed it).

So we can’t report we’re using SugarCRM 6.5.26 because we aren’t. And we can’t fix any vulnerabilities because we already did.

So all that is left is for these scanning engines to recognize this situation and stop checking the SugarCRM version in SuiteCRM (at least for these more recent releases).
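An added example (my own, not from this thread or the SuiteCRM project) of the triage logic the discussion implies: the scanner compares the SugarCRM version string it finds against the fixed version, and a defender can only downgrade the finding to a false positive after confirming that the SuiteCRM release actually in use carries the fix. The sample finding is constructed in the same shape as the one quoted above, and the `fixed_in` SuiteCRM version is a placeholder, since the thread does not name the release that fixed these issues.

```python
import re

# Constructed sample in the shape of the OpenVAS result quoted in the thread.
SAMPLE_FINDING = """\
Vulnerability Detection Result
Installed version: 6.5.25
Fixed version: 6.5.26
"""

# PLACEHOLDER: the thread does not say which SuiteCRM 7.x.x release removed the
# vulnerable SugarCRM code, so callers must supply the value they have verified.
PLACEHOLDER_SUITECRM_FIXED_IN = (7, 0, 0)


def parse_version(text):
    """Turn '6.5.25' into (6, 5, 25) so tuples compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_finding(block):
    """Extract (installed, fixed) version tuples from an OpenVAS-style result block."""
    installed = re.search(r"Installed version:\s*([\d.]+)", block)
    fixed = re.search(r"Fixed version:\s*([\d.]+)", block)
    if not (installed and fixed):
        raise ValueError("finding does not contain an installed/fixed version pair")
    return parse_version(installed.group(1)), parse_version(fixed.group(1))


def triage(block, suitecrm_version, fixed_in=PLACEHOLDER_SUITECRM_FIXED_IN):
    """Classify a SugarCRM-version finding raised against a SuiteCRM host.

    suitecrm_version is the SuiteCRM release actually running (None if unknown);
    fixed_in is the SuiteCRM release known to carry the fix. The finding is only
    marked a false positive when the SuiteCRM release itself is at or past that.
    """
    installed, fixed = parse_finding(block)
    if installed >= fixed:
        return "not_vulnerable", "reported SugarCRM version already at fixed version"
    if suitecrm_version is None:
        return "vulnerable", "SugarCRM version below fix and SuiteCRM version unknown"
    if suitecrm_version >= fixed_in:
        return "false_positive", ("SugarCRM %s string is residual; SuiteCRM %s >= %s"
                                  % (".".join(map(str, installed)),
                                     ".".join(map(str, suitecrm_version)),
                                     ".".join(map(str, fixed_in))))
    return "vulnerable", "SuiteCRM release predates the fix"
```

Keep the verdict and reason together in the scan tracker so the suppression is tied to a verified SuiteCRM version rather than blanket-ignoring every SugarCRM check.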