Important SugarCRM Security Update – The Conclusion

Last month, we published a response to a security researcher’s findings about SugarCRM security. I encourage you to read that post before this one.

In the final section of his post, the blogger discusses our licensing infrastructure. He mentions that communication with our licensing server does not verify the SSL certificate. The commercial editions of Sugar have had SSL certificate verification enabled by default for a number of years. This effectively mitigates the man-in-the-middle attacks that he references. He also discusses leveraging unserialize vulnerabilities with our licensing server and highlights that this could be used to compromise customers. We do not believe this to be realistic, as the current implementation of our license server code validates the customer-supplied payload prior to calling unserialize. However, as referenced in the first update to this post, in an effort to mitigate risk, we plan on removing calls to unserialize in a future version of Sugar and addressing them in our licensing server as well at that time.

It is important to remember that the blogger tested Sugar Community Edition, not the commercial version of Sugar. In February 2014, SugarCRM co-founder and CMO Clint Oram discussed the split between our open source Sugar Community Edition (Sugar CE) and the commercial versions of the product (see https://community.sugarcrm.com/thread/18434). We announced we would no longer support Sugar CE and instead focus on adding new features and functionality to Sugar’s commercial versions. In subsequent years, the commercial versions of Sugar have become radically different from the older Sugar CE. In fact, we just released Sugar 7.9, which we believe to be our most secure and feature-rich commercial release to date.

Overall, we resolved the escalated issues using our standard grading model, backported those fixes where appropriate, and we continue to use a variety of tools for analyzing our systems for vulnerabilities. We’ve even done these things for the prior version of Sugar (6.5) as well as Sugar CE.

Wherever possible, we react quickly to identified issues. For example, we quickly and transparently communicated with each of the two customers we identified who were affected by the researcher’s actions in the fall of 2016.

I want to make clear that we encourage open communications with the Sugar community. We expect and hope that these interactions will be constructive and positive for everyone involved. We welcome analysis and feedback on the quality and security of our systems, services and infrastructure. Feel free to contact us at security@sugarcrm.com.