Earlier today, we received information about a lengthy post from a member of our community regarding security issues in SugarCRM’s products and operations. Let me start by saying that SugarCRM takes product and IT security very seriously and has enjoyed a long and productive history of working with the security community. These engagements have helped improve our products and operational processes immensely. Our security protocols and policies include a prompt response to any report of security vulnerabilities or incidents by researching, analyzing, scoring, correcting and providing public notification of the issue(s), and corresponding remediation and product improvements.
Regarding today’s post, the content and issues cited are currently under review by our security, product and operations teams. As we analyze the issues, I’ll continue to post updates on this blog.
4 PM PT Update
Quick update: Our technical and operations folks are doing a line-by-line analysis of the blog post to determine the accuracy and status of the issues cited. We’ll have a more detailed update as quickly as we can work through all of them, but I’d like to shed some light on the history and structure of our SugarCRM product.
As noted in the original post, the security issues found were based on an analysis of the open source Sugar CE (Community Edition). The Sugar CE code base comes from our previous generation of CRM product (Sugar 6.x). When Sugar released the next and current generation of our CRM product (Sugar 7.x), we ended support for our open source program as well. Thus, the current version of our products (Sugar 7.9 will be shipping shortly) is not the same technology or code represented in our CE edition. That said, a significant amount of code is shared between the two, so the issues raised may very well apply to the current generation of products. Regardless of version, technology or time frame, we err on the side of safety and analyze all reports, checking against all supported versions of our CRM product.
6 PM PT Update
Analysis: First results are in
Our research is ongoing, but I want to keep folks updated here.
The vulnerabilities cited in part one of the researcher’s post are described as PHP Object injection vulnerabilities. We have made a series of changes over a period of time to fully address these issues, and we were able to mitigate them through a combination of an update provided in SugarCRM 6.5.24, released in July 2016, and the PHP 5.6.25 upstream release, which occurred in September 2016. Nonetheless, we recognize that the use of unserialize carries elevated risk, and we already have plans to move away from it in a future release.
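To make the risk described above concrete, the following is an added example (not SugarCRM code, and not taken from the researcher’s post) that contrasts an unsafe call to unserialize on untrusted input with two hardened alternatives: restricting unserialize so it cannot instantiate objects, and replacing it with JSON. The class CacheEntry, the function names and the sample payloads are constructed for illustration; the allowed_classes option used in the hardened path requires PHP 7.0 or later.

```php
<?php
// Added example, not SugarCRM code. Demonstrates why unserialize() on
// untrusted data is an object-injection risk and how to harden it.

// Hypothetical application class. Any loaded class with magic methods
// (__wakeup, __destruct, __toString, ...) can be instantiated by
// unserialize() if an attacker controls the serialized string.
class CacheEntry
{
    public string $key = '';
    public int $ttl = 0;
}

// UNSAFE: the payload decides which classes get instantiated.
function loadSettingsUnsafe(string $blob)
{
    return unserialize($blob);
}

// HARDENED (PHP >= 7.0): allowed_classes => false turns every object in
// the payload into __PHP_Incomplete_Class, so no application class is
// constructed. We additionally reject any object, even an incomplete
// one, and require the top-level value to be an array.
function loadSettingsHardened(string $blob): ?array
{
    $data = @unserialize($blob, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return null; // malformed input or a non-array top-level value
    }
    $sawObject = false;
    array_walk_recursive($data, function ($leaf) use (&$sawObject) {
        if (is_object($leaf)) {
            $sawObject = true;
        }
    });
    return $sawObject ? null : $data;
}

// PREFERRED: a data-only format. json_decode() with $assoc = true can
// never produce objects, so there is no object-injection surface at all.
function loadSettingsJson(string $json): ?array
{
    $data = json_decode($json, true, 32);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : null;
}

// Constructed sample inputs: a benign settings array and a payload that
// asks unserialize() to build a CacheEntry object.
$benign  = 'a:1:{s:5:"theme";s:4:"dark";}';
$hostile = 'O:10:"CacheEntry":2:{s:3:"key";s:1:"a";s:3:"ttl";i:1;}';

var_dump(loadSettingsUnsafe($hostile) instanceof CacheEntry); // bool(true): object built
var_dump(loadSettingsHardened($hostile));                      // NULL: rejected
var_dump(loadSettingsHardened($benign));                       // array(1) { ["theme"]=> "dark" }
var_dump(loadSettingsJson('{"theme":"dark"}'));                // array(1) { ["theme"]=> "dark" }
```

The hardened unserialize path is a stop-gap for code that must keep reading legacy serialized data; moving settings and cache payloads to JSON removes the class of bug rather than narrowing it, which is the direction the update above describes.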