====== Ahsay Security Advisory (#26030) - Critical Vulnerability in AhsayCBS v7 and AhsayCBS v8 ======
We have recently uncovered a critical vulnerability in the AhsayCBS API (Application Programming Interface) system, which exposes some versions of AhsayCBS v7 and AhsayCBS v8 to a very high risk of malicious attack and loss of data.
The vulnerability could potentially allow a malicious attacker to:
* Gain access to the file system and all backup files on the AhsayCBS server
* Obtain a list of directories and files on the AhsayCBS server
* Delete files on the AhsayCBS server
* Download files from the AhsayCBS server
===== What are the affected AhsayCBS versions? =====
* AhsayCBS pre-v7.17.2.97
* AhsayCBS v8.1.0.24 to v8.1.1.x
* AhsayCBS v8.3.0.30 to v8.3.0.104
===== Does it affect my AhsayOBM/AhsayACB v7 and v8 clients? =====
The vulnerability only affects AhsayCBS v7 and AhsayCBS v8 servers; it does not affect the AhsayOBM/AhsayACB v7 and v8 clients, so no action is required for AhsayOBM/AhsayACB clients.
However, we do recommend partners consider upgrading AhsayOBM/AhsayACB clients to the latest versions to take advantage of the latest available bug fixes and enhancements.
===== What action do I need to take to fix this problem? =====
All affected partners:
* On AhsayCBS v7 are strongly advised to upgrade to the latest version of v7, AhsayCBS v7.17.2.119 or above to fix the critical vulnerability.
* On AhsayCBS v8 are strongly advised to upgrade to the latest version of v8, AhsayCBS v8.3.2.11 or above to fix the critical vulnerability.
Please make sure you have valid maintenance before upgrading to the latest release. Otherwise, your AhsayCBS service will stop functioning due to a "Support Expired" error. Please contact a member of our Sales team at sales-kb@ahsay.com for assistance with maintenance related issues.
==== 1. For partners currently on AhsayCBS v7 ====
i. If your current version is **NOT AhsayCBS v7.17.2.2 or above**.
* Please refer to these KB articles for upgrade instructions to upgrade to v7.17.2.2:
* Windows/Linux/FreeBSD: [[public:5145_faq:how_to_install_the_latest_patch_set_for_ahsaycbs|Click here]]
* AhsayUBS: [[public:5237_faq:how_to_install_the_latest_patch_set_for_ahsayubs_version_7|Click here]]
* Apply the latest hotfix v7.17.2.119 or above. Please refer to instructions on our Partner Portal [[https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_hotfix-v7|here]]. (**Note:** a valid partner portal login is required.)
ii. If your current version is AhsayCBS v7.17.2.2 or above.
* Apply the latest hotfix v7.17.2.119 or above. Please refer to instructions on our Partner Portal [[https://www.ahsay.com/partners/en/home/index.jsp?pageContentKey=ahsay_assets_hotfix-v7|here]]. (**Note:** a valid partner portal login is required.)
==== 2. For partners currently on AhsayCBS v8 ====
If your current version is **NOT AhsayCBS v8.3.2.11 or above**, please refer to the following KB article for upgrade instructions:
* Windows/Linux/FreeBSD: [[public:8009_faq:how_to_install_the_latest_patch_set_for_ahsaycbs|Click here]]
* AhsayUBS: [[public:8026_faq:how_to_install_the_latest_patch_set_for_ahsayubs|Click here]]
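The affected version ranges and upgrade paths above can be checked across a server inventory with a short script. The following is an added example, not Ahsay code; it assumes range endpoints are inclusive, "pre-" means strictly below, "v8.1.1.x" means any 8.1.1 build, and the host names are constructed.

```python
# Added example (not Ahsay code): triage AhsayCBS versions against this advisory.
# Assumptions: range endpoints are inclusive, "pre-" means strictly below,
# "v8.1.1.x" means any 8.1.1 build, and only major versions 7 and 8 are in scope.

def parse(version):
    """'v8.3.0.104' -> (8, 3, 0, 104); raises ValueError on malformed input."""
    parts = tuple(int(p) for p in version.strip().lstrip("vV").split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields: {version!r}")
    return parts

def is_affected(version):
    """True if the version falls in a range listed under 'affected versions'."""
    v = parse(version)
    if v[0] == 7:
        return v < (7, 17, 2, 97)                      # pre-v7.17.2.97
    if v[0] == 8:
        return ((8, 1, 0, 24) <= v < (8, 1, 2, 0)      # v8.1.0.24 to v8.1.1.x
                or (8, 3, 0, 30) <= v <= (8, 3, 0, 104))
    return False

def upgrade_steps(version):
    """Upgrade path from the 'What action do I need to take' section."""
    v = parse(version)
    if v[0] == 7:
        if v >= (7, 17, 2, 119):
            return []
        steps = ["apply hotfix v7.17.2.119 or above"]
        if v < (7, 17, 2, 2):
            # Older v7 builds must reach v7.17.2.2 before the hotfix.
            steps.insert(0, "upgrade to v7.17.2.2")
        return steps
    if v[0] == 8:
        return [] if v >= (8, 3, 2, 11) else ["upgrade to v8.3.2.11 or above"]
    return []

def triage(inventory):
    """Map each host to (affected, steps); inventory is {host: version}."""
    return {h: (is_affected(ver), upgrade_steps(ver)) for h, ver in inventory.items()}

if __name__ == "__main__":
    # Constructed inventory for illustration.
    sample = {"cbs-a": "7.17.0.30", "cbs-b": "v7.17.2.100",
              "cbs-c": "8.1.1.50", "cbs-d": "8.3.2.11"}
    for host, (affected, steps) in triage(sample).items():
        print(f"{host}: affected={affected} steps={steps or ['none']}")
```

A host can be outside the listed affected ranges and still have upgrade steps, because the advisory recommends the latest v7 hotfix or v8 release for all partners below those versions.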
===== What if my maintenance has already expired? How do I upgrade? =====
**Stop! Do not upgrade** until you contact a member of our Sales Team at [[mailto:sales-kb@ahsay.com|sales-kb@ahsay.com]] for assistance with your maintenance renewal.
===== What if I require assistance with my AhsayCBS server upgrade? =====
Our professional service team is ready to provide immediate assistance to partners with AhsayCBS v7 and AhsayCBS v8 upgrades.
Please contact a member of our Sales Team at [[mailto:sales-kb@ahsay.com|sales-kb@ahsay.com]] to obtain a quotation for the AhsayCBS upgrade service.