
IMPORTANT: Sage X3 Security Hotfix *** Added on 28th June 2021

We have updated the Sage X3 Security Hotfix post below delivered on 28th April 2021 with some additional information. Please scroll down this page to read our post.

Ensuring security for our customers is of paramount importance to Sage. We have recently become aware of a security risk that may impact customers using Sage X3. The security risk is related to a platform component and has no impact on the Sage X3 application code or on customizations that may have been implemented.

To ensure that customers using Sage X3 remain secure, Sage has worked quickly to address this issue and we have made a fix available for immediate implementation.

NOTE: Please refer to the Sage X3 Lifecycle Policy for information on the support status of the different Sage X3 versions. For more information on versions that are not supported but have a valid maintenance license please contact your Sage X3 vendor.

We recommend that you apply the security fix as soon as possible. Please read the following instructions before applying the hotfix if your current version is supported by the Sage X3 Lifecycle Policy.

 

1- Please review updated security guidelines in the Sage X3 Online Help

Sage provides a set of guidelines outlining best practices for deploying Sage X3 in a secure way. Our recommendation is that customers review these guidelines to ensure that Sage X3 is deployed securely. Please refer to the current Security Best Practice Recommendations available in the Sage X3 Online Help Centre.

 

2- Security Hotfix - Installation steps

Step 1: This step is applicable for the Sage X3 versions V12, V11, and V9 supported by Sage X3 Lifecycle Policy and indicated in the grid below.

Apply the following technical components:

Step 2: Please follow the instructions in the grid below for relevant Sage X3 version.

Version 12

If your current release is 2020 R1, R2, R3, R4 or 2021 R1, apply the following technical components. The Syracuse hotfix includes the replacement of Flash components, in particular the Visual Process display and editor.

In addition to the installation of the Syracuse hotfix above,

If your current release is 2020 R1 or 2020 R2, please install the relevant Sage X3 patch below through the Patches > Patch Integration function in the X3 Endpoint:

If your current release is 2020 R3, please install the relevant Sage X3 patch below through the Patches > Patch Integration function in the X3 Endpoint:

Review your Sage X3 Visual Processes (if used) to check whether any adaptation is necessary.

Best Practice: 

Make a backup and ensure the hotfix is installed in a pre-production or test environment first and thoroughly tested before moving to production. 

Roll back information: 

For the scenarios above where only the technical components are required (i.e. no additional applicative patches are needed), namely Sage X3 Version 12 2020 R4 and 2021 R1, each technical component can be rolled back either by simply installing the older version of the technical component, or by uninstalling the recent installation and re-installing the older version of that component.

For Sage X3 Version 12 2020 R1 to 2020 R3, you cannot simply roll back the technical components; you would need to revert to the backup made prior to starting the installation.

Version 11

Apply the following technical components. These technical components are compatible with, and have been tested internally against, the latest patch V11 P19. They have not been tested on earlier patch levels of Sage X3 Version 11. As such, Sage can give no guarantees regarding the suitability of the fix on those levels. Please note for customers that are on earlier patch versions, the technical components may work, and there may also be a requirement for certain applicative patches. It is strongly advised that you reach out to your local support team on a case-by-case basis for advice.

The Syracuse hotfix includes the replacement of Flash components, in particular the Visual Process display and editor.

Review your Sage X3 Visual Processes (if used) to check whether any adaptation is necessary.

Best Practice: 

Make a backup and ensure the hotfix is installed in a pre-production or test environment first and thoroughly tested before moving to production. 

Roll back information:  

Each technical component can be rolled back either by simply installing the older version of the technical component, or by uninstalling the recent installation and re-installing the older version of that component.

Version 9

IMPORTANT: Per the Sage X3 lifecycle policy, the following Syracuse hotfix is guaranteed to work with the latest patch level of Sage X3 PU9 (PU9 P12). It has not been tested on earlier patch levels of Sage X3 PU9. As such, Sage can give no guarantees regarding the suitability of the fix on those levels. Please note for customers that are on earlier patch versions, the technical components may work, and there may also be a requirement for certain applicative patches. It is strongly advised that you reach out to your local support team on a case-by-case basis for advice.

This Syracuse hotfix does not include the replacement of Flash components.


Best Practice:

Make a backup and ensure the hotfix is installed in a pre-production or test environment first and thoroughly tested before moving to production. 

Roll back information:

Each technical component can be rolled back either by simply installing the older version of the technical component, or by uninstalling the recent installation and re-installing the older version of that component.

Additional information:

The compatible MongoDB versions associated with the Syracuse security update are as follows:

  • Version 12 must have MongoDB v4.2.8
  • Version 11 must have MongoDB v4.2.8
  • Product Update 9 must have MongoDB v3.6.14

Note: MongoDB must be on the appropriate version (for your X3 Version) PRIOR to installing/updating Syracuse.

  • For more information on updating to MongoDB 3.6, Please see our Reference Guide HERE.
  • For more information on updating to MongoDB 4.0, Please see our Reference Guide HERE.
  • For more information on updating to MongoDB 4.2, Please see our Reference Guide HERE.

Additional information for multi-server/clustered environments:

  • The above remains applicable to each server or cluster.
  • You may be able to limit downtime by taking servers / clusters offline one at a time to install the hotfix, working through them systematically until the last is complete, and then bringing all of them back online once finished.

What can be done to mitigate this risk?

The suggested approach is to apply the patch(es) provided by Sage as soon as possible. In addition, to mitigate the risk, Sage recommends that customers:

  • Set the AdxAdmin service to “manual” start mode and start the service only when a maintenance operation with the X3 Console is required, then stop the service once the maintenance operation is complete.
  • Put in place a network segmentation strategy thus isolating the administration ports only to authorized personnel.
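The two mitigations above, written out as a PowerShell script for a Windows Sage X3 server. This is an added example, not a script shipped by Sage: it assumes the Windows service is named 'AdxAdmin', that AdxAdmin listens on TCP port 1818 (the usual default; confirm it in your installation), and that administrators connect from the subnet 10.10.50.0/24. Adjust those three values before running it in an elevated PowerShell session on each X3 server.

```powershell
# Added example (not Sage's own tooling). Assumptions, labelled as such:
#   - the Windows service name is 'AdxAdmin'   (verify with: Get-Service *adx*)
#   - AdxAdmin listens on TCP 1818              (usual default; verify in your install)
#   - administrators connect from 10.10.50.0/24
# Run from an elevated PowerShell on each Sage X3 server that hosts AdxAdmin.

$ServiceName  = 'AdxAdmin'
$AdxAdminPort = 1818
$AdminSubnet  = '10.10.50.0/24'
$RuleName     = 'Sage X3 AdxAdmin - admin subnet only'

# Mitigation 1: do not leave AdxAdmin running. Switch it to Manual start and stop it now.
function Set-AdxAdminManual {
    $svc = Get-Service -Name $ServiceName -ErrorAction Stop
    Set-Service -Name $ServiceName -StartupType Manual
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $ServiceName -Force
    }
    Get-Service -Name $ServiceName | Select-Object Name, Status, StartType
}

# Mitigation 2: expose the administration port only to the admin subnet.
# Windows Firewall evaluates explicit Block rules before Allow rules, so a blanket
# "block 1818" rule would also cut off administrators. The correct shape is:
#   default inbound action = Block, no broad Allow rule for the port,
#   and one Allow rule scoped to the admin subnet.
function Set-AdxAdminFirewallScope {
    # Make sure the profiles deny inbound traffic unless a rule allows it.
    Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultInboundAction Block

    # Remove any existing inbound Allow rule for this port that is NOT scoped to the admin subnet
    # (e.g. a rule the installer or an admin created with RemoteAddress = Any).
    Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$AdxAdminPort" } |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
        ForEach-Object {
            Write-Warning "Removing broader inbound rule for port ${AdxAdminPort}: $($_.DisplayName)"
            Remove-NetFirewallRule -Name $_.Name
        }

    # (Re)create the scoped Allow rule idempotently.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $AdxAdminPort -RemoteAddress $AdminSubnet -Action Allow -Profile Any | Out-Null

    Get-NetFirewallRule -DisplayName $RuleName |
        Select-Object DisplayName, Enabled, Direction, Action,
            @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
}

# Maintenance window: run AdxAdmin only for the duration of an X3 Console operation.
# The finally block guarantees the service is stopped even if the operation fails.
function Invoke-AdxAdminMaintenance {
    param([Parameter(Mandatory)][scriptblock]$Work)
    Start-Service -Name $ServiceName
    try {
        & $Work
    }
    finally {
        Stop-Service -Name $ServiceName -Force
        Write-Host "$ServiceName stopped after maintenance."
    }
}

Set-AdxAdminManual
Set-AdxAdminFirewallScope

# Usage: keep AdxAdmin up only while the X3 Console session is open.
Invoke-AdxAdminMaintenance {
    Read-Host 'Perform the X3 Console maintenance now, then press Enter to stop AdxAdmin'
}
```

Check the result with `Get-Service AdxAdmin` (StartType should read Manual, Status Stopped) and `Get-NetFirewallRule -DisplayName 'Sage X3 AdxAdmin*' | Get-NetFirewallAddressFilter` (RemoteAddress should list only the admin subnet). If AdxAdmin listens on a different port in your environment, change $AdxAdminPort; the rule-cleanup step only looks at that port and will not touch other rules.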

Read the Sage X3 Security Best Practice Recommendations, which outline best practices for deploying Sage X3 in a secure way. Our recommendation is that customers review these guidelines to ensure that Sage X3 is deployed securely.