At Perforce, we are committed to maintaining the highest standards of security for our products and our customers. Recently, we had the opportunity to further strengthen the security of Helix Core, thanks to valuable input from an independent security researcher.
This experience has not only reinforced our robust security protocols but also provided insights that we are using to improve our testing and release practices.
Potential Impact
An independent security researcher identified denial-of-service (DoS) vulnerabilities that could cause the version control system to become inoperative until an administrator manually restarts the service. As a result, this issue has been rated High, with a CVSS score of 8.7.
There is no legal or ransomware exposure, as the vulnerability does not facilitate ransomware attacks on customers or Perforce's internal infrastructure.
Solution
Our product development and security teams have addressed the vulnerability and implemented the necessary safeguards in Helix Core, including fixes for CVE-2024-10314, CVE-2024-10344, and CVE-2024-10345. These security fixes are available in:
- Helix Core 2024.2 (initial release)
- Helix Core 2024.1 (patch release)
- Helix Core 2023.2 (patch release)
- Helix Core 2023.1 (patch release)
- Helix Core 2022.2 (patch release)
If you are a Helix Core user, you can resolve this issue by installing the latest version or a patched version (see ‘Earlier Versions’ in the sidebar), available on our download page.
If you are a Helix Core Cloud user, no action is required as the issue has been addressed.
Continuous Improvement in Security Practices
We thank the external researchers involved for responsibly disclosing this issue and thank you for being a valued Perforce customer and user.