Connections with HCL Docs installs LibreOffice 7, from 2020.
Current LibreOffice with lots of fixes is LibreOffice 25.2.5
Comnnections 8
Windows 2019 and Rocky Linux 8
Problem/Query:
Hello and thank you for posting this topic! We’re working on a Docs update and expanded guidance on LibreOffice versioning, and we will share more information here next week.
Thank you,
Michael Montani
HCL Connections Support
Hello - Just wanted to follow-up and let you know that we’re still discussing specifics on this internally. We will be posting a reply to this thread as soon as we can.
Thank you,
Michael Montani
HCL Connections Support
Thank you for raising this question.
The version of LibreOffice included with HCL Connections and HCL Docs is reviewed and evaluated with each release. Our focus is on ensuring stability, compatibility, and security for the specific functions it supports.
While it is technically possible to upgrade LibreOffice independently, doing so would result in a version combination that has not been explicitly tested by HCL. If the updated version of LibreOffice is found to be the cause of a reported issue it would fall under other configuration with limited support. We will continue to assess and update the bundled LibreOffice version when required to address security vulnerabilities, maintain compatibility, or meet evolving product requirements.
Hi,
It is interesting that when we ask for LibreOffice updates, support and development are telling us that only small parts of LibreOffice are used and the attack surface is small. I would read that the other way around and say that this makes it easy to integrate an up-to-date version.
The last delivered version from CF1 has been end-of-support/live for 13 months. Security scanners at customers report this on each run. It’s not just that the tested version is outdated but also shows up on security scans, and we need to argue with security teams why such old versions need to be deployed!
The problem with outdated products is that you may not use the vulnerable functions, but a possible attacker can use them. So it’s not enough to check if a vulnerable function is used or published, but also that there is no security hole deployed.
Other prerequisites in Connections have the support state
Why not document the process of updating LibreOffice and remove it from the Docs package?
LibreOffice versions:
| Version | Release | End of Support | Docs Version |
|---|---|---|---|
| 7.2 | August 2021 | June 2022 | 2.0.2 (release August 2022) |
| 7.6 | August 2023 | June 2024 | 2.0.2CF1 (release January 2025) |
| 24.2 | Jan 2024 | November 2024 | |
| 24.8 | August 2024 | June 2025 | |
| 25.2 | Januar 2025 | November 2025 | |
| 25.8 | August 2025 | June 2026 |
There are already known advisories for 7.6.7: Security Advisories | LibreOffice - Free and private office suite - Based on OpenOffice - Compatible with Microsoft and these sound severe.
Regards,
Christoph
Hey Christoph,
Thank you for the feedback, all valid points! I’ve confirmed we are working on publishing documentation for upgrading LibreOffice manually and clarifying how this will be supported. For any questions or assistance on upgrading LibreOffice in the meantime, please open a support case. We’ll also continue to evaluate the version we provide, taking all these points into consideration.
Thanks,
Trevor
I did open a support caase. They point me to this discussion, without providing version guidelines for LibreOffice or Java (which LibreOffice comes with). I’ll just update both to the latest and cross my fingers nothing breaks. Doing nothing feels like running in the direction of a mile deep cliff.