The information on the latest update
We are reporting an Important vulnerability (SC2016-002-136135), for which there is a hotfix available.
We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the hotfix to all Sitecore systems.
If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.
To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: Severity Definitions for Security Vulnerabilities.
Versions affected
Vulnerability SC2016-002-136135 affects all versions of Sitecore CMS/XP 7.2, 7.5, 8.0.x, 8.1.x, 8.2.0, and 8.2.1.
This vulnerability impacts all Sitecore systems running the above-mentioned versions. This includes CMS-only and xDB enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content management, reporting, processing, publishing, etc). It also impacts Sitecore-based intranet sites.
A hotfix is available for all affected versions.
Versions not affected
Sitecore CMS 6.3—7.1 versions are not vulnerable. Sitecore xDB Cloud environments are not affected as appropriate fix has been implemented.
The vulnerability was fixed in Sitecore XP 8.2 Update-2.
For Sitecore CMS/XP 7.2—8.2.1, proceed as follows:
<add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" />Replace the line above with this one:
<add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135" />
Note: you may not have the 'httpHandlers' node in your web.config file. It is used only if the IIS application pool of your Sitecore website is running in the Classic mode. Therefore, if there is no 'httpHandlers' node, you don't need to create it.
<add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" name="Sitecore.IconRequestHandler" />Replace the line above with this one:
<add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135" name="Sitecore.Support.IconRequestHandler" />