Security Bulletin SC2016-002-136135


The information on the latest update

Description

We are reporting an Important vulnerability (SC2016-002-136135), for which there is a hotfix available.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the hotfix to all Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: Severity Definitions for Security Vulnerabilities.

Versions

Versions affected

Vulnerability SC2016-002-136135 affects all versions of Sitecore CMS/XP 7.2, 7.5, 8.0.x, 8.1.x, 8.2.0, and 8.2.1.

This vulnerability impacts all Sitecore systems running the above-mentioned versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content management, reporting, processing, publishing, etc.). It also impacts Sitecore-based intranet sites.

A hotfix is available for all affected versions.

Versions not affected

Sitecore CMS 6.3—7.1 versions are not vulnerable. Sitecore xDB Cloud environments are not affected, as the appropriate fix has already been applied there.

The vulnerability was fixed in Sitecore XP 8.2 Update-2.

Solution

For Sitecore CMS/XP 7.2—8.2.1, proceed as follows:

  1. Download the ZIP archive with the hotfix from here.
  2. Extract the contents of the archive.
  3. On every Sitecore instance perform the following actions:
    • Copy the contents of the extracted archive to the /Website folder.
    • Edit the web.config file and locate this line within the "/configuration/system.web/httpHandlers" node:
      <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" />
      Replace the line above with this one:
      <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135" />

      Note: the 'httpHandlers' node may be absent from your web.config file. It is used only when the IIS application pool of your Sitecore website runs in Classic mode. If the node is absent, do not create it; only the 'system.webServer/handlers' entry below needs to be changed.

    • Edit the web.config file and locate this line within the "/configuration/system.webServer/handlers" node:
      <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" name="Sitecore.IconRequestHandler" />
      Replace the line above with this one:
      <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135" name="Sitecore.Support.IconRequestHandler" />
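The web.config edit in step 3 has to be repeated on every instance, and it is easy to patch one of the two handler nodes and miss the other. The following script is an added example, not part of this bulletin or of Sitecore's hotfix package: it reports whether a web.config still carries the original `Sitecore.Kernel` registration, the hotfix `Sitecore.Support.136135` registration, or a mix of both, and rewrites the registration(s) as text so that comments and formatting in the file survive. The sample web.config embedded below is constructed for the example; the script name and the `.bak` backup convention are assumptions. It does not copy the hotfix files into /Website (step 3, first bullet), which must still be done first, since the new `type` attribute refers to an assembly that has to be loadable from /Website/bin.

```python
"""Audit and apply the SC2016-002-136135 web.config handler swap.

Added example, not Sitecore's own tooling. It assumes the hotfix archive has
already been copied into /Website (so Sitecore.Support.136135 is in /bin) and
only handles the two handler registrations in web.config, plus a re-check.
"""
import re
import sys
import xml.etree.ElementTree as ET

HANDLER_PATH = "sitecore_icon.ashx"
ORIGINAL_TYPE = "Sitecore.Resources.IconRequestHandler, Sitecore.Kernel"
HOTFIX_TYPE = "Sitecore.Support.Resources.IconRequestHandler, Sitecore.Support.136135"
ORIGINAL_NAME = "Sitecore.IconRequestHandler"
HOTFIX_NAME = "Sitecore.Support.IconRequestHandler"

# The two places the handler can be registered: Classic pipeline and Integrated pipeline.
SECTIONS = {
    "system.web/httpHandlers": ("system.web", "httpHandlers"),
    "system.webServer/handlers": ("system.webServer", "handlers"),
}


def _child(elem, tag):
    """Direct child lookup by tag name (tags such as 'system.web' contain dots, so no XPath)."""
    return next((c for c in elem if c.tag == tag), None)


def icon_handler_types(web_config_xml):
    """Map section label -> type attribute of its sitecore_icon.ashx <add>, for sections present."""
    root = ET.fromstring(web_config_xml)
    found = {}
    for label, (parent_tag, section_tag) in SECTIONS.items():
        parent = _child(root, parent_tag)
        section = _child(parent, section_tag) if parent is not None else None
        if section is None:
            continue  # httpHandlers is legitimately absent in Integrated mode
        for add in section.findall("add"):
            if add.get("path") == HANDLER_PATH:
                found[label] = add.get("type")
    return found


def hotfix_status(web_config_xml):
    """'applied', 'not-applied', 'partial' (one node patched) or 'missing' (no registration)."""
    types = list(icon_handler_types(web_config_xml).values())
    if not types:
        return "missing"
    if all(t == HOTFIX_TYPE for t in types):
        return "applied"
    if all(t == ORIGINAL_TYPE for t in types):
        return "not-applied"
    return "partial"


# Matches each <add ... path="sitecore_icon.ashx" ... /> element as raw text.
_ADD_ELEMENT = re.compile(r'<add\b[^>]*?\bpath="sitecore_icon\.ashx"[^>]*?/?>')


def apply_hotfix(web_config_xml):
    """Swap type (and, for the Integrated node, name) inside the matched elements only."""
    def swap(match):
        element = match.group(0)
        element = element.replace(f'type="{ORIGINAL_TYPE}"', f'type="{HOTFIX_TYPE}"')
        element = element.replace(f'name="{ORIGINAL_NAME}"', f'name="{HOTFIX_NAME}"')
        return element

    patched = _ADD_ELEMENT.sub(swap, web_config_xml)
    # Re-parse and verify; a customised registration that the textual swap did not
    # recognise must be fixed by hand rather than silently left vulnerable.
    if hotfix_status(patched) != "applied":
        raise RuntimeError("web.config still not fully patched; edit the handler registrations manually")
    return patched


# Constructed sample; a real web.config has many more entries in both nodes.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpHandlers>
      <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" />
    </httpHandlers>
  </system.web>
  <system.webServer>
    <handlers>
      <!-- other Sitecore handlers omitted from this constructed sample -->
      <add verb="*" path="sitecore_icon.ashx" type="Sitecore.Resources.IconRequestHandler, Sitecore.Kernel" name="Sitecore.IconRequestHandler" />
    </handlers>
  </system.webServer>
</configuration>
"""

if __name__ == "__main__":
    # usage: python sc136135_webconfig.py [C:\inetpub\wwwroot\<site>\Website\web.config]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8-sig") as fh:   # web.config is often BOM-prefixed
            original = fh.read()
        patched = apply_hotfix(original)
        with open(sys.argv[1] + ".bak", "w", encoding="utf-8") as fh:
            fh.write(original)
        with open(sys.argv[1], "w", encoding="utf-8") as fh:
            fh.write(patched)
        print("patched; backup written to", sys.argv[1] + ".bak")
    else:
        print("sample before:", hotfix_status(SAMPLE_WEB_CONFIG))
        print("sample after: ", hotfix_status(apply_hotfix(SAMPLE_WEB_CONFIG)))
```

Run it without arguments to exercise the embedded sample, or with the path to an instance's web.config to patch that file (a `.bak` copy is written first). Saving web.config makes IIS restart the application domain, so schedule the edit accordingly; afterwards, running the script a second time should report `applied` for every instance, which is the check to record before closing out the bulletin.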

History of updates