Security Bulletin SC2016-001-128003


The information on the latest update

Description

In this security bulletin we bring you information on new security-related developments at Sitecore.

We are reporting a Critical vulnerability (SC2016-001-128003) for which there is a hotfix available.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the hotfix to all Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:
KB0608800

Versions

Versions affected

Vulnerability SC2016-001-128003 affects the following versions:

The vulnerability is applicable to all Sitecore systems running the affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, and so on). It is also applicable to externally inaccessible Sitecore environments such as intranets.

The hotfix is available for all the affected Sitecore versions.

Versions not affected

Solution

For Sitecore XP 7.5—8.2, consider any of the following options to install the hotfix:

Contact Sitecore Support if you experience difficulties installing the hotfix.

Post-Installation Steps

The fix introduces a whitelist of .NET types that can be a part of the session state. For more details about the Sitecore session state, refer to here.

For certain customer scenarios, the whitelist needs to be fine-tuned to include the object types actively used in the session state.

The whitelist is configured via the \Website\App_Config\Include\Sitecore.SessionSerialization.config file.

Adding types

Removing types

Due to variations in the session state types across the affected Sitecore versions, you may note entries like this in the Sitecore log files:

WARN  Failed to parse type. Input string: SomeType, SomeAssembly

This message indicates that a particular type was included in the <allowedTypes> node that does not exist in your Sitecore version.

These warnings are benign, but to ensure that your log files are not polluted with an excessive amount of warnings, Sitecore recommends removing such items from the <allowedTypes> node. Sitecore has determined that this type of warnings may occur in Sitecore versions 7.5 and 8.0.

Validating The Fix

After installing the hotfix, it may be required to validate if the installation was successful.

To check if the hotfix has been properly installed, check each of your Sitecore instances for three files listed below.

If all of the files are present, the hotfix has been successfully installed.

History of updates