The information on the latest update
In this security bulletin we bring you information on new security-related developments at Sitecore.
We are reporting a Critical vulnerability (SC2016-001-128003) for which there is a hotfix available.
We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the hotfix to all Sitecore systems.
If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.
To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: KB0608800.
Versions affected
Vulnerability SC2016-001-128003 affects the following versions:
The vulnerability is applicable to all Sitecore systems running the affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, and so on). It is also applicable to externally inaccessible Sitecore environments such as intranets.
The hotfix is available for all the affected Sitecore versions.
Versions not affected
For Sitecore XP 7.5 to 8.2, choose one of the following options to install the hotfix:
Contact Sitecore Support if you experience difficulties installing the hotfix.
The fix introduces a whitelist of the .NET types that may be deserialized as part of the session state; a type that is not on the list is rejected instead of being instantiated. For more details about the Sitecore session state, refer to the Sitecore session state documentation.
In some customer scenarios the whitelist must be extended to include the object types that are actually stored in the session state.
The whitelist is configured via the \Website\App_Config\Include\Sitecore.SessionSerialization.config file.
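To make the mechanism concrete, here is an added example (not Sitecore's implementation and not the contents of Sitecore.SessionSerialization.config) of a `SerializationBinder` that enforces a type allow-list on `BinaryFormatter` input, which is the kind of control a session-state type whitelist relies on. It targets .NET Framework 4.x; the `CartItem` and `LegacyBlob` types, the key format "Type, Assembly" and the exact warning wording are assumptions modelled on the log line quoted later in this bulletin.

```csharp
// Added example, not Sitecore's code: a SerializationBinder that refuses any
// type not on an explicit allow-list. Assumed types and wording throughout.
using System;
using System.Collections.Generic;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

[Serializable]
public class CartItem { public string Sku; public int Quantity; }   // hypothetical, on the list

[Serializable]
public class LegacyBlob { public string Payload; }                   // hypothetical, not on the list

// BinaryFormatter consults the binder for every non-primitive type name in the
// stream before constructing an instance, so a refused type is never created.
public sealed class AllowListBinder : SerializationBinder
{
    // key: "Namespace.Type, AssemblySimpleName" -> resolved Type
    private readonly Dictionary<string, Type> allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(params Type[] allowedTypes)
    {
        foreach (Type t in allowedTypes)
            allowed[t.FullName + ", " + t.Assembly.GetName().Name] = t;
    }

    public override Type BindToType(string assemblyName, string typeName)
    {
        // assemblyName arrives as a full display name ("Asm, Version=..., Culture=...");
        // compare on the simple name only.
        string simpleAssembly = assemblyName.Split(',')[0].Trim();
        Type resolved;
        if (allowed.TryGetValue(typeName + ", " + simpleAssembly, out resolved))
            return resolved;

        // Same shape as the warning quoted in the bulletin; a web application
        // would write this to its log and answer the request with HTTP 400.
        Console.WriteLine("WARN Binding for type {0} from assembly {1} is not allowed.",
                          typeName, simpleAssembly);
        throw new SerializationException("Type is not on the session-state whitelist: " + typeName);
    }
}

public static class Program
{
    // Producer side: whoever wrote the bytes needed no binder to do so.
    static byte[] Serialize(object o)
    {
        var ms = new MemoryStream();
        new BinaryFormatter().Serialize(ms, o);
        return ms.ToArray();
    }

    // Consumer side: every type name in the stream must pass the allow-list.
    static object DeserializeWithAllowList(byte[] data)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder(typeof(CartItem)) };
        return formatter.Deserialize(new MemoryStream(data));
    }

    public static void Main()
    {
        // 1. A whitelisted type round-trips normally.
        var item = (CartItem)DeserializeWithAllowList(
            Serialize(new CartItem { Sku = "ABC-1", Quantity = 2 }));
        Console.WriteLine("OK: {0} x{1}", item.Sku, item.Quantity);

        // 2. A type missing from the list is refused before it is instantiated.
        try
        {
            DeserializeWithAllowList(Serialize(new LegacyBlob { Payload = "stale" }));
            Console.WriteLine("BUG: LegacyBlob should have been rejected");
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("Rejected: " + ex.Message);
        }
    }
}
```

Adding `typeof(LegacyBlob)` to the `AllowListBinder` constructor call is the analogue of adding an entry to the `<allowedTypes>` node. Every type you add is a type that untrusted session data can make the server instantiate, so list exactly the types you store and nothing broader.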
Adding types
If you run a clustered environment (multiple Content Delivery instance groups in multiple locations) and have extended the session state to include custom object types, you will need to include those types in the whitelist.
Note: This does not apply to objects stored in the standard ASP.NET session state using the standard ASP.NET API.
If you do not extend the whitelist to include your custom session state types, affected requests fail with an HTTP 400 (Bad Request) status and the Sitecore log contains an entry in the following format:
WARN Binding for type MyCustomType from assembly MyCustomAssembly is not allowed.
This message indicates that you have a type that is not currently in the <allowedTypes> node.
To remedy this issue, add your custom type to the <allowedTypes> node, following the convention of the other types defined in Sitecore.SessionSerialization.config.
If you do not run a clustered environment, you do not need to extend the whitelist. This applies even when including custom object types in the session state or using Sitecore modules.
Removing types
Due to variations in the session state types across the affected Sitecore versions, you may note entries like this in the Sitecore log files:
WARN Failed to parse type. Input string: SomeType, SomeAssembly
This message indicates that a particular type was included in the <allowedTypes> node that does not exist in your Sitecore version.
These warnings are benign, but to keep your log files from being polluted with a large number of them, Sitecore recommends removing such items from the <allowedTypes> node. Sitecore has determined that these warnings may occur in Sitecore versions 7.5 and 8.0.
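The "Adding types" and "Removing types" sections above both amount to reading warnings out of the Sitecore log and deciding what to change in the <allowedTypes> node. The following added example (not Sitecore's tooling) triages the two warning formats quoted in this bulletin into an "add" list and a "remove" list. The log lines it scans are constructed samples; the text before WARN mimics a Sitecore log prefix and is ignored by the patterns, and the "Type, Assembly" key format is an assumption.

```csharp
// Added example, not Sitecore's code: sort the two WARN messages described in
// this bulletin into "add to <allowedTypes>" and "remove from <allowedTypes>".
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class SessionWhitelistTriage
{
    // "Binding for type X from assembly Y is not allowed." -> a type that was refused
    static readonly Regex NotAllowed = new Regex(
        @"WARN Binding for type (?<type>.+?) from assembly (?<asm>.+?) is not allowed\.",
        RegexOptions.Compiled);

    // "Failed to parse type. Input string: T, A" -> a whitelist entry that does not
    // exist in this Sitecore version
    static readonly Regex FailedToParse = new Regex(
        @"WARN Failed to parse type\. Input string: (?<entry>.+?)\s*$",
        RegexOptions.Compiled);

    public static void Triage(IEnumerable<string> logLines,
                              out SortedSet<string> toAdd, out SortedSet<string> toRemove)
    {
        toAdd = new SortedSet<string>(StringComparer.Ordinal);
        toRemove = new SortedSet<string>(StringComparer.Ordinal);
        foreach (string line in logLines)
        {
            Match m = NotAllowed.Match(line);
            if (m.Success)
            {
                // Same "Type, Assembly" form as the other entries in the config file.
                toAdd.Add(m.Groups["type"].Value + ", " + m.Groups["asm"].Value);
                continue;
            }
            m = FailedToParse.Match(line);
            if (m.Success)
                toRemove.Add(m.Groups["entry"].Value);
        }
    }

    public static void Main()
    {
        string[] sample =   // constructed sample log lines
        {
            "ManagedPoolThread #3 10:15:02 INFO  Job started: Publish",
            "ManagedPoolThread #7 10:15:09 WARN Binding for type MyCompany.Web.Session.CartState from assembly MyCompany.Web is not allowed.",
            "ManagedPoolThread #7 10:15:09 WARN Binding for type MyCompany.Web.Session.CartState from assembly MyCompany.Web is not allowed.",
            "ManagedPoolThread #2 10:16:44 WARN Failed to parse type. Input string: SomeType, SomeAssembly",
            "ManagedPoolThread #5 10:17:01 ERROR Unrelated exception text",
        };

        SortedSet<string> add, remove;
        Triage(sample, out add, out remove);

        Console.WriteLine("Candidates to add to <allowedTypes> (only if they are types your session state really stores):");
        foreach (string t in add) Console.WriteLine("  " + t);
        Console.WriteLine("Entries to remove from <allowedTypes> (they do not exist in this Sitecore version):");
        foreach (string t in remove) Console.WriteLine("  " + t);
    }
}
```

Treat the "add" list as candidates, not as instructions: a "not allowed" warning shows that a type name was presented to the deserializer, not that your code stores it. Only add types you recognise as your own session objects; an unfamiliar type name in that warning is exactly what the whitelist exists to block.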
After installing the hotfix, verify that the installation succeeded.
To do so, check each of your Sitecore instances for the three files listed below.
If all of the files are present on an instance, the hotfix has been successfully installed on that instance.