Security Bulletin SC2017-001-170504

The information on the latest update


We have found a Critical vulnerability (2017-001-170504). There is a hotfix available.

We encourage all Sitecore customers and partners to read the information below, then apply the hotfix to all Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the following definitions to categorize security issues: KB0608800.


Versions affected:

Vulnerability 2017-001-170504 affects all supported versions of the Sitecore Web Experience Manager and Sitecore® Experience Platform™ 6.5–8.2, and the Sitecore xDB Cloud environment. Versions after 8.2 Update-4 are not affected, and do not require a hotfix.

This vulnerability affects all of the Sitecore systems running these versions. This includes both CMS-only and xDB-enabled modes, single-instance, multi-instance environments, and all Sitecore server roles (Content Delivery, Content Management, Reporting, Processing, Publishing, and so on). It also impacts Sitecore-based intranet sites.

With the exception of Sitecore CMS 6.5, a hotfix is available for all affected versions. Sitecore xDB Cloud environments have been patched.

Due to technical limitations in providing a hotfix for Sitecore CMS 6.5, customers using that version are strongly encouraged to upgrade to Sitecore CMS 6.6, which is the earliest currently supported version of Sitecore.

Surface Area Reduction For All Sitecore Versions (6.5–8.2)

Sitecore uses a third-party dependency, Telerik, for parts of its user interface. By default, these controls are enabled in all Sitecore environments. To reduce the attack surface area of your application, Sitecore strongly recommends that all customers remove the following configuration from any Sitecore servers except Content Management, which requires these controls.

Follow these steps:

    1. Open the web.config file within your Sitecore web root.
    2. Remove the following lines from the web.config file:
<add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
<add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
<add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
  1. Save and close the web.config file.

To confirm that you have mitigated the issue in these environments, access the following URL for your site: http://<your_hostname_here>/Telerik.Web.UI.WebResource.axd

If you receive an HTTP status code 200, the controls are still exposed and you must recheck your web.config file to ensure that the lines listed above have been removed.

If you receive an HTTP status code 404, the controls are no longer exposed. This is the desired outcome.



History of updates