We have found a Critical vulnerability (2017-001-170504). There is a hotfix available.
We encourage all Sitecore customers and partners to read the information below, then apply the hotfix to all Sitecore systems.
If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.
To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the following definitions to categorize security issues: KB0608800.
Vulnerability 2017-001-170504 affects all supported versions of the Sitecore Web Experience Manager and Sitecore® Experience Platform™ 6.5–8.2, and the Sitecore xDB Cloud environment. Versions after 8.2 Update-4 are not affected, and do not require a hotfix.
This vulnerability affects all of the Sitecore systems running these versions. This includes both CMS-only and xDB-enabled modes, single-instance, multi-instance environments, and all Sitecore server roles (Content Delivery, Content Management, Reporting, Processing, Publishing, and so on). It also impacts Sitecore-based intranet sites.
With the exception of Sitecore CMS 6.5, a hotfix is available for all affected versions. Sitecore xDB Cloud environments have been patched.
Due to technical limitations in providing a hotfix for Sitecore CMS 6.5, customers using that version are strongly encouraged to upgrade to Sitecore CMS 6.6, which is the earliest currently supported version of Sitecore.
Sitecore uses a third-party dependency, Telerik, for parts of its user interface. By default, these controls are enabled in all Sitecore environments. To reduce the attack surface area of your application, Sitecore strongly recommends that all customers remove the following configuration from any Sitecore servers except Content Management, which requires these controls.
Follow these steps: remove the following handler registrations from the web.config file on each of those servers:
<add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
<add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
<add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
To confirm that you have mitigated the issue in these environments, access the following URL for your site: http://<your_hostname_here>/Telerik.Web.UI.WebResource.axd
If you receive an HTTP status code 200, the controls are still exposed and you must recheck your web.config file to ensure that the lines listed above have been removed.
If you receive an HTTP status code 404, the controls are no longer exposed. This is the desired outcome.
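The check above can be scripted so it is run against every Content Delivery, Processing or other non-Content-Management host after the web.config change. The script below is an added example and is not Sitecore's own tooling: it probes all three handler paths the bulletin lists (not only Telerik.Web.UI.WebResource.axd) and applies the bulletin's rule that 200 means the controls are still exposed and 404 means they are not. The `fetch` parameter, the `inconclusive` verdict for any other status, and the command-line usage are this example's own assumptions.

```python
"""Probe a Sitecore site for the Telerik handlers named in this bulletin.

Added example, not Sitecore's own tooling. The bulletin's check is a single
GET of Telerik.Web.UI.WebResource.axd; this probes all three handler paths it
tells you to remove and applies the bulletin's rule: 200 = still exposed,
404 = mitigated. `fetch` is injectable so the classification can be exercised
offline with a stand-in; the host name on the command line is your own.
"""
import sys
import urllib.error
import urllib.request

# Paths of the three handler registrations the bulletin says to remove.
TELERIK_HANDLER_PATHS = (
    "Telerik.Web.UI.DialogHandler.aspx",
    "Telerik.Web.UI.SpellCheckHandler.axd",
    "Telerik.Web.UI.WebResource.axd",
)


def http_status(url, timeout=10):
    """Return the HTTP status code of a GET to `url`, including 4xx/5xx.

    Returns None when no HTTP answer came back at all (DNS, refused, timeout),
    so the caller can tell "no response" apart from a real status code.
    """
    request = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as exc:   # 4xx/5xx still carry a code
        return exc.code
    except urllib.error.URLError:           # no HTTP response at all
        return None


def classify(status):
    """Map a status code to the bulletin's two outcomes.

    Anything other than 200 or 404 is neither confirmed exposed nor confirmed
    removed (e.g. 403 from a WAF, 500, or no response) and needs a manual look.
    """
    if status == 200:
        return "exposed"
    if status == 404:
        return "mitigated"
    return "inconclusive"


def audit_host(base_url, fetch=http_status):
    """Probe every Telerik handler path under `base_url`.

    Returns {handler_path: (status_code, verdict)}.
    """
    base = base_url.rstrip("/")
    results = {}
    for path in TELERIK_HANDLER_PATHS:
        status = fetch(f"{base}/{path}")
        results[path] = (status, classify(status))
    return results


def exposed_handlers(results):
    """Handler paths that answered 200 and therefore still need removing."""
    return sorted(path for path, (_, verdict) in results.items()
                  if verdict == "exposed")


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python telerik_probe.py http://<your_hostname_here>")
    findings = audit_host(sys.argv[1])
    for path, (status, verdict) in findings.items():
        print(f"{str(status):>4}  {verdict:<12}  {path}")
    # Non-zero exit while any handler is still reachable, for use in an ops check.
    sys.exit(1 if exposed_handlers(findings) else 0)
```

Run it once per public host name (and once per binding, if a server answers on more than one), and treat any `inconclusive` line as unverified rather than as mitigated: the bulletin only defines the 200 and 404 outcomes.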
Due to the technical limitations of providing a hotfix for Sitecore CMS 6.5, customers running that version are strongly encouraged to upgrade to a version of Sitecore for which a fix exists for this issue. Sitecore CMS 6.6 is the earliest version for which a hotfix is available.
If upgrading is not possible, you must ensure that your attack surface is reduced by following the steps in the previous section for any Sitecore servers that are exposed to the internet.
This will still leave your Content Management system at risk. However, the risk is reduced if the Content Management environment is not exposed to the internet.
Apply the following hotfix to your Content Management or Standalone server(s) to mitigate the vulnerability for Sitecore versions 6.6–8.2. Versions released after 8.2 Update-4 are not affected, and do not require this hotfix.
<add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
<add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
<add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
<dependentAssembly>
  <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
  <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.35" />
</dependentAssembly>
<dependentAssembly>
  <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
  <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.45" />
</dependentAssembly>
<dependentAssembly>
  <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
  <bindingRedirect oldVersion="2015.1.401.45" newVersion="2017.2.621.45" />
</dependentAssembly>
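Both mitigations in this bulletin are web.config changes, so they can be audited from the file itself before any server is reachable. The script below is an added example, not Sitecore's own tooling: it parses a web.config and reports (a) any of the three Telerik handler registrations still present on a server that is not Content Management, and (b) on a Content Management server, any of the three hotfix appSettings keys that is missing, empty, or still set to the YOUR_ENCRYPTION_KEY_HERE placeholder. The sample configurations, the `is_content_management` flag and the wording of the findings are this example's own constructions; it does not check the bindingRedirect part of the hotfix.

```python
"""Audit a Sitecore web.config against the mitigations in this bulletin.

Added example, not Sitecore's own tooling. Checks that the three Telerik
handler registrations are gone from every server except Content Management,
and that on Content Management the three hotfix appSettings keys exist and no
longer hold the YOUR_ENCRYPTION_KEY_HERE placeholder. The sample configs are
constructed for this example; the role flag is this example's convention.
"""
import xml.etree.ElementTree as ET

# The handler names the bulletin says to remove from non-Content-Management servers.
TELERIK_HANDLER_NAMES = {
    "Telerik_Web_UI_DialogHandler_aspx",
    "Telerik_Web_UI_SpellCheckHandler_axd",
    "Telerik_Web_UI_WebResource_axd",
}
# The appSettings keys the hotfix adds on Content Management / Standalone servers.
HOTFIX_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)
PLACEHOLDER = "YOUR_ENCRYPTION_KEY_HERE"


def audit_web_config(xml_text, is_content_management):
    """Return a list of finding strings; an empty list means no issue found."""
    root = ET.fromstring(xml_text)
    findings = []

    # (a) Telerik handlers must be gone everywhere except Content Management.
    registered = sorted(
        add.get("name")
        for add in root.findall("./system.webServer/handlers/add")
        if add.get("name") in TELERIK_HANDLER_NAMES
    )
    if registered and not is_content_management:
        findings.append("Telerik handlers still registered: " + ", ".join(registered))

    # (b) On Content Management the hotfix keys must exist and hold a real value.
    if is_content_management:
        settings = {add.get("key"): add.get("value")
                    for add in root.findall("./appSettings/add")}
        for key in HOTFIX_KEYS:
            value = settings.get(key)
            if value is None:
                findings.append(f"hotfix key missing: {key}")
            elif not value or value == PLACEHOLDER:
                findings.append(f"hotfix key still holds placeholder or is empty: {key}")
    return findings


# Constructed sample input: the three handler lines exactly as the bulletin lists them.
HANDLERS_XML = """
    <handlers>
      <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
      <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
      <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
    </handlers>"""


def sample_config(handlers_xml, key_value):
    """Constructed web.config skeleton; key_value=None omits the hotfix keys."""
    keys = "" if key_value is None else "".join(
        f'    <add key="{k}" value="{key_value}" />\n' for k in HOTFIX_KEYS)
    return (f"<configuration>\n  <appSettings>\n{keys}  </appSettings>\n"
            f"  <system.webServer>{handlers_xml}\n  </system.webServer>\n"
            f"</configuration>")


# Constructed samples: a Content Delivery server before the handlers were removed,
# a Content Management server with the keys still at their placeholder, and a
# Content Management server with an example (non-secret) value filled in.
UNPATCHED_CD = sample_config(HANDLERS_XML, None)
PLACEHOLDER_CM = sample_config(HANDLERS_XML, PLACEHOLDER)
PATCHED_CM = sample_config(HANDLERS_XML, "example-only-value-0123456789abcdef")

if __name__ == "__main__":
    for label, cfg, is_cm in (("CD, unpatched", UNPATCHED_CD, False),
                              ("CM, placeholder", PLACEHOLDER_CM, True),
                              ("CM, patched", PATCHED_CM, True)):
        print(f"{label}: {audit_web_config(cfg, is_cm) or 'no findings'}")
```

Point it at the real web.config (read the file and pass its text) with the flag set according to the server's role; a handler finding on a Content Delivery or Processing server means the removal step above was not completed, and a placeholder finding on Content Management means the hotfix keys were copied in without being given a value.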