The information on the latest update

Description

We have found a Critical vulnerability (2017-001-170504). There is a hotfix available.

We encourage all Sitecore customers and partners to read the information below, then apply the hotfix to all Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the following definitions to categorize security issues: KB0608800.

Versions

Versions affected:

Vulnerability 2017-001-170504 affects all supported versions of the Sitecore Web Experience Manager and Sitecore® Experience Platform™ 6.5–8.2, and the Sitecore xDB Cloud environment. Versions after 8.2 Update-4 are not affected, and do not require a hotfix.

This vulnerability affects all of the Sitecore systems running these versions. This includes both CMS-only and xDB-enabled modes, single-instance, multi-instance environments, and all Sitecore server roles (Content Delivery, Content Management, Reporting, Processing, Publishing, and so on). It also impacts Sitecore-based intranet sites.

With the exception of Sitecore CMS 6.5, a hotfix is available for all affected versions. Sitecore xDB Cloud environments have been patched.

Due to technical limitations in providing a hotfix for Sitecore CMS 6.5, customers using that version are strongly encouraged to upgrade to Sitecore CMS 6.6, which is the earliest currently supported version of Sitecore.

Surface Area Reduction For All Sitecore Versions (6.5–8.2)

Sitecore uses a third-party dependency, Telerik, for parts of its user interface. By default, these controls are enabled in all Sitecore environments. To reduce the attack surface area of your application, Sitecore strongly recommends that all customers remove the following configuration from any Sitecore servers except Content Management, which requires these controls.

Follow these steps:

1. 1. Open the web.config file within your Sitecore web root.
   2. Remove the following lines from the web.config file:

<add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />

<add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />

<add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />

1. Save and close the web.config file.

To confirm that you have mitigated the issue in these environments, access the following URL for your site: http://<your_hostname_here>/Telerik.Web.UI.WebResource.axd

If you receive an HTTP status code 200, the controls are still exposed and you must recheck your web.config file to ensure that the lines listed above have been removed.

If you receive an HTTP status code 404, the controls are no longer exposed. This is the desired outcome.

Solution

• For Sitecore CMS 6.5:
  

  Due to the technical limitations of providing a hotfix for this Sitecore CMS version, customers are strongly encouraged to upgrade to a version of Sitecore for which a fix exists for this issue. Sitecore CMS 6.6 is the earliest version for which there is a hotfix available.

  If upgrading is not possible, you must ensure that your attack surface is reduced by following the steps in the previous section for any Sitecore servers that are exposed to the internet.

  This will still leave your Content Management system at risk. However, the risk is reduced if the Content Management environment is not exposed to the internet.

• For Sitecore Versions 6.6–8.2:
  

  Apply the following hotfix to your Content Management or Standalone server(s) to mitigate the vulnerability for Sitecore versions 6.6–8.2. Versions released after 8.2 Update-4 are not affected, and do not require this hotfix.

  
  
  1. Download the ZIP archive containing the hotfix (download only the hotfix specific to your Sitecore version):
     
     • For Sitecore version 6.6: Sitecore CMS 6.6 Security Hotfix 170504.zip
     • For Sitecore versions 7.0–8.0: Sitecore CMS 7.0-8.0 Security Hotfix 170504.zip
     • For Sitecore versions 8.1–8.2: Sitecore CMS 8.1-8.2 Security Hotfix 170504.zip
  2. Back up the following files in your Sitecore website folder:
     
     • \bin\Telerik.Web.UI.dll
     • \bin\Telerik.Web.UI.Skins.dll
     • \bin\Telerik.Web.UI.xml
     • \sitecore\shell\Controls\Rich Text Editor\RTEfixes.js
  3. Extract the contents of the archive to the Sitecore website folder.
  4. Open the web.config file within your Sitecore website root folder.
  5. Add the following lines within the <appSettings> node:

     <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
     <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
     <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />

  6. Replace the placeholder text "YOUR_ENCRYPTION_KEY_HERE" with a string of characters that will be used to secure the capabilities of Telerik controls. The string should be a set of random characters and numbers, up to a length of 256 characters. We recommend a minimum of 32 characters to be used.
  7. Inside the <assemblyBinding> node of the <runtime> section in the web.config file, add the following configuration depending upon your Sitecore version:
     
     • Sitecore 6.6

       <dependentAssembly>
             <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
             <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.35" /> 
       </dependentAssembly>

     • Sitecore 7.0–8.0

       <dependentAssembly>
             <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
             <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.45" /> 
       </dependentAssembly>

     • Sitecore 8.1–8.2

       <dependentAssembly>
             <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
             <bindingRedirect oldVersion="2015.1.401.45" newVersion="2017.2.621.45" />  
       </dependentAssembly>

  8. Save and close the web.config file.
  9. Clear the browser cache.
  10. If you have a <machineKey> node under the <system.web> section in the web.config file, generate a new Machine Key. You can use the generator in the IIS Manager application: https://blogs.msdn.microsoft.com/amb/2012/07/31/easiest-way-to-generate-machinekey.

References

• www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness (CVE-2017-9248)
• www.github.com/straightblast/UnRadAsyncUpload/wiki
• www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/unrestricted-file-upload (CVE-2014-2217, CVE-2017-11317)
• www.telerik.com/support/kb/aspnet-ajax/upload-(async)/details/allows-javascriptserializer-deserialization (CVE-2019-18935)

History of updates

• 18-Jul-2017: the hotfix for Sitecore XP 8.1–8.2 was updated. It now includes the RTEfixes.js file, which fixes some minor issues introduced by the updated assemblies. These issues do not affect the security of Telerik controls and are related to inserting and deleting hyperlinks in the Rich Text Editor fields. We recommend that you apply the newer version of the 8.1–8.2 hotfix to avoid these problems. The hotfixes for versions 6.6–8.0 were not updated and do not need to be re-applied.
• 21-Mar-2018: the wording regarding affected versions was updated. The issue has been fixed in Sitecore XP versions released after 8.2 Update-4.
• 08-Apr-2019: the wording regarding server roles was updated. The fix should be applied to Content Management or Standalone Sitecore servers.
• 06-Jun-2019: links to hotfix packages were updated. Hotfixes were not changed, there is no need to reinstall them.
• 11-Sep-2019: a link to Security Bulletins RSS Feed was added.
• 30-Sep-2019: a typo in the hotfix link was corrected.
• 28-Nov-2019: applies To field was updated.
• 12-May-2020: links to Telerik UI security vulnerabilities CVE-2014-2217, CVE-2017-11317, and CVE-2019-18935 were added to References. The issues were fixed in Telerik's public assemblies starting from 2017.2.711. Telerik provided fixes to Sitecore as custom updates for assembly versions that are compatible with Sitecore CMS/XP. This means that versions prior to the mentioned in the article Allows JavaScriptSerializer Deserialization and used in the current hotfix (and Sitecore XP 8.2 Update-5 and later) already include the solution for these issues, so they do not need to be updated.
• 29-Sep-2020: some broken links were fixed and missing CVE IDs added.
• 30-Jun-2021: updated a broken link in "Security Bulletins RSS Feed" to KB1000489, made minor changes in styling.
• 03-Aug-2021: minor change, i.e., paraphrased the 7th list item in Solution for For Sitecore Versions 6.6–8.2.
• 26-Dec-2022: minor change, i.e., updated broken links to hotfixes.