The information on the latest update

Description

This article reports Critical vulnerability (SC2021-001-475944) in Sitecore software, for which there is a solution available.

This issue is related to a remote code execution vulnerability in System.Text.Encodings.Web.dll: CVE-2021-26701.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Versions

Versions affected

Vulnerability SC2021-001-475944 affects the following Sitecore XP versions:

• Sitecore XP 9.0 Update-1
• Sitecore XP 9.0 Update-2
• Sitecore XP 9.1 Initial Release
• Sitecore XP 9.1 Update-1
• Sitecore XP 9.2 Initial Release
• Sitecore XP 9.3 Initial Release
• Sitecore XP 10.0 Initial Release
• Sitecore XP 10.0 Update-1
• Sitecore XP 10.1 Initial Release

This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, and so on).

It also affects the following Sitecore Commerce versions:

• Sitecore Commerce 8.2.1 Initial Release
• Sitecore Commerce 8.2.1 Update-1
• Sitecore Commerce 8.2.1 Update-2
• Sitecore Commerce 8.2.1 Update-3
• Sitecore Experience Commerce 9.0 Initial Release
• Sitecore Experience Commerce 9.0 Update-1
• Sitecore Experience Commerce 9.0 Update-2
• Sitecore Experience Commerce 9.0 Update-3
• Sitecore Experience Commerce 9.1 Initial Release
• Sitecore Experience Commerce 9.2 Initial Release
• Sitecore Experience Commerce 9.3 Initial Release
• Sitecore Identity provided with Sitecore Experience Commerce 9.0 (versions from 1.0 to 1.4)

Additionally, some standalone services are affected:

• Sitecore Identity (versions from 2.0.0 to 6.0.0)
• Sitecore Horizon (versions 9.3.0 Initial Release and 10.1.0)
• Sitecore Publishing Service (versions from 1.1 Initial Release to 5.0.0)

A solution is available for the affected versions.

Important notes:

• To resolve the vulnerability for Sitecore 10.1 Initial Release running in a containerized environment, update the solution to Sitecore 10.1 Update-1.
• To resolve the vulnerability for Sitecore 10.0 Initial Release or Sitecore 10.0 Update-1 running in a containerized environment, update the solution to Sitecore 10.0 Update-2.
• If the Sitecore Publishing Service version prior to 4.0.0 is used in your solution, contact Sitecore Support to get a compatible solution.

Versions not affected

The following Sitecore XP versions are not affected by this vulnerability:

• Sitecore XP versions 9.0 Initial Release and earlier.
• Sitecore XP versions 10.0 Update-2 and later.
• Sitecore XP versions 10.1 Update-1 and later.

Versions of Sitecore Commerce and other modules not mentioned in the "Versions affected" section are not affected by this vulnerability.

Solution

In order to fix this vulnerability, replace System.Text.Encodings.Web.dll and apply binding redirects if necessary.
The Sitecore versions 9.0 Update-1 – 10.1 Initial Release (except 10.0 Update-2) must be updated.

For On-Premise solutions, upgrades mentioned in the "How do I fix the issue" section of CVE-2021-26701 must be installed on all machines.

Note: For Sitecore XP 10.1 Initial Release it is strongly recommended to upgrade to Sitecore XP 10.1 Update-1. A possible alternative is to upgrade the System.Text.Encodings.Web assembly. However, in this case, it should be upgraded to 4.7.2 while other affected Sitecore XP versions require an upgrade of this assembly to 4.5.1.

The new System.Text.Encodings.Web package can be found here: 4.5.1 and 4.7.2.

Use the table below to update components of XP1 topology if they are in use and if System.Text.Encodings.Web.dll is present in the provided "Location path".

Role name	Assembly version	Location path	Configuration path
CM	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
CD	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Processing	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Reporting	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
MA	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
MA Engine	4.5.1 / 4.7.2	wwwroot\instance}\App_data\jobs\ continuous\ AutomationEngine\	{Location path}\ Sitecore.MAEngine.exe.config   or  {Location path}\maengine.exe.config
MA Reporting	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Collection	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Cortex Processing	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Cortext Processing Engine	4.5.1 / 4.7.2	wwwroot\{instance}\App_Data\jobs\ continuous\ ProcessingEngine	{Location path}\ Sitecore.ProcessingEngine.exe.config
Cortex Reporting	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Collection Search	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Index Worker	4.5.1 / 4.7.2	wwwroot\instance}\App_data\jobs\ continuous\IndexWorker\	{Location path}\ Sitecore.XConnectSearchIndexer.exe.config
RefData	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	{Location path}\Web.config

 

Use the table below to update components of XP0 topology if they are in use and if System.Text.Encodings.Web.dll is present in the provided "Location path".

 

Role name	Assembly version	Location path	Configuration path
CM/CD	4.5.1 / 4.7.2	wwwroot\{instance}\bin\	wwwroot\{instance}\Web.config
Collection MA	4.5.1 / 4.7.2	wwwroot\{collection instance}\App_Data\jobs\ continuous\AutomationEngine\	{Location path}\ Sitecore.MAEngine.exe.config   or  {Location path}\maengine.exe.config
Collection Index Worker	4.5.1 / 4.7.2	wwwroot\{collection instance}\App_Data\jobs\ continuous\IndexWorker\	{Location path}\ Sitecore.XConnectSearchIndexer.exe.config
ProcessingEngine	4.5.1 / 4.7.2	wwwroot\{collection instance}\App_Data\jobs\ continuous\ProcessingEngine\	{Location path}\ Sitecore.ProcessingEngine.exe.config
Collection	4.5.1 / 4.7.2	wwwroot\{collection instance}\bin\	wwwroot\{collection instance}\Web.config

Vulnerable System.Text.Encodings.Web.dll assembly can be found under the "tools" and "collectiondeployment" folders for the Search and Collection xConnect roles. This tool is executed one time during the Sitecore XP deployment and is not part of the Sitecore XP execution code. So, it is safe to keep them as is or it is possible to remove both folders or update the assembly version to 4.7.2.

Note: The versions used in the binding redirects below are correct even though they differ from 4.5.1 / 4.7.2 mentioned in this article and NuGet Gallery.
The versions below represent the AssemblyVersion attribute of "System.Text.Encodings.Web".

Update the file referenced in the "Configuration path" column with the next assembly binding for 4.5.1 version:

<dependentAssembly>
   <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
   <bindingRedirect oldVersion="0.0.0.0-4.0.3.1" newVersion="4.0.3.1" />
</dependentAssembly>

For Sitecore XP 10.1 Initial Release, update the file referenced in the "Configuration path" column with the next assembly binding for 4.7.2 version:

<dependentAssembly>
   <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
   <bindingRedirect oldVersion="0.0.0.0-4.0.5.1" newVersion="4.0.5.1" />
</dependentAssembly> 

 

Updating Sitecore Experience Commerce

Rebuild the Commerce engine SDK and republish all the engine instances by following the below steps:

1. Open the "Sitecore.Commerce.Engine" project of the Commerce engine SDK in Visual Studio.
   
   
2. Use NuGet Package Manager to add a reference to "System.Text.Encodings.Web" 4.5.1 to the project.
   
   
3. Build the Engine solution and make sure the correct version of the "System.Text.Encodings.Web" is present in the build output folders.
   
   
4. Publish the engine and replace your existing instances.

Sitecore Experience Commerce 9.0 Initial Release, Update-1, Update-2 and Update-3 versions also contain earlier versions of Sitecore Identity (1.0 to 1.4). Its binaries contain the affected version of "System.Text.Encodings.Web.dll".

In order to resolve the vulnerability, Sitecore Identity Server SDK has to be built and published:

1. Open the "Sitecore.IdentityServer" project of the Sitecore Identity Server SDK in Visual Studio.
   
   
2. Use NuGet Package Manager to add a reference to "System.Text.Encodings.Web" 4.5.1 to the project.
   
   
3. Build the Identity Server solution and make sure the correct version of the "System.Text.Encodings.Web" is present in the build output folders.
   
   
4. Publish the Identity Server and replace your existing instance.

More information about Sitecore Identity Server SDK can be found here.

 

Updating Sitecore Identity and Sitecore Horizon Standalone Services

Some services have their own lifecycle, and it requires another version of  System.Text.Encodings.Web.dll. Replace the library in a root folder of the instance.

The versions mentioned in the table below must be updated:

Product name	Assembly version	Location path
Sitecore Identity 2.0.0-4.0.0	4.5.1	wwwroot\{instance}\
Sitecore Identity 5.0.0	4.5.1	wwwroot\{instance}\refs\
Sitecore Identity 5.1.0	4.7.2	wwwroot\{instance}\
Sitecore Identity 6.0.0	4.7.2	wwwroot\{instance}\refs\
Sitecore Horizon 9.3.0	4.5.1	wwwroot\{instance}\
Sitecore Horizon 10.1.0	4.7.2	wwwroot\{instance}\

 

Use the .netstandart2.0 4.5.1 / 4.7.2 version from System.Text.Encodings.Web package.

 

Updating Sitecore Publishing Service Standalone Service

The resolution step differs slightly depending on the version of the Publishing Service that is used in the solution:

• For Sitecore Publishing Service 5.0.0, replace the library in the root folder of the instance.
  

  Use the .netstandart2.0 4.7.2 version from System.Text.Encodings.Web package.

  Then, add a binding redirect into the Sitecore.Framework.Publishing.Host.exe.config file:

  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
   <dependentAssembly>
     <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
     <bindingRedirect oldVersion="0.0.0.0-4.0.5.1" newVersion="4.0.5.1" />
   </dependentAssembly>
  </assemblyBinding>

• For Sitecore Publishing Service 4.1.0-4.3.0, install the following hotfix (note that it will update your Publishing Service instance to 4.3.0):
  

  SC Hotfix 475947-1.zip

• For Sitecore Publishing Service 4.0.0, apply the following steps:
  
  
  • Install the following hotfix (note that it will update your Publishing Service instance to 4.3.0):
    SC Hotfix 475947-1.zip
    
    
  • Install Sitecore Publishing Service Module 9.1.0 or Sitecore Publishing Service Module 9.1.1 (depending on your Sitecore XP version).
    
    
  • If SXA is installed in your solution, apply the hotfix from the following article: System.IO.FileNotFoundException thrown when publishing SXA sites 
    
    
• For all releases of Sitecore Publishing Service 2.2 and Sitecore Publishing Service 3.1, replace the library in a root folder of the instance and replace the existing binding redirects for "System.Text.Encodings.Web" with the following one.
  

  Use the .netstandart2.0 4.5.1 version from System.Text.Encodings.Web package.

  Then, replace the existing binding redirects with the following one in the Sitecore.Framework.Publishing.Host.exe.config file:

  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
   <dependentAssembly>
     <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
     <bindingRedirect oldVersion="0.0.0.0-4.0.3.1" newVersion="4.0.3.1" />
    </dependentAssembly>
  </assemblyBinding> 

• For Sitecore Publishing Service version prior to 2.2 Initial Release and prior to 3.1 Initial Release, contact Sitecore Support to get a compatible solution.

 

History of updates

• 21-Jun-2021: The assembly version was corrected to 4.7.2 for Sitecore XP 10.1 Initial Release.
• 22-Jun-2021: The severity was set to "Critical". A note that the AssemblyVersion attribute differs from the marketing package version was added.
• 23-Jun-2021: Affected Sitecore Commerce versions and the solution for them has been added. The package version references have been updated for Sitecore Identity and Horizon.
• 24-Jun-2021: Steps related to Sitecore Commerce were updated. A note regarding Search and Collection xConnect roles was added.
• 25-Jun-2021: Specified upgrade to Sitecore XP 10.1 Update-1 as a priority solution for Sitecore XP 10.1 Initial Release and made minor changes in styling.
• 30-Jun-2021: Added a solution for Sitecore Publishing Service 4.0.0. Updated affected Sitecore Experience Commerce versions. Added the "Configuration path" column for Sitecore roles and updated the instructions accordingly. The Collection Deployment role has been removed from the tables. Added solution for Sitecore Identity provided with Sitecore Experience Commerce 9.0.x.
• 30-Jun-2021: Made minor changes in styling.
• 01-Jul-2021: Added a clarification that System.Text.Encodings.Web.dll should be replaced only if it is present in the provided "Location path".
• 05-Jul-2021: Added a note that Sitecore XP 10.0 Initial Release and 10.0 Update-1 running in a containerized environment must be upgraded to 10.0 Update-2 in order to resolve the issue. Added a notion about the required upgrades for On-Premise solutions.
• 06-Jul-2021: Added a notion to "Versions not affected" that the issue is resolved in Sitecore XP 10.0 Update-2 and 10.1 Update-1. Modified the resolution steps for Sitecore Identity Server provided with Sitecore Experience Commerce 9.0.x.
• 13-Jul-2021: Updated the history record from the 5th of July specifying that upgrade suggestion is related to containerized solutions.
• 20-Jul-2021: Explicitly specified that Sitecore Commerce versions not mentioned in the "Versions affected" are not vulnerable.
• 21-Jul-2021: Added resolution steps for Sitecore Publishing Service 2.2 Update-1 and Sitecore Publishing Service 3.1 Update-4.
• 27-Jul-2021: General solution for all releases of Sitecore Publishing Service 2.2 and Sitecore Publishing Service 3.1 has been introduced.
• 17-Sep-2021: Made minor changes in styling.
• 15-Apr-2022: Removed binding redirects for Sitecore Identity Server.
• 17-Oct-2023: updated broken links for Sitecore Publishing Service 4.1.0-4.3.0 and Sitecore Publishing Service 4.0.0 hotfixes resulted from hotfixes storage migration.