Security Bulletin SC2021-001-475944


The information on the latest update

Description

This article reports Critical vulnerability (SC2021-001-475944) in Sitecore software, for which there is a solution available.

This issue is related to a remote code execution vulnerability in System.Text.Encodings.Web.dll: CVE-2021-26701.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Versions

Versions affected

Vulnerability SC2021-001-475944 affects the following Sitecore XP versions:

This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, and so on).

It also affects the following Sitecore Commerce versions:

Additionally, some standalone services are affected:

A solution is available for the affected versions.

Important notes:

Versions not affected

The following Sitecore XP versions are not affected by this vulnerability:

Versions of Sitecore Commerce and other modules not mentioned in the "Versions affected" section are not affected by this vulnerability.

Solution

In order to fix this vulnerability, replace System.Text.Encodings.Web.dll and apply binding redirects if necessary.
The Sitecore versions 9.0 Update-1 – 10.1 Initial Release (except 10.0 Update-2) must be updated.

For On-Premise solutions, upgrades mentioned in the "How do I fix the issue" section of CVE-2021-26701 must be installed on all machines.

Note: For Sitecore XP 10.1 Initial Release it is strongly recommended to upgrade to Sitecore XP 10.1 Update-1. A possible alternative is to upgrade the System.Text.Encodings.Web assembly. However, in this case, it should be upgraded to 4.7.2 while other affected Sitecore XP versions require an upgrade of this assembly to 4.5.1.

The new System.Text.Encodings.Web package can be found here: 4.5.1 and 4.7.2.


Use the table below to update components of XP1 topology if they are in use and if System.Text.Encodings.Web.dll is present in the provided "Location path".

Role name Assembly version Location path Configuration path

 CM

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 CD

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Processing

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Reporting

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 MA

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 MA Engine

4.5.1 / 4.7.2

 wwwroot\instance}\App_data\jobs\
continuous\ AutomationEngine\

 {Location path}\
Sitecore.MAEngine.exe.config

  or

 {Location path}\maengine.exe.config

 MA Reporting

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Collection

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Cortex Processing

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Cortext Processing Engine

4.5.1 / 4.7.2

 wwwroot\{instance}\App_Data\jobs\
continuous\ ProcessingEngine

 {Location path}\
Sitecore.ProcessingEngine.exe.config

 Cortex Reporting

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Collection Search

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Index Worker

4.5.1 / 4.7.2

 wwwroot\instance}\App_data\jobs\
continuous\IndexWorker\

{Location path}\
Sitecore.XConnectSearchIndexer.exe.config

 RefData

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 {Location path}\Web.config

 

Use the table below to update components of XP0 topology if they are in use and if System.Text.Encodings.Web.dll is present in the provided "Location path".

 

Role name Assembly version Location path Configuration path

 CM/CD

4.5.1 / 4.7.2

 wwwroot\{instance}\bin\

 wwwroot\{instance}\Web.config

 Collection MA

4.5.1 / 4.7.2

 wwwroot\{collection instance}\App_Data\jobs\ continuous\AutomationEngine\

 {Location path}\
Sitecore.MAEngine.exe.config

  or

 {Location path}\maengine.exe.config

 Collection Index Worker

4.5.1 / 4.7.2

 wwwroot\{collection instance}\App_Data\jobs\ continuous\IndexWorker\

 {Location path}\
Sitecore.XConnectSearchIndexer.exe.config

 ProcessingEngine

4.5.1 / 4.7.2

 wwwroot\{collection instance}\App_Data\jobs\ continuous\ProcessingEngine\

 {Location path}\
Sitecore.ProcessingEngine.exe.config

 Collection

4.5.1 / 4.7.2

 wwwroot\{collection instance}\bin\

 wwwroot\{collection instance}\Web.config


Vulnerable System.Text.Encodings.Web.dll assembly can be found under the "tools" and "collectiondeployment" folders for the Search and Collection xConnect roles. This tool is executed one time during the Sitecore XP deployment and is not part of the Sitecore XP execution code. So, it is safe to keep them as is or it is possible to remove both folders or update the assembly version to 4.7.2.

Note: The versions used in the binding redirects below are correct even though they differ from 4.5.1 / 4.7.2 mentioned in this article and NuGet Gallery.
The versions below represent the AssemblyVersion attribute of "System.Text.Encodings.Web".

Update the file referenced in the "Configuration path" column with the next assembly binding for 4.5.1 version:

<dependentAssembly>
   <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
   <bindingRedirect oldVersion="0.0.0.0-4.0.3.1" newVersion="4.0.3.1" />
</dependentAssembly>

For Sitecore XP 10.1 Initial Release, update the file referenced in the "Configuration path" column with the next assembly binding for 4.7.2 version:

<dependentAssembly>
   <assemblyIdentity name="System.Text.Encodings.Web" publicKeyToken="cc7b13ffcd2ddd51" culture="neutral" />
   <bindingRedirect oldVersion="0.0.0.0-4.0.5.1" newVersion="4.0.5.1" />
</dependentAssembly>

 

Updating Sitecore Experience Commerce

Rebuild the Commerce engine SDK and republish all the engine instances by following the below steps:

  1. Open the "Sitecore.Commerce.Engine" project of the Commerce engine SDK in Visual Studio.

  2. Use NuGet Package Manager to add a reference to "System.Text.Encodings.Web" 4.5.1 to the project.

  3. Build the Engine solution and make sure the correct version of the "System.Text.Encodings.Web" is present in the build output folders.

  4. Publish the engine and replace your existing instances.

Sitecore Experience Commerce 9.0 Initial Release, Update-1, Update-2 and Update-3 versions also contain earlier versions of Sitecore Identity (1.0 to 1.4). Its binaries contain the affected version of "System.Text.Encodings.Web.dll".

In order to resolve the vulnerability, Sitecore Identity Server SDK has to be built and published:

  1. Open the "Sitecore.IdentityServer" project of the Sitecore Identity Server SDK in Visual Studio.

  2. Use NuGet Package Manager to add a reference to "System.Text.Encodings.Web" 4.5.1 to the project.

  3. Build the Identity Server solution and make sure the correct version of the "System.Text.Encodings.Web" is present in the build output folders.

  4. Publish the Identity Server and replace your existing instance.

More information about Sitecore Identity Server SDK can be found here.

 

Updating Sitecore Identity and Sitecore Horizon Standalone Services

Some services have their own lifecycle, and it requires another version of  System.Text.Encodings.Web.dll. Replace the library in a root folder of the instance.

The versions mentioned in the table below must be updated:

Product name

Assembly version

Location path

 Sitecore Identity 2.0.0-4.0.0

4.5.1

 wwwroot\{instance}\ 

 Sitecore Identity 5.0.0

4.5.1

 wwwroot\{instance}\refs\

 Sitecore Identity 5.1.0

4.7.2

 wwwroot\{instance}\

 Sitecore Horizon 9.3.0

4.5.1

 wwwroot\{instance}\

 Sitecore Horizon 10.1.0

4.7.2

 wwwroot\{instance}\

 

Use the .netstandart2.0 4.5.14.7.2 version from System.Text.Encodings.Web package.

 

Updating Sitecore Publishing Service Standalone Service

The resolution step differs slightly depending on the version of the Publishing Service that is used in the solution:

 

History of updates