The information on the latest update
This article describes a solution for a Medium-severity vulnerability (SC2021-002-486210), reported by Microsoft as CVE-2020-1045, that affects Microsoft.Owin.
The security bypass was found in the Microsoft.Owin.dll assembly, version 4.1.0 and earlier. For more details, refer to Microsoft's CVE-2020-1045 advisory.
We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the fix to all affected Sitecore systems.
If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.
To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.
Versions affected
Vulnerability SC2021-002-486210 affects the following versions of Sitecore Experience Platform:
Versions not affected
Versions of Sitecore Experience Platform not mentioned in the "Versions affected" section are not affected by this vulnerability.
To resolve the vulnerability in an affected Sitecore Experience Platform deployment, update Microsoft.Owin.dll to version 4.1.1 and apply binding redirects where necessary.
Use the table below to update components of XP1 topology if they are in use.
| SC Versions | Role/Job | Location path | Configuration path |
|---|---|---|---|
| 10.0.0 - 10.1.x | Job: MA Engine | `wwwroot\{instance}\App_Data\jobs\continuous\AutomationEngine\` | `{Location path}\Sitecore.MAEngine.exe.config` or `{Location path}\maengine.exe.config` |
| 10.0.0 - 10.1.x | Job: IndexWorker | `wwwroot\{instance}\App_Data\jobs\continuous\IndexWorker\` | `{Location path}\Sitecore.XConnectSearchIndexer.exe.config` |
| 10.0.0 - 10.1.x | Job: ProcessingEngine | `wwwroot\{instance}\App_Data\jobs\continuous\ProcessingEngine\` | `{Location path}\Sitecore.ProcessingEngine.exe.config` |
| 9.0.0 - 10.1.x | CM | `wwwroot\{instance}\bin\` | `wwwroot\{instance}\Web.config` |
| 9.0.0 - 10.1.x | CD | `wwwroot\{instance}\bin\` | `wwwroot\{instance}\Web.config` |
| 9.0.0 - 10.1.x | Processing | `wwwroot\{instance}\bin\` | `wwwroot\{instance}\Web.config` |
| 9.0.0 - 10.1.x | Reporting | `wwwroot\{instance}\bin\` | `wwwroot\{instance}\Web.config` |
Use the table below to update components of XP0 topology if they are in use.
| SC Versions | Role/Job | Location path | Configuration path |
|---|---|---|---|
| 10.0.0 - 10.1.x | Job: MA Engine | `wwwroot\{collection instance}\App_Data\jobs\continuous\AutomationEngine\` | `{Location path}\Sitecore.MAEngine.exe.config` or `{Location path}\maengine.exe.config` |
| 10.0.0 - 10.1.x | Job: IndexWorker | `wwwroot\{collection instance}\App_Data\jobs\continuous\IndexWorker\` | `{Location path}\Sitecore.XConnectSearchIndexer.exe.config` |
| 10.0.0 - 10.1.x | Job: ProcessingEngine | `wwwroot\{collection instance}\App_Data\jobs\continuous\ProcessingEngine\` | `{Location path}\Sitecore.ProcessingEngine.exe.config` |
| 9.0.0 - 10.1.x | CM/CD | `wwwroot\{instance}\bin\` | `wwwroot\{instance}\Web.config` |
| 10.0.0 - 10.1.x | Collection Deployment | `wwwroot\{collection instance}\App_Data\collectiondeployment\` | `wwwroot\{collection instance}\Web.config` |
In each configuration file listed above, add or update the binding redirect so that every reference to Microsoft.Owin resolves to the new library version:

```xml
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
  <dependentAssembly>
    <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
    <bindingRedirect oldVersion="0.0.0.0-4.1.1.0" newVersion="4.1.1.0" />
  </dependentAssembly>
</assemblyBinding>
```
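To confirm the fix was applied consistently across the roles and jobs in the tables above, the following added PowerShell audit script (example code, not Sitecore's own tooling) reports the assembly version of every Microsoft.Owin.dll under the web root and whether each Web.config or *.exe.config that references Microsoft.Owin carries the 4.1.1.0 redirect. The web root path, the assumption that every instance and job lives beneath it, and the function names are this example's.

```powershell
# Assumption: all Sitecore instances and xConnect jobs sit under the IIS default web root.
$Root  = 'C:\inetpub\wwwroot'
$Fixed = [version]'4.1.1.0'          # version the bulletin requires
$Token = '31bf3856ad364e35'          # public key token from the binding redirect above

# Reads the assembly version from the DLL metadata without loading it into the session.
function Test-OwinAssembly {
    param([string]$DllPath)
    $ver = [System.Reflection.AssemblyName]::GetAssemblyName($DllPath).Version
    [pscustomobject]@{ Path = $DllPath; Version = $ver; Patched = ($ver -ge $Fixed) }
}

# Looks for the Microsoft.Owin dependentAssembly element in the asm.v1 namespace and
# checks its bindingRedirect; a missing element shows up as Redirected = False.
function Test-OwinRedirect {
    param([string]$ConfigPath)
    [xml]$xml = Get-Content -LiteralPath $ConfigPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('b', 'urn:schemas-microsoft-com:asm.v1')
    $xpath = "//b:dependentAssembly[b:assemblyIdentity/@name='Microsoft.Owin'" +
             " and b:assemblyIdentity/@publicKeyToken='$Token']/b:bindingRedirect"
    $node = $xml.SelectSingleNode($xpath, $ns)
    $new  = if ($node) { [version]$node.newVersion } else { $null }
    [pscustomobject]@{ Path = $ConfigPath; NewVersion = $new; Redirected = ($null -ne $new -and $new -ge $Fixed) }
}

# 1. Every Microsoft.Owin.dll: covers bin\ for CM/CD/Processing/Reporting and
#    App_Data\jobs\continuous\* for the MA Engine, IndexWorker and ProcessingEngine jobs.
Get-ChildItem -LiteralPath $Root -Recurse -File -Filter 'Microsoft.Owin.dll' |
    ForEach-Object { Test-OwinAssembly $_.FullName } |
    Format-Table -AutoSize

# 2. Every Web.config and *.exe.config that mentions Microsoft.Owin: verify the redirect.
Get-ChildItem -LiteralPath $Root -Recurse -File |
    Where-Object { $_.Name -eq 'Web.config' -or $_.Name -like '*.exe.config' } |
    Where-Object { Select-String -LiteralPath $_.FullName -Pattern 'Microsoft.Owin' -Quiet } |
    ForEach-Object { Test-OwinRedirect $_.FullName } |
    Format-Table -AutoSize
```

Any row with Patched = False or Redirected = False points at a location from the tables that still needs the update or its binding redirect.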