Security Bulletin SC2022-001-500712


The information on the latest update

Description

This article reports a Critical vulnerability (SC2022-001-500712) in Sitecore software for which there is a solution available.

This issue is a Cross-Site Scripting (XSS) vulnerability that could allow authenticated Sitecore Shell users to be tricked into executing attacker-supplied JavaScript within Sitecore Experience Platform / CMS and Sitecore Managed Cloud.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the Solution to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

Sitecore Products                                           Impact
Sitecore Experience Platform / CMS                          +
Sitecore Managed Cloud                                      +
Sitecore Content Hub                                        -
Sitecore CDP and Sitecore Personalize (formerly Boxever)    -
Sitecore OrderCloud (formerly Four51 OrderCloud)            -
Sitecore Storefront (formerly Four51 Storefront)            -
Moosend                                                     -
Sitecore Send                                               -
Sitecore Discover (formerly Reflektion)                     -
Sitecore Commerce Server                                    -

"+" the vulnerability impacts the product;
"-" the vulnerability does not impact the product.

This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Versions

Sitecore Experience Platform / CMS versions affected

Vulnerability SC2022-001-500712 affects the following Sitecore versions:

Sitecore Experience Platform versions not affected

The versions not mentioned in the "Sitecore Experience Platform / CMS versions affected" section are not affected by this vulnerability.

Sitecore Managed Cloud versions affected

Sitecore Managed Cloud Standard customers who run the affected Sitecore Experience Platform / CMS versions are affected.

Sitecore Managed Cloud versions not affected

Sitecore Managed Cloud Standard customers who run the versions not mentioned in the "Sitecore Experience Platform / CMS versions affected" section are not affected by this vulnerability.

Solution

To mitigate the vulnerability, it is recommended that you apply the fixes to the affected Sitecore systems. Follow the installation instructions from the readme file (when available).

Notes

For Sitecore Experience Platform 10.1 and 10.2 running in a containerized environment, the cumulative hotfix should be applied according to guidance from the linked Cumulative hotfix articles.

For Sitecore Experience Platform 10.0 running in a containerized environment, download and install the following container-specific hotfix packages:

For Sitecore Experience Platform 9.0 Update-1 and later, you can apply the following patch as a temporary solution: Sitecore.Support.500712.zip. For containerized environments, you can add the patch files to the container image with the Dockerfile COPY instruction.
Note that it is strongly recommended that you apply the full hotfix for your version when possible, because, unlike the temporary patch, it also includes the other hotfixes and improvements available for that specific version of Sitecore Experience Platform.

For Sitecore CMS 7.2 and Sitecore XP 7.5, the patch Sitecore.Support.500712-8.1.3.0.zip can be applied as well. Sitecore would like to remind you that, according to the Sitecore Product Support Lifecycle, Sitecore versions 7.2 and 7.5 have entered the Sustaining Support Phase and will not receive security updates in the future. Sitecore highly recommends that all customers upgrade to a security-supported version of Sitecore XP.

Validating Solution

After applying the fix, validate that the installation succeeded. Depending on the solution you applied, use the corresponding validation procedure:

Validating the SC Hotfix package

To check if the solution has been properly installed, ensure that the Product Version property of the Website\bin\Sitecore.Client.dll file contains the hotfix number. For example, for SC Hotfix 513235-1.zip, the Sitecore.Client.dll Product Version property contains 513235.

Validating the SC Pre-release package

To check if the pre-release package (refer to KB1001300 or KB1001439) has been properly installed, ensure that the following conditions have been met:

Validating the Sitecore.Support.500712.zip package

To validate if the package has been properly installed, check the Website\bin folder for the Sitecore.Support.500712.dll file.
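The two file-based checks above (the Product Version of Sitecore.Client.dll for the SC Hotfix package, and the presence of Sitecore.Support.500712.dll for the temporary patch) can be run from PowerShell against each role's web root. The script below is an added example, not part of the bulletin or of any Sitecore tooling; the web root paths and the default hotfix number 513235 are placeholders taken from the bulletin's own example and must be replaced with your values.

```powershell
# Added example (not from the bulletin): report which SC2022-001-500712 fix is
# present on one Sitecore web root. Run it against every role (CM, CD, Reporting,
# Processing), since the bulletin states that all Sitecore Core roles are affected.
function Test-SitecoreBulletinFix {
    param(
        [Parameter(Mandatory)][string]$WebRoot,        # website root, e.g. C:\inetpub\wwwroot\sc.local (placeholder)
        [string]$HotfixNumber   = '513235',            # number from your SC Hotfix file name; 513235 is the bulletin's example
        [string]$SupportPatchDll = 'Sitecore.Support.500712.dll'
    )

    $clientDll = Join-Path $WebRoot 'bin\Sitecore.Client.dll'
    if (-not (Test-Path -LiteralPath $clientDll)) {
        throw "Sitecore.Client.dll not found under $WebRoot\bin; check the web root path."
    }

    # SC Hotfix check: the hotfix stamps its number into the Product Version of Sitecore.Client.dll.
    $productVersion = (Get-Item -LiteralPath $clientDll).VersionInfo.ProductVersion
    $hotfixPresent  = $productVersion -like "*$HotfixNumber*"

    # Sitecore.Support.500712.zip check: the temporary patch ships its own assembly into bin\.
    $patchPresent = Test-Path -LiteralPath (Join-Path $WebRoot "bin\$SupportPatchDll")

    [pscustomobject]@{
        WebRoot              = $WebRoot
        ClientProductVersion = $productVersion
        HotfixPresent        = $hotfixPresent
        SupportPatchPresent  = $patchPresent
        Mitigated            = ($hotfixPresent -or $patchPresent)
    }
}

# Usage (placeholder paths): check every role and exit non-zero if any role is unpatched.
# $roots   = 'C:\inetpub\wwwroot\sc.local', '\\cd01\c$\inetpub\wwwroot\sc.local'
# $results = $roots | ForEach-Object { Test-SitecoreBulletinFix -WebRoot $_ }
# $results | Format-Table -AutoSize
# if ($results | Where-Object { -not $_.Mitigated }) { Write-Warning 'At least one role is not fixed.'; exit 1 }
```

A role that reports only SupportPatchPresent is running the temporary patch, not the full hotfix; per the Notes above, the hotfix should still be applied when possible.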

FAQ

Is the issue specific to the XP topology?
No. The vulnerability applies to all Sitecore systems running the affected versions, including single-instance and multi-instance environments and all topologies. The fix works for all topologies.

Does the issue affect Sitecore Experience Commerce roles (Authoring, DevOps, Minions, Shops, BizFX, Identity Server)?
No, the issue does not affect Sitecore Experience Commerce roles.
However, Sitecore Experience Platform solutions with Sitecore Experience Commerce installed are impacted because the issue impacts Sitecore Experience Platform.

Does the issue affect all Sitecore Core server roles (Content Delivery, Content Editing, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore Core server roles.

How to apply the solution to the CD, Reporting, and Processing roles
Copy the files that were added or modified on the CM instance during the installation of the fix.
The hotfix package can be inspected as a ZIP archive.
The addedfiles and changedfiles folders include the files that should be copied to the root of the website.
Note that additional files can be generated during the .update package installation on the CM instance (for example, \App_Config\Include\DataFolder.config).
The creation of such files is mentioned in the "Analysis result" of the Sitecore update installation wizard.
These files should be copied to the CD, Reporting, and Processing roles as well.
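The copy procedure above can be scripted. The following is an added example, not code from the bulletin or from Sitecore: it unpacks the hotfix package, locates the addedfiles and changedfiles folders, copies their contents over each target role's website root, and then copies any files the CM-side installer generated (DataFolder.config is the bulletin's example) from the CM web root. It assumes the downloaded zip either holds those folders directly or wraps a .update file that is itself a zip archive containing them; all paths are placeholders.

```powershell
# Added example (not from the bulletin): replicate the CM hotfix installation to
# the CD, Reporting and Processing roles. Uses ZipFile rather than Expand-Archive
# so that a wrapped .update package (a zip without the .zip extension) unpacks too.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Expand-SitecoreHotfix {
    param([Parameter(Mandatory)][string]$HotfixZip)

    $work = Join-Path $env:TEMP ('sc-hotfix-' + [guid]::NewGuid())
    [System.IO.Compression.ZipFile]::ExtractToDirectory($HotfixZip, $work)

    # Assumption: a wrapped .update package is a zip archive; unpack it next to the rest.
    Get-ChildItem -Path $work -Recurse -File -Filter '*.update' | ForEach-Object {
        [System.IO.Compression.ZipFile]::ExtractToDirectory($_.FullName, "$($_.FullName).extracted")
    }
    return $work
}

function Copy-SitecoreHotfixToRoles {
    param(
        [Parameter(Mandatory)][string]$HotfixZip,
        [Parameter(Mandatory)][string[]]$TargetWebRoots,   # e.g. \\cd01\c$\inetpub\wwwroot\sc.local (placeholder)
        [string]$CmWebRoot,                                  # CM web root, source of installer-generated files
        [string[]]$GeneratedFiles = @('App_Config\Include\DataFolder.config')  # relative to the web root
    )

    $work = Expand-SitecoreHotfix -HotfixZip $HotfixZip
    try {
        $payload = Get-ChildItem -Path $work -Recurse -Directory |
            Where-Object { $_.Name -in 'addedfiles', 'changedfiles' }
        if (-not $payload) { throw "No addedfiles/changedfiles folders found in $HotfixZip" }

        foreach ($root in $TargetWebRoots) {
            # addedfiles\ and changedfiles\ mirror the website root, so copy their contents over it.
            foreach ($dir in $payload) {
                Copy-Item -Path (Join-Path $dir.FullName '*') -Destination $root -Recurse -Force
            }
            # Files generated by the .update installer on CM (listed in its "Analysis result")
            # are not in the package, so take them from the CM web root.
            if ($CmWebRoot) {
                foreach ($rel in $GeneratedFiles) {
                    $src = Join-Path $CmWebRoot $rel
                    if (Test-Path -LiteralPath $src) {
                        $dst = Join-Path $root $rel
                        New-Item -ItemType Directory -Path (Split-Path $dst) -Force | Out-Null
                        Copy-Item -LiteralPath $src -Destination $dst -Force
                    }
                }
            }
        }
    }
    finally {
        Remove-Item -LiteralPath $work -Recurse -Force
    }
}

# Usage (placeholder paths):
# Copy-SitecoreHotfixToRoles -HotfixZip 'C:\hotfixes\SC Hotfix 513235-1.zip' `
#     -TargetWebRoots '\\cd01\c$\inetpub\wwwroot\sc.local', '\\prc01\c$\inetpub\wwwroot\sc.local' `
#     -CmWebRoot 'C:\inetpub\wwwroot\sc.local'
```

Back up each target web root before running it: changedfiles\ overwrites whatever it contains, so inspect that folder first for configuration files you have customized per role, and re-apply those customizations afterwards.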

Some of the assemblies have already been modified in my solution. Can I install the new solution on top of the existing changes?
Yes, the provided hotfixes are cumulative. Follow the link to the hotfix package to learn the date when the hotfix was created.
Make sure you have not already installed a newer hotfix before installing this one.
If in doubt, use the Sitecore Support Portal to get assistance.
As of the date of publishing of the security bulletin, all references point to the latest hotfixes for each version of Sitecore XP.

Will the Sitecore NuGet Feed be updated to include assemblies with the fix?
No, Sitecore hotfixes are not published to the Sitecore NuGet feed.
You may create a custom feed if necessary; see https://docs.microsoft.com/en-us/nuget/hosting-packages/overview.

History Of Updates