The information on the latest update

Description

This article reports a Critical vulnerability (SC2023-001-568150) in Sitecore software for which there is a solution available.

This issue is related to the MVC Device Simulator vulnerability which might allow IIS Authorization Rules Bypass.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the Solution to all the affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release;
8.2 Update-7 and earlier versions have not been tested as per Support Lifecycle
** Managed Cloud customers who run the affected Experience Platform versions are affected

This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Solution

Note that this bulletin is superseded by Security Bulletin SC2023-003-587441. If you have already applied the permanent solution from Security Bulletin SC2023-003-587441, there is no need to apply solution from the current bulletin. 

To mitigate the vulnerability, it is recommended that you apply the fixes to the affected Sitecore systems depending on your deployment. Note that the fixes cover both 568150 and 576660 issues. Follow the installation instructions from the readme file (when available).

• For on-prem and PaaS:
  
  • For 9.0 Initial Release: SC Hotfix 576689-1 for 9.0.0.zip
  • For 9.0 Update-1: SC Hotfix 576689-1 for 9.0.1.zip
  • For 9.0 Update-2: SC Hotfix 576689-1 for 9.0.2.zip
  • For 9.1 Initial Release:  download and install the cumulative hotfix from KB1001328
  • For 9.1 Update-1: download and install the cumulative hotfix from KB1001330
  • For 9.2 Initial Release:  download and install the cumulative hotfix from KB1001331
  • For 9.3 Initial Release:  download and install the cumulative hotfix from KB1001332
  • For 10.0 Initial Release:  download and install the cumulative hotfix from KB1001333
  • For 10.0 Update-1: download and apply the cumulative hotfix from KB1001334
  • For 10.0 Update-2: download and apply the cumulative hotfix from KB1001533
  • For 10.0 Update-3: download and apply the cumulative hotfix from KB1001534
  • For 10.1, download and install the corresponding cumulative hotfix available in KB1001300 (section "On top of any update" recommended)
  • For 10.2, download and install the corresponding cumulative hotfix available in KB1001439 (section "On top of any update" recommended)
  • For 10.3, download and install the corresponding cumulative hotfix available in KB1002844 (section "On top of any update" recommended)
    
    
• For containers:
  • For 10.1, 10.2 and 10.3 running in a containerized environment, the cumulative hotfix should be applied according to the guidance from the linked Cumulative hotfix articles.
  • For 10.0 running in a containerized environment, download and install the following container-specific hotfix packages:
    • For 10.0 Initial Release: SC Hotfix 576689-1 container for 10.0.0.zip
    • For 10.0 Update-1: SC Hotfix 576689-1 container for 10.0.1.zip
    • For 10.0 Update-2: SC Hotfix 576689-1 container for 10.0.2.zip
    • For 10.0 Update-3: SC Hotfix 576689-1 container for 10.0.3.zip
      
      

As an alternative, apply the below solution to the affected Sitecore systems depending on your deployment. Note that this solution covers only 568150 issue and does not cover 576660 issue.

• For on-prem and PaaS:
  1. Rename the following file to disable it, from:

     \wwwroot\App_Config\Sitecore\MVC.DeviceSimulator\Sitecore.MVC.DeviceSimulator.config

     to

     Sitecore.MVC.DeviceSimulator.config.disabled

  2. Remove or back up the following file:

     wwwroot\[instance]\bin\Sitecore.Mvc.DeviceSimulator.dll

• For containers:
  Update your runtime images for the affected Sitecore server roles by adding the following Dockerfile instructions:

  RUN rm "C:\inetpub\wwwroot\App_Config\Sitecore\MVC.DeviceSimulator\Sitecore.MVC.DeviceSimulator.config"
  RUN rm "C:\inetpub\wwwroot\bin\Sitecore.Mvc.DeviceSimulator.dll"

Note: Disabling the configuration file and removing the assembly have no impact on the MVC Device Simulator functioning. 
The functionality was used in older product versions but became obsolete.

FAQ

Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore XP Core server roles. Apply the above solution to different roles.

Do I need to disable Sitecore.MVC.DeviceSimulator.config and remove Sitecore.Mvc.DeviceSimulator.dll file when applying the hotfix?
That does not matter because the fix is installed from the hotfix package.

History Of Updates

• 28-Mar-2023: The article was created.
• 29-Mar-2023: The Solution section was updated. One of the solutions that required adding the following lines in the web.config file under </system.webServer> was removed and should not be used:
  <location path="api/sitecore/Sitecore.Mvc.DeviceSimulator.Controllers.SimulatorController,Sitecore.Mvc.DeviceSimulator.dll/Preview">
  <system.web>
  <authorization>
  <deny users="?" />
  </authorization>
  </system.web>
  </location> 
• 30-Mar-2023: Added impact details at the  end of the Solution section.
• 31-Mar-2023: Added a solution for containerized environment. Made minor styling changes in the Solution section, the table and note *. Changed "Content Editing" to "Content Management" in the FAQ section.
• 04-Apr-2023: Added a link to the Sitecore XP core roles article on doc.sitecore.com.
• 20-Apr-2023: Added fixes to the Solution section; added the question about alternative solution and hotfix compatibility; made minor changes in styling.
• 02-May-2023: Added the questions in the FAQ section about the possibility to add more details regarding the vulnerability in the article.
• 20-Jun-2023: Made minor changes in styling. Added the note about solutions from next security bulletin  Security Bulletin SC2023-003-587441.
• 03-Nov-2023: Updated broken links in the Solution section for on-prem and containers.