Security Bulletin SC2023-002-576660


The information on the latest update

Description

This article reports a Critical vulnerability (SC2023-002-576660) in Sitecore software for which there is a solution available.

This issue is related to remote code execution vulnerability.

We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the Solution to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

 Sitecore Products                          Impact
 Experience Manager (XM)                    Impacted*
 Experience Platform (XP)                   Impacted*
 Experience Commerce (XC)                   Impacted*
 Managed Cloud                              Impacted**
 XM Cloud                                   Not impacted
 Content Hub                                Not impacted
 CDP and Personalize (formerly Boxever)     Not impacted
 OrderCloud (formerly Four51 OrderCloud)    Not impacted
 Storefront (formerly Four51 Storefront)    Not impacted
 Moosend                                    Not impacted
 Send                                       Not impacted
 Discover (formerly Reflektion)             Not impacted
 Commerce Server                            Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted
** Managed Cloud customers who run the affected Experience Platform versions are affected

This Security Bulletin might receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you want to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.

Solution

Note that this bulletin is superseded by Security Bulletin SC2023-003-587441. If you have already applied the permanent solution from Security Bulletin SC2023-003-587441, there is no need to apply the solution from the current bulletin.
To mitigate the vulnerability, it is recommended that you apply the fixes to the affected Sitecore systems depending on your deployment. Note that the fixes cover both 568150 and 576660 issues. Follow the installation instructions from the readme file (when available).

Note that the hotfix must be installed on a CM instance and then synced with other instances using standard development practices. For pre-releases, follow the guidelines from Sitecore official documentation and the related KB articles.


Use the hotfixes above to resolve the issue completely. For the partial resolution of the issue, apply the patch that follows. The patch fixes only the known attack vector. The patch can be used for all impacted product versions:

  1. Download and unpack the Sitecore.Support.576660.zip archive.
  2. Place the Sitecore.Support.576660.dll in the \bin folder.
  3. Place the Sitecore.Support.576660.config in the \App_Config\Include\zzz folder.

Important note: The patch logs attack cases, if any. Messages similar to the following can be found in Sitecore logs if the patch blocks the request:

{line} hh:mm:ss WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: {attack vector URL}

To disable attack logging, set <disableLog> to "true" inside the Sitecore.Support.576660.config patch file:

<disableLog>true</disableLog>
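The WARN line above is the only signal the patch emits, so it is worth collecting rather than leaving it to scroll past in the log. The script below is an added example and is not part of the Sitecore bulletin or the patch: it scans Sitecore log lines for that message and summarises how often each blocked URL appears. The log excerpt in $SampleLog is constructed for an offline run (the URLs are placeholders), and the regular expression is deliberately loose about what precedes the time stamp, since the exact prefix of a Sitecore log line can vary.

```powershell
# Added example, not code from the Sitecore bulletin: summarise requests that the
# Sitecore.Support.576660 patch blocked, based on the WARN message format it writes.

function Get-BlockedRequestSummary {
    param(
        [Parameter(Mandatory)] [string[]] $Lines   # raw lines from App_Data\logs\log.*.txt
    )
    # Matches "... hh:mm:ss WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: <url>"
    $pattern = '^.*?(?<time>\d{2}:\d{2}:\d{2})\s+WARN\s+Sitecore\.Support\.576660: Request processing stopped due to forbidden input\. URL:\s*(?<url>\S+)'

    $hits = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Time = $Matches.time; Url = $Matches.url }
        }
    }

    $hits |
        Group-Object Url |
        ForEach-Object {
            [pscustomobject]@{
                Url       = $_.Name
                Count     = $_.Count
                FirstSeen = ($_.Group | Select-Object -First 1).Time
                LastSeen  = ($_.Group | Select-Object -Last 1).Time
            }
        } |
        Sort-Object Count -Descending
}

# Constructed sample log (placeholder URLs), so the function can be tried offline.
$SampleLog = @'
1234 10:15:01 INFO  HttpModule is being initialized
1236 10:15:07 WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: /placeholder/blocked-request-a
1240 10:16:12 WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: /placeholder/blocked-request-a
1241 10:16:13 INFO  Cache created
1250 10:20:44 WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: /placeholder/blocked-request-b
'@

Get-BlockedRequestSummary -Lines ($SampleLog -split "`r?`n") | Format-Table -AutoSize

# On a real instance (path is an assumption; adjust to your site root):
#   $lines = Get-Content 'C:\inetpub\wwwroot\<site>\App_Data\logs\log.*.txt'
#   Get-BlockedRequestSummary -Lines $lines | Export-Csv blocked-requests.csv -NoTypeInformation
```

The summary groups by URL so that repeated probing of one path shows up as a single row with a count and a time window, which is the shape most SIEM or ticketing hand-offs want. Because the patch fixes only the known attack vector, a non-empty result is a reason to prioritise the cumulative hotfix on that instance, not a sign that the instance is fully protected.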

To avoid vulnerability impact, Sitecore strongly recommends applying hotfixes rather than installing the patch.

Validation

To verify that the fix has been applied successfully, compare the SHA256 hash of the files in the \bin folder of your website with the hash values of the files in the \bin folder of the applied fix. You can compare hash values manually or with a tool such as WinMerge.

The SHA256 hash of the assembly can be generated using Windows PowerShell command Get-FileHash, for example, using the script sample below. Note that the following script sample is provided as a starting point only and can vary depending on your needs.

Get-FileHash -Path "path to bin folder\*.dll" -Algorithm SHA256 | Select-Object @{Name='Name';Expression={[System.IO.Path]::GetFileName($_.Path)}}, Hash
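Comparing two hash listings by eye is error-prone when a \bin folder holds hundreds of assemblies. The script below is an added example and is not the bulletin's own validation script: it builds a SHA256 manifest from the \bin folder unpacked from the hotfix and checks every one of those assemblies against the website's \bin folder, reporting each file as OK, Mismatch or Missing. Both folder paths are placeholders that must be adjusted to your deployment.

```powershell
# Added example, not code from the Sitecore bulletin: compare the website's \bin
# assemblies against the \bin folder shipped in the hotfix, using the same
# Get-FileHash -Algorithm SHA256 call the bulletin recommends.

function Compare-BinHashes {
    param(
        [Parameter(Mandatory)] [string] $ReferenceBin,   # \bin folder unpacked from the hotfix
        [Parameter(Mandatory)] [string] $SiteBin         # \bin folder of the deployed website
    )

    # Manifest of expected hashes, keyed by file name.
    $expected = @{}
    Get-ChildItem -Path $ReferenceBin -Filter *.dll -File | ForEach-Object {
        $expected[$_.Name] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }

    foreach ($name in ($expected.Keys | Sort-Object)) {
        $target = Join-Path -Path $SiteBin -ChildPath $name
        if (-not (Test-Path -Path $target)) {
            $status = 'Missing'
            $actual = $null
        } else {
            $actual = (Get-FileHash -Path $target -Algorithm SHA256).Hash
            $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'Mismatch' }
        }
        [pscustomobject]@{
            File     = $name
            Status   = $status
            Expected = $expected[$name]
            Actual   = $actual
        }
    }
}

# Placeholder paths (assumptions): point them at the unpacked hotfix and your site.
$result = Compare-BinHashes -ReferenceBin 'C:\hotfix\bin' `
                            -SiteBin      'C:\inetpub\wwwroot\<site>\bin'

$result | Format-Table File, Status -AutoSize

$problems = $result | Where-Object { $_.Status -ne 'OK' }
if ($problems) {
    Write-Warning ("Fix is not fully applied on this instance: {0} file(s) Missing or Mismatch." -f $problems.Count)
} else {
    Write-Host 'All hotfix assemblies match the deployed \bin folder.'
}
```

Run the comparison on every role (CM, CD, Processing, Reporting, EXM Dispatch), since the FAQ below notes the issue affects all of them; a Missing row on a CD instance typically means the hotfix was installed on CM but never synced out. The same approach validates the partial patch, where the single assembly to check is Sitecore.Support.576660.dll.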

FAQ

Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore XP Core server roles. Apply the solution above to each role.


If we use Azure Marketplace to install the instance soon, for example 10.3, will it include the hotfix mentioned above or will we still need to apply it manually? Are hotfixes automatically rolled in the Azure Marketplace?
No, hotfixes aren't automatically rolled into the Azure Marketplace. Azure Marketplace supports the same versions that have been released at dev.sitecore.net. If the issue has not been fixed in the released versions, apply the above solution to your instance.


Can I install an isolated hotfix for the current issue only?
There is no isolated hotfix for the issue. All the fixes are always merged into a single cumulative hotfix. By applying the latest cumulative hotfix you ensure you do not lose any fixes that have been installed previously. To understand what fixes have been included to the cumulative hotfix, see release notes inside the package. For example, for 10.3, see the "Sitecore 10.3.x rev. xxxxxx PRE/Documentation/Sitecore.Platform.Releasenotes 10.3.x rev. xxxxxx PRE.md" file.


What can I do if the fix is shown as infected by malware? 
This is a false-positive known issue in Microsoft's SharePoint. Contact Sitecore Support to resolve the issue.


How can I fix the issue for 8.2?
For 8.2.7 and earlier versions you can apply the Sitecore.Support.576660 patch from the Solution section. Because 8.2.7 and earlier versions have entered the Sustaining Support phase and Sitecore does not provide hotfix packages for them, Sitecore recommends upgrading to a later version and applying the corresponding hotfix.


Is it possible to provide more information regarding the vulnerability?
No, it is not possible due to security reasons. In particular, this might lead to scenario disclosure and cause a severe impact on the customers.

Does the removal of sitecore_xaml.ashx handler from web.config and sitecore.config on CD instances mitigate the security issue?
No, these steps are not sufficient to mitigate the vulnerability. The cumulative hotfix from the Solution section must also be installed.


Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.


History Of Updates