This security bulletin, SC2023-003-587441, addresses a Critical severity vulnerability (582720) and a High severity vulnerability (584731) in Sitecore software. Successful exploitation of these vulnerabilities might lead to remote code execution and unauthorized access to information.
We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the Solution to all affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.
The vulnerability impacts the following Sitecore products:
Sitecore Products | Impact |
Experience Manager (XM) | Impacted* |
Experience Platform (XP) | Impacted* |
Experience Commerce (XC) | Impacted* |
Managed Cloud | Impacted** |
XM Cloud | Not impacted |
Content Hub | Not impacted |
CDP and Personalize (formerly Boxever) | Not impacted |
OrderCloud (formerly Four51 OrderCloud) | Not impacted |
Storefront (formerly Four51 Storefront) | Not impacted |
Moosend | Not impacted |
Send | Not impacted |
Discover (formerly Reflektion) | Not impacted |
Commerce Server | Not impacted |
* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted.
** Managed Cloud customers who run the affected Experience Platform versions are affected.
This Security Bulletin might receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.
If you want to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.
To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the definitions from the Severity Definitions for Security Vulnerabilities to report security issues.
To mitigate the vulnerability, apply the fixes to the affected Sitecore systems according to your deployment. Follow the installation instructions in the readme file (when available).
Note that the hotfix must be installed on a CM instance and then synced to the other instances using standard development practices. For pre-releases, follow the guidelines in the official Sitecore documentation and the related KB articles.
Sitecore strongly recommends that you install the appropriate fix from the Permanent Solution section at the earliest opportunity. If it is not possible to apply the permanent fix quickly, the following temporary solution can be used in the meantime:
\website root\sitecore modules\Web\ExperienceExplorer\Dialogs\SelectUser.xaml.xml
Apply the following patch to all Sitecore roles, for all impacted product versions.
Note that the patch file Sitecore.Support.576660 below is identical to the one provided in Security Bulletin SC2023-002-576660. If you have already applied it as a partial solution for that bulletin, there is no need to apply it again.
Important notes: The temporary solution might be faster to apply in complex Sitecore XP environments, but it has a side effect: you can no longer select a user in the Associated Sitecore User dialog window when creating an Explore mode preset (you can still type the user name directly into the field). Also, the temporary solution only partially fixes the remote code execution issue: it addresses the primary attack vectors but does not replace the permanent fix.
To verify that the fix has been applied successfully, compare the SHA256 hashes of the files in the \bin folder of your website with the hashes of the files in the \bin folder of the applied fix. You can compare the hash values manually or with a tool such as WinMerge.
The SHA256 hash of an assembly can be generated with the Windows PowerShell cmdlet Get-FileHash, for example, using the script sample below. Note that this sample is provided as a starting point only and can be adapted to your needs.
Get-FileHash -Path "path to bin folder\*.dll" -Algorithm SHA256 | Select-Object @{Name='Name';Expression={[System.IO.Path]::GetFileName($_.Path)}}, Hash
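The following script is an added example written for this page, not code from the Sitecore bulletin or hotfix package. It extends the one-liner above into the full check the bulletin describes: every file in the hotfix package's \bin folder is hashed and compared with the same file in the website's \bin folder, and any missing or mismatching file is reported. Both folder paths are placeholders, and the hotfix package is assumed to have been unpacked to disk so its \bin folder can be read.

```powershell
# Added example, not part of the Sitecore bulletin: verify a hotfix by hashing every file
# shipped in the hotfix package's \bin folder and comparing it with the same file in the
# website's \bin folder. Both paths used below are placeholders (assumptions), and the
# hotfix package is assumed to have been unpacked so that its \bin folder is on disk.
function Compare-HotfixBin {
    param(
        [Parameter(Mandatory)] [string] $WebsiteBin,  # <website root>\bin of the role being checked
        [Parameter(Mandatory)] [string] $HotfixBin    # \bin folder of the unpacked hotfix package
    )
    foreach ($file in Get-ChildItem -LiteralPath $HotfixBin -File) {
        $expected = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
        $deployedPath = Join-Path -Path $WebsiteBin -ChildPath $file.Name
        if (-not (Test-Path -LiteralPath $deployedPath)) {
            $deployed = $null
            $status = 'Missing'      # the hotfix file never reached this instance
        } else {
            $deployed = (Get-FileHash -LiteralPath $deployedPath -Algorithm SHA256).Hash
            $status = if ($deployed -eq $expected) { 'Match' } else { 'Mismatch' }
        }
        [pscustomobject]@{
            File     = $file.Name
            Status   = $status
            Expected = $expected
            Deployed = $deployed
        }
    }
}

# Run this on every role (CM, CD, Reporting, Processing, EXM Dispatch): the fix counts as
# applied on an instance only when every row reports Match.
$report = Compare-HotfixBin -WebsiteBin 'C:\inetpub\wwwroot\website\bin' -HotfixBin 'C:\temp\hotfix\bin'
$report | Format-Table -AutoSize
$problems = @($report | Where-Object { $_.Status -ne 'Match' })
if ($problems.Count -gt 0) {
    Write-Warning ("Hotfix not fully applied: " + ($problems.File -join ', '))
} else {
    Write-Host 'All hotfix files match the deployed \bin folder.'
}
```

The comparison is driven by the hotfix folder rather than the website folder on purpose: the website \bin contains many assemblies the hotfix does not touch, and only the files the hotfix ships need to match. A Mismatch usually means an older copy of the same assembly was deployed over the hotfix by a later release; a Missing file means the hotfix was never synced to that instance.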
Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore XP Core server roles. Apply the solution above to each role.
If we use Azure Marketplace to install the instance soon, for example 10.3, will it include the hotfix mentioned above or will we still need to apply it manually? Are hotfixes automatically rolled in the Azure Marketplace?
No, hotfixes are not automatically rolled into the Azure Marketplace. The Azure Marketplace offers the same versions that have been released at dev.sitecore.net. If the issue has not been fixed in the released version you install, apply the solution above to your instance.
Errors like "Calling Namespace.Class.Method method through reflection is not allowed" are thrown when installing the hotfix from Solution. How can I fix it and what is the reason?
Hotfixes might add an additional security layer that prevents the execution of unexpected methods through reflection. You can add the method that you cannot call to the allow list for invocation in the "Sitecore.Reflection.Filtering.config" file. Consider one of the following methods:
Allow a single method by its exact type, method name, and assembly:
<allowedMethods>
  <descriptor type="SampleNameSpace.MyClass" methodName="MyMethod" assemblyName="MyAssembly"/>
</allowedMethods>
Allow methods by pattern, where "value" is a regular expression matched against the method name string in the format "NameSpace.Class.Method,AssemblyName". If a method is passed by a pattern rule, a warning is logged; this warning is logged once per method:
<allowedPatterns>
  <pattern value="^Sitecore\..*,Sitecore\..*$"/>
</allowedPatterns>
Prefer the explicit descriptor where you can: a pattern as broad as the one above re-enables reflection invocation for every matching method in every matching assembly, which weakens the protection the hotfix adds.
Notes:
The error might also occur if the method in question was added to the block list of methods that are forbidden to call in the "Sitecore.Reflection.Filtering.config" file:
<forbiddenMethods>
  <descriptor type="SampleNameSpace.MyClass" methodName="MyMethod" assemblyName="MyAssembly"/>
</forbiddenMethods>
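The following script is an added example written for this page, not Sitecore's own code. It shows how the three sections above compose in one document and lets you dry-run a method against a copy of the config before editing the real file. The sample config is constructed from the fragments on this page; the order in which the real filter evaluates its sections is not documented here, so the function assumes that a forbiddenMethods descriptor wins over any allow rule, that allowedMethods is checked before allowedPatterns, and that the pattern regular expressions are case-sensitive. The type, method and assembly names in the calls at the end are placeholders.

```powershell
# Added example, not from the Sitecore bulletin: evaluate a method against the
# allowedMethods / allowedPatterns / forbiddenMethods sections of a copy of
# Sitecore.Reflection.Filtering.config. Assumptions (not documented on this page):
# forbidden descriptors win over allow rules, allowedMethods is checked before
# allowedPatterns, and the pattern regexes are case-sensitive.
function Test-ReflectionCall {
    param(
        [Parameter(Mandatory)] [xml]    $Config,        # parsed config document
        [Parameter(Mandatory)] [string] $Type,          # e.g. SampleNameSpace.MyClass
        [Parameter(Mandatory)] [string] $MethodName,    # e.g. MyMethod
        [Parameter(Mandatory)] [string] $AssemblyName   # e.g. MyAssembly
    )
    # allowedPatterns are matched against this form: "NameSpace.Class.Method,AssemblyName"
    $candidate = "$Type.$MethodName,$AssemblyName"

    # A <descriptor> matches only when all three attributes are equal.
    $hasDescriptor = {
        param([string] $Section)
        foreach ($d in $Config.SelectNodes("//$Section/descriptor")) {
            if ($d.GetAttribute('type')         -eq $Type -and
                $d.GetAttribute('methodName')   -eq $MethodName -and
                $d.GetAttribute('assemblyName') -eq $AssemblyName) { return $true }
        }
        return $false
    }

    if (& $hasDescriptor 'forbiddenMethods') {
        return [pscustomobject]@{ Method = $candidate; Allowed = $false; Rule = 'forbiddenMethods descriptor' }
    }
    if (& $hasDescriptor 'allowedMethods') {
        return [pscustomobject]@{ Method = $candidate; Allowed = $true;  Rule = 'allowedMethods descriptor' }
    }
    foreach ($p in $Config.SelectNodes('//allowedPatterns/pattern')) {
        $regex = $p.GetAttribute('value')
        if ($candidate -cmatch $regex) {
            # Allowed by pattern: the filter logs a warning once per method matched this way.
            return [pscustomobject]@{ Method = $candidate; Allowed = $true; Rule = "allowedPatterns: $regex" }
        }
    }
    # No rule matched: this is the case that raises
    # "Calling Namespace.Class.Method method through reflection is not allowed".
    return [pscustomobject]@{ Method = $candidate; Allowed = $false; Rule = 'no matching rule' }
}

# Constructed sample config: only the element and attribute names shown in the bulletin are
# used. The real file's outer nesting does not matter here because the XPath queries above
# search the whole document.
$sampleConfig = [xml]@'
<filtering>
  <allowedMethods>
    <descriptor type="SampleNameSpace.MyClass" methodName="MyMethod" assemblyName="MyAssembly"/>
  </allowedMethods>
  <allowedPatterns>
    <pattern value="^Sitecore\..*,Sitecore\..*$"/>
  </allowedPatterns>
  <forbiddenMethods>
    <descriptor type="SampleNameSpace.MyClass" methodName="Dangerous" assemblyName="MyAssembly"/>
  </forbiddenMethods>
</filtering>
'@

# Placeholder names covering the four outcomes:
Test-ReflectionCall $sampleConfig 'SampleNameSpace.MyClass' 'MyMethod'  'MyAssembly'      # Allowed, allowedMethods
Test-ReflectionCall $sampleConfig 'Sitecore.Shell.Sample'   'Invoke'    'Sitecore.Sample' # Allowed, allowedPatterns (warning logged once)
Test-ReflectionCall $sampleConfig 'SampleNameSpace.MyClass' 'Dangerous' 'MyAssembly'      # Not allowed, forbiddenMethods
Test-ReflectionCall $sampleConfig 'Other.Namespace.Class'   'Method'    'Other'           # Not allowed, no rule: the reflection error
```

Point the function at your real file with `[xml](Get-Content -Raw 'path\to\Sitecore.Reflection.Filtering.config')` to see which rule (if any) a failing method would hit; if the answer is "no matching rule", add a descriptor for that exact method rather than widening a pattern.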
Can I install a non-cumulative hotfix that addresses only the current issue?
There is no non-cumulative hotfix for this issue. All fixes are always merged into a single cumulative hotfix. By applying the latest cumulative hotfix you ensure that you do not lose any fixes that were installed previously. To see which fixes are included in a cumulative hotfix, see the release notes inside the package. For example, for 10.3, see the "Sitecore 10.3.x rev. xxxxxx PRE/Documentation/Sitecore.Platform.Releasenotes 10.3.x rev. xxxxxx PRE.md" file.
What can I do if the fix is shown as infected by malware?
This is a known false positive in Microsoft SharePoint. Contact Sitecore Support to resolve the issue.
How can I fix the issue for 8.2?
For 8.2.7 and earlier versions, you can apply the steps from the Temporary Solution section. Because 8.2.7 and earlier versions have entered the Sustaining Support phase and Sitecore does not provide hotfix packages for them, Sitecore recommends upgrading to a later version and applying the corresponding hotfix.
Is it possible to provide more information regarding the vulnerability?
No, it is not possible for security reasons. In particular, disclosing details might reveal the exploitation scenario and cause severe impact on customers.
Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.