Security Bulletin SC2024-001-619349


Description

This article reports a critical vulnerability (SC2024-001-619349) in Sitecore software that creates a risk of unauthenticated arbitrary file reads. A solution is available.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the solution to all the affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.

The vulnerability impacts the following Sitecore products:

Sitecore Products                              Impact
Experience Manager (XM)                        Impacted*
Experience Platform (XP)                       Impacted*
Experience Commerce (XC)                       Impacted*
Managed Cloud                                  Impacted**
XM Cloud                                       Not impacted
Content Hub                                    Not impacted
CDP and Personalize (formerly Boxever)         Not impacted
OrderCloud (formerly Four51 OrderCloud)        Not impacted
Storefront (formerly Four51 Storefront)        Not impacted
Moosend                                        Not impacted
Send                                           Not impacted
Discover (formerly Reflektion)                 Not impacted
Search                                         Not impacted
Commerce Server                                Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 8.0 Initial Release to 10.4 Initial Release. The issue affects Content Management (CM) and Standalone instances. PaaS solutions and containerized solutions are also affected.

** Managed Cloud customers who run the affected Experience Platform versions are affected. Only Content Management (CM) and Standalone Managed Cloud instances are affected.

This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.

If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Recommended Solution

To mitigate the vulnerability, apply the fixes to the affected Sitecore systems according to your deployment type. Follow the guidelines from the official Sitecore documentation and the related KB articles.

Note that Sitecore is currently preparing a minor update for version 10.1 that includes the fix; it will be ready shortly.

Optional Solution

Sitecore strongly recommends that you install the appropriate fix from the Recommended Solution section at the earliest opportunity. If the permanent fix cannot be applied quickly, the following temporary solution can be applied to the affected Sitecore systems instead. The patch can be used for all impacted product versions from 9.1 Initial Release to 10.4 Initial Release. Follow these installation instructions:

  1. Download and unpack the Sitecore.Support.619349.zip archive.
  2. Place the Sitecore.Support.619349.dll in the \bin folder.
  3. Place the Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.


FAQ

Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
The issue impacts only Content Management (CM) and Standalone roles. Apply the above solution to the specified roles.

If we use Azure Marketplace to install XM/XP/XC now, for example 10.3, will it include the hotfix mentioned above or will we still need to apply it manually? Are hotfixes automatically rolled into the Azure Marketplace?
No, hotfixes are not automatically rolled into the Azure Marketplace. Azure Marketplace supports the same versions that have been released at dev.sitecore.net. If the issue has not been fixed in the released versions, apply the above solution to your instance.


How can I fix the issue for 9.0.2 or earlier version?

For 9.0.2 and earlier versions, follow these installation instructions:

  1. Download and unpack the Sitecore.Support.61934-8.0.0-9.0.2.0.zip archive.
  2. Place the Sitecore.Support.619349.dll in the \bin folder.
  3. Place the Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.

Because 9.0.2 and earlier versions have entered the Sustaining Support phase and Sitecore does not provide hotfix packages for them, Sitecore recommends upgrading to a later version and applying the corresponding hotfix.
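The three installation steps above (both for the 9.1 to 10.4 package and for the 8.0.0 to 9.0.2 package) are the same file placement with a different archive name, so an administrator can script them and verify the result on each CM or Standalone instance. The script below is an added example, not Sitecore's own tooling: it assumes $Webroot is the IIS site root of the instance and $ZipPath is whichever support archive was downloaded; the sitecore\shell\sitecore.version.xml read is an assumption about the standard install layout and is only informational.

```powershell
# Added example (not Sitecore's code): install the Sitecore.Support.619349
# temporary patch into a CM/Standalone webroot and verify the placement.
# Assumptions: $Webroot is the IIS site root, $ZipPath is the downloaded
# support archive (either package name from the bulletin).
param(
    [Parameter(Mandatory)][string]$Webroot,
    [Parameter(Mandatory)][string]$ZipPath
)

$ErrorActionPreference = 'Stop'

$dllName    = 'Sitecore.Support.619349.dll'
$configName = 'Sitecore.Support.619349.config'
$binDir     = Join-Path $Webroot 'bin'
# zzz is the last Include subfolder merged, so the patch config wins over other patches
$includeDir = Join-Path $Webroot 'App_Config\Include\zzz'

# Informational: report the instance version (file path is an assumption about the layout)
$versionFile = Join-Path $Webroot 'sitecore\shell\sitecore.version.xml'
if (Test-Path $versionFile) {
    [xml]$v = Get-Content -LiteralPath $versionFile
    $ver = $v.information.version
    Write-Host ("Sitecore version: {0}.{1}.{2}" -f $ver.major, $ver.minor, $ver.build)
}

# Step 1: unpack the archive into a staging folder
$stage = Join-Path ([IO.Path]::GetTempPath()) ('sc619349-' + [guid]::NewGuid())
Expand-Archive -LiteralPath $ZipPath -DestinationPath $stage

$dllSrc = Get-ChildItem -Path $stage -Recurse -Filter $dllName    | Select-Object -First 1
$cfgSrc = Get-ChildItem -Path $stage -Recurse -Filter $configName | Select-Object -First 1
if (-not $dllSrc -or -not $cfgSrc) {
    throw "Archive does not contain both $dllName and $configName"
}

# Steps 2 and 3: place the DLL in \bin and the config in \App_Config\Include\zzz
New-Item -ItemType Directory -Path $includeDir -Force | Out-Null
Copy-Item -LiteralPath $dllSrc.FullName -Destination (Join-Path $binDir $dllName)        -Force
Copy-Item -LiteralPath $cfgSrc.FullName -Destination (Join-Path $includeDir $configName) -Force
Remove-Item -LiteralPath $stage -Recurse -Force

# Verification: both files must be present, otherwise exit non-zero for the deployment job
$checks = @(
    @{ Name = 'DLL in bin';          Path = Join-Path $binDir $dllName },
    @{ Name = 'Config in Include\zzz'; Path = Join-Path $includeDir $configName }
)
$failed = $false
foreach ($c in $checks) {
    $ok = Test-Path -LiteralPath $c.Path
    Write-Host ('{0,-24} {1}' -f $c.Name, $(if ($ok) { 'OK' } else { 'MISSING' }))
    if (-not $ok) { $failed = $true }
}
if ($failed) { exit 1 }
```

Run it once per affected instance, for example `.\Install-Patch619349.ps1 -Webroot 'D:\inetpub\wwwroot\sc.local' -ZipPath '.\Sitecore.Support.619349.zip'`. Copying a DLL into \bin makes ASP.NET restart the application domain, so expect a brief recycle of the site. The script only confirms that the files are in place; it does not test the vulnerability itself, which the bulletin deliberately does not describe.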


Is it possible to provide more information regarding the vulnerability?

No, it is not possible for security reasons. In particular, publishing further details could disclose the exploitation scenario and cause severe impact on customers.

Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.

History Of Updates