Description
This article reports Critical vulnerability (SC2024-002-624693) in Sitecore software, for which there is a solution available.
This issue is related to remote code execution through insecure deserialization.
We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the Solution to all the affected Sitecore instances. We also recommend that customers maintain their environments in security-supported versions and apply all available security fixes without delay.
The vulnerability impacts the following Sitecore products:
| Sitecore Products | Impact |
| Experience Manager (XM) | Impacted* |
| Experience Platform (XP) | |
| Managed Cloud | Impacted** |
| XM Cloud | Not impacted |
| Content Hub | Not impacted |
| CDP and Personalize (formerly Boxever) | Not impacted |
| OrderCloud (formerly Four51 OrderCloud) | Not impacted |
| Storefront (formerly Four51 Storefront) | Not impacted |
| Moosend | Not impacted |
| Send | Not impacted |
| Discover (formerly Reflektion) | Not impacted |
| Search | Not impacted |
| Commerce Server | Not impacted |
* The vulnerability impacts all Experience Platform topologies (XM, XP) from 10.4 Initial Release.
** Managed Cloud customers who run the affected Experience Platform versions are affected. Only Content Management (CM) and Standalone Managed Cloud instances are affected.
This Security Bulletin may receive additional updates as further details are discovered, and the History Of Updates section will provide a detailed list of all the changes.
If you would like to receive notifications about new Security Bulletins, subscribe to the Security Bulletins.
Severity Definitions
To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.
Recommended Solution
To mitigate the vulnerability, it is recommended that you apply the fixes to the affected Sitecore systems depending on your deployment. Follow the installation instructions from the readme file (when available).
- For on-prem and PaaS:
- For 10.4, download and install the corresponding cumulative hotfix available in KB1002844 (section "On top of any update" recommended)
- For 10.4, download and install the corresponding cumulative hotfix available in KB1002844 (section "On top of any update" recommended)
- For containers:
- For 10.4 running in a containerized environment, the cumulative hotfix should be applied according to the guidance from the linked Cumulative hotfix articles. For more details refer to Deploy a Sitecore XP pre-release using Docker.
Optional Solution
Sitecore strongly recommends you to install the appropriate fix from the Recommended Solution section at the earliest opportunity. If it is not possible to apply permanent fixes quickly, the following temporary solution can be used as well to the affected Sitecore systems. Apply the patch that follows on the CM and the Standalone servers.
- Download the Sitecore.Support.624693.config file.
- Place the Sitecore.Support.624693.config to the \App_Config\Include\zzz folder.
Note: This patch disables Sitecore screenshot thumbnail functionality. It is strongly recommended to apply the pre-release.
Validation
To validate that the fix for the current vulnerability has been installed in your solution, ensure that the version of the Sitecore.Kernel assembly is equal or greater than 19.4.93.21984:
FAQ
Does the issue affect all Sitecore XP Core server roles (Content Delivery, Content Management, Reporting, Processing, EXM Dispatch)?
The issue impacts only Content Management (CM) and Standalone roles. Apply the above solution to all roles.
No, it is not possible due to security reasons. In particular, this might lead to the scenario disclosure which would negatively impact customers.
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium subscriptions. Apply the solution above to mitigate the vulnerability.
To identify your Sitecore version and installed components, follow the instructions from KB0891209.
History Of Updates
- 04-Dec-2024: The article was created.
- 10-Dec-2024: Added the Validation section; removed XC from impacted products since XC was stopped at 10.3.
- 06-Jan-2025: Published the article listed.