Security Bulletins - Security Bulletin SC2019-001-302938

The information on the latest update

Description

In this security bulletin, we bring you information on new security-related developments at Sitecore.

We are reporting Critical vulnerability (SC2019-001-302938), for which there is a fix available.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.

If you want to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:
KB0608800

Versions

Versions affected

Vulnerability SC2019-001-302938 affects the following versions:

All Sitecore XP 8.2.x versions
All Sitecore XP 9.0.x versions
Sitecore XP 9.1 Initial Release.

Vulnerability is applicable to all Sitecore systems running affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, and so on), which are exposed to the internet and have the pages under the /sitecore/admin path accessible to Sitecore users.

A hotfix/patch is available for all affected Sitecore XP versions.

Versions not affected

Sitecore CMS/XP 6.3 — 8.1 versions are not vulnerable.
Sitecore xDB Cloud environments are not affected.
The issue was fixed in Sitecore XP 9.1 Update-1.

Solution

To resolve the issue, consider one of the following options:

Upgrade Sitecore XP instance to Sitecore XP 9.1.1 or later.
Download and install the patch compatible with the affected product version:
- For Sitecore XP 8.2.0 — 8.2.7: Sitecore.Support.302938-8.2.7.0
- For Sitecore XP 9.0.0 — 9.1.0: Sitecore.Support.302938-9.0.1.1
Note: refer to the readme.html file inside the archive for installation instructions.

History of updates

29-May-2019: added the note that the issue was fixed in Sitecore XP 9.1 Update-1.
11-Sep-2019: added a link to Security Bulletins RSS Feed was added.
30-Sep-2019: removed a typo in the patch link.
30-Jun-2021: changed a broken link in "Security Bulletins RSS Feed" to KB1000489, made minor changes in styling.
07-Feb-2022: updated Solution.