Security Bulletin SC2019-001-302938

  • Description

    In this security bulletin we bring you information on new security-related developments at Sitecore.

    We are reporting a Critical vulnerability (SC2019-001-302938), for which there is a fix available.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.

  • Severity Definitions

    To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:
    https://kb.sitecore.net/articles/608800

  • Versions affected

    Vulnerability SC2019-001-302938 affects all versions of Sitecore XP 8.2, all versions of XP 9.0, and the Initial Release of XP 9.1.

    The vulnerability applies to all Sitecore systems running affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.), which are exposed to the internet and have the pages under the /sitecore/admin path accessible to Sitecore users.

    A hotfix/patch is available for all affected Sitecore XP versions.

  • Versions not affected

    Sitecore CMS/XP versions 6.3—8.1 are not vulnerable.

    Sitecore xDB Cloud environments are not affected.

  • Apply the following patch (compatible with all affected versions): Sitecore.Support.302938-9.0.1.1

    Note: see the readme.html file inside the archive for installation instructions.

Applies to:

CMS 8.2 Initial Release - 9.1 Initial Release

January 16, 2019

Reference number:

302938