Security Bulletin SC2017-001-170504

  • Description

    We have found a critical security vulnerability (2017-001-170504). There is a hotfix available.

    We encourage all Sitecore customers and partners to read the information below, then apply the hotfix to all Sitecore systems.

    To receive security notifications by email, please sign up for our security notification list here:

    http://www.sitecore.net/landing/xc/2016/xc-ops-sitecore-security-notifications

  • Severity Definitions

    To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the following definitions to categorize security issues:

    https://kb.sitecore.net/articles/608800

  • Versions affected:

    Vulnerability 2017-001-170504 affects all supported versions of the Sitecore Web Experience Manager and Sitecore® Experience Platform™ 6.5–8.2, and the Sitecore xDB Cloud environment. Versions after 8.2 Update-4 are not affected, and do not require a hotfix.

    This vulnerability affects all Sitecore systems running these versions. This includes both CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (Content Delivery, Content Management, Reporting, Processing, Publishing, etc.). It also impacts Sitecore-based intranet sites.

    With the exception of Sitecore CMS 6.5, a hotfix is available for all affected versions. Sitecore xDB Cloud environments have been patched.

    Due to technical limitations in providing a hotfix for Sitecore CMS 6.5, customers using that version are strongly encouraged to upgrade to Sitecore CMS 6.6, which is the earliest currently supported version of Sitecore.

  • Surface Area Reduction for all Sitecore versions (6.5–8.2)

    Sitecore uses a third-party dependency, Telerik, for parts of its user interface. By default, these controls are enabled in all Sitecore environments. To reduce the attack surface of your application, Sitecore strongly recommends that all customers remove the following configuration from every Sitecore server except Content Management, which requires these controls.

    Follow these steps:

    1. Open the web.config file within your Sitecore web root.
    2. Remove the following lines from the web.config file:
      <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
      <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
      <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
    3. Save and close the web.config file.

    To confirm that you have mitigated the issue in these environments, access the following URL for your site: http://<your_hostname_here>/Telerik.Web.UI.WebResource.axd

    If you receive an HTTP status code 200, the controls are still exposed and you should recheck your web.config file to ensure that the lines listed above have been removed.

    If you receive an HTTP status code 404, the controls are no longer exposed. This is the desired outcome.

  • Fix for Sitecore CMS 6.5

    Due to the technical limitations of providing a hotfix for this Sitecore CMS version, customers are strongly encouraged to upgrade to a version of Sitecore for which a fix exists for this issue. Sitecore CMS 6.6 is the earliest version for which there is a hotfix available.

    If upgrading is not possible, you must ensure that your attack surface is reduced by following the steps in the previous section for any Sitecore servers that are exposed to the internet.

    This will still leave your Content Management system at risk. However, the risk is reduced if the Content Management environment is not exposed to the internet.

  • Fix for Sitecore versions 6.6–8.2

    Apply the following hotfix to your Content Management server(s) to mitigate the vulnerability for Sitecore versions 6.6–8.2. Versions 8.2 Update-4 and beyond are not affected, and do not require this hotfix.

    1. Download the ZIP archive containing the hotfix (download only the hotfix specific to your Sitecore version):
    2. Backup the following files in your Sitecore website folder:
      • \bin\Telerik.Web.UI.dll
      • \bin\Telerik.Web.UI.Skins.dll
      • \bin\Telerik.Web.UI.xml
      • \sitecore\shell\Controls\Rich Text Editor\RTEfixes.js
    3. Extract the contents of the archive to the Sitecore website folder.
    4. Open the web.config file within your Sitecore website root folder.
    5. Add the following lines within the <appSettings> node:
      <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
      <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
      <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    6. Replace the placeholder text "YOUR_ENCRYPTION_KEY_HERE" with a string of characters that will be used to secure the capabilities of the Telerik controls. The string should be a set of random letters and numbers, up to a length of 256 characters. We recommend using at least 32 characters.
    7. Under the <assemblyBinding> node of the <runtime> section in the web.config file, add the following configuration depending upon your Sitecore version:
      • Sitecore 6.6
        <dependentAssembly>
          <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
          <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.35" />
        </dependentAssembly>
      • Sitecore 7.0–8.0
        <dependentAssembly>
          <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
          <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.45" />
        </dependentAssembly>
      • Sitecore 8.1–8.2
        <dependentAssembly>
          <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
          <bindingRedirect oldVersion="2015.1.401.45" newVersion="2017.2.621.45" />
        </dependentAssembly>
    8. Save and close the web.config file.
    9. Clear the browser cache.
    10. If you have a <machineKey> node under the <system.web> section in the web.config file, generate a new Machine Key. You can use the generator in the IIS Manager application: https://blogs.msdn.microsoft.com/amb/2012/07/31/easiest-way-to-generate-machinekey.
    • The hotfix for Sitecore XP 8.1–8.2 was updated on 18 July 2017. It now includes the RTEfixes.js file, which fixes some minor issues introduced by the updated assemblies. These issues do not affect the security of Telerik controls and are related to inserting and deleting hyperlinks in the Rich Text Editor fields. We recommend that you apply the newer version of the 8.1–8.2 hotfix to avoid these problems. The hotfixes for versions 6.6–8.0 were not updated and do not need to be re-applied.
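    As an added example (not Sitecore's own tooling), the following Python script audits a server's web.config against both parts of this bulletin: the Telerik handler removal on every role other than Content Management, and the hotfix's three appSettings keys (present, not the placeholder, at least 32 characters) plus the bindingRedirect target for the server's Sitecore version range. The sample web.config, the role strings and the range labels ("6.6", "7.0-8.0", "8.1-8.2") are constructed assumptions for this example.

```python
import xml.etree.ElementTree as ET

PLACEHOLDER = "YOUR_ENCRYPTION_KEY_HERE"
TELERIK_KEYS = ("Telerik.AsyncUpload.ConfigurationEncryptionKey", "Telerik.Upload.ConfigurationHashKey",
                "Telerik.Web.UI.DialogParametersEncryptionKey")
# Telerik.Web.UI newVersion that the bulletin's bindingRedirect sets for each Sitecore range.
EXPECTED_REDIRECT = {"6.6": "2014.1.403.35", "7.0-8.0": "2014.1.403.45", "8.1-8.2": "2017.2.621.45"}
ASM = "{urn:schemas-microsoft-com:asm.v1}"  # namespace of the assemblyBinding section

# Constructed sample (not a real Sitecore web.config): a Content Delivery server that still
# registers a Telerik handler, keeps one placeholder key and carries the 7.0-8.0 redirect.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings><add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" /></appSettings>
  <system.webServer><handlers>
    <add name="Telerik_Web_UI_WebResource_axd" verb="*" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />
  </handlers></system.webServer>
  <runtime><assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1"><dependentAssembly>
    <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
    <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.45" />
  </dependentAssembly></assemblyBinding></runtime>
</configuration>"""

def telerik_handlers(root):
    """Names of Telerik HTTP handlers still registered under system.webServer/handlers."""
    return [h.get("name") for hs in root.iter("handlers") for h in hs.findall("add")
            if (h.get("path") or "").startswith("Telerik.Web.UI.")]

def weak_telerik_keys(root):
    """Hotfix appSettings keys that are missing, still the placeholder, or shorter than 32 chars."""
    present = {a.get("key"): a.get("value", "") for a in root.findall("./appSettings/add")}
    return [k for k in TELERIK_KEYS
            if k not in present or present[k] == PLACEHOLDER or len(present[k]) < 32]

def telerik_redirect_version(root):
    """newVersion of the Telerik.Web.UI bindingRedirect, or None when there is none."""
    for dep in root.iter(ASM + "dependentAssembly"):
        ident = dep.find(ASM + "assemblyIdentity")
        if ident is not None and ident.get("name") == "Telerik.Web.UI":
            redirect = dep.find(ASM + "bindingRedirect")
            return None if redirect is None else redirect.get("newVersion")
    return None

def audit(xml_text, role, sitecore_range):
    """Findings for one server's web.config; an empty list means the bulletin's steps are in place."""
    root = ET.fromstring(xml_text)
    findings = [f"key not set: {k}" for k in weak_telerik_keys(root)]
    if role != "Content Management":  # CM needs the controls; every other role should drop them
        findings += [f"handler still exposed: {n}" for n in telerik_handlers(root)]
    if telerik_redirect_version(root) != EXPECTED_REDIRECT[sitecore_range]:
        findings.append("bindingRedirect does not target the hotfix assembly version")
    return findings
```

Run `audit(open("web.config").read(), role, sitecore_range)` on each server; the web.config walk is a static check only, so still confirm the 404 on /Telerik.Web.UI.WebResource.axd as described above.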

Applies to:

CMS 6+

July 07, 2017
August 18, 2017

Keywords:

  • CMS
  • Rich Text Editor