Security Bulletin SC2016-001-128003

  • In this security bulletin we bring you information on new security-related developments at Sitecore.

    We are reporting a Critical vulnerability (SC2016-001-128003), for which there is a hotfix available.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the hotfix to all Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:
    https://kb.sitecore.net/articles/608800

  • Versions affected

    Vulnerability SC2016-001-128003 affects all versions of Sitecore XP 7.5, all versions of XP 8.0, all versions of XP 8.1, and Initial Release of XP 8.2.

    The vulnerability is applicable to all Sitecore systems running affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.). It is also applicable to non-externally accessible Sitecore environments, such as intranets.

    A hotfix is available for all affected Sitecore versions.

    Versions not affected

    Currently supported Sitecore CMS versions 6.3—7.2 are not vulnerable.

    The vulnerability has been fixed in Sitecore XP 8.2 Update-1.

    Sitecore xDB Cloud environments are not affected, as the appropriate fix has already been implemented.

  • Use any of the following options to install the hotfix.

    Using Sitecore Package Installation Wizard

    1. Download the Sitecore Package with the hotfix from here.
    2. On every Sitecore instance, log in to the Sitecore Desktop.
    3. Go to Start => Development Tools => Installation Wizard.
    4. Follow the wizard to install the hotfix package. Choose the Overwrite All option when asked.

    Using File System

    1. Download the ZIP archive with the hotfix from here.
    2. Extract the contents of the archive.
    3. On every Sitecore instance, copy the contents of the archive to the /Website folder.

    Please contact Sitecore Support if you experience difficulties installing the hotfix.

  • The fix introduces a whitelist of .NET types that can be a part of the session state. You can read more about the Sitecore session state here.

    For certain customer scenarios, the whitelist needs to be fine-tuned to include the object types that are actively used in the session state.

    The whitelist is configured via the \Website\App_Config\Include\Sitecore.SessionSerialization.config file.
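As an added illustration (example code, not Sitecore's implementation, which this bulletin does not publish), the following C# shows the general shape of the fix described above: a `SerializationBinder` that resolves only types on an explicit allowlist of `TypeName, AssemblyName` entries and refuses everything else before any instance is created. The class, method names and sample entries are constructed for this example; only the two warning texts follow the wording quoted in this bulletin.

```csharp
using System;
using System.Collections.Generic;
using System.Runtime.Serialization;

// Illustrative allow-list binder (example code, not Sitecore's implementation).
// Entries use the "TypeName, AssemblyName" form in which the bulletin's log
// messages also describe types.
public sealed class AllowListBinder : SerializationBinder
{
    private readonly Dictionary<string, Type> allowed =
        new Dictionary<string, Type>(StringComparer.Ordinal);

    public AllowListBinder(IEnumerable<string> allowedEntries)
    {
        foreach (var entry in allowedEntries)
        {
            var parts = entry.Split(',');
            // Resolve each entry once at start-up; an entry that does not exist in this
            // deployment is skipped with a warning rather than silently trusted.
            var resolved = parts.Length == 2 ? Type.GetType(entry, throwOnError: false) : null;
            if (resolved == null)
            {
                Console.WriteLine($"WARN  Failed to parse type. Input string: {entry}");
                continue;
            }
            allowed[Key(parts[0].Trim(), parts[1].Trim())] = resolved;
        }
    }

    private static string Key(string typeName, string assemblyName) => typeName + "|" + assemblyName;

    // Called by the formatter for every type it meets in the payload, before instantiating it.
    public override Type BindToType(string assemblyName, string typeName)
    {
        // Payloads carry the full assembly name ("MyAssembly, Version=..., Culture=..., PublicKeyToken=...");
        // compare on the simple name so a version bump does not silently break the allowlist.
        var simpleAssembly = assemblyName.Split(',')[0].Trim();
        if (allowed.TryGetValue(Key(typeName, simpleAssembly), out var type))
            return type;

        // Refusing here aborts deserialization of the whole payload; in the bulletin's
        // description this surfaces to the client as HTTP 400 (Bad Request).
        throw new SerializationException(
            $"Binding for type {typeName} from assembly {simpleAssembly} is not allowed.");
    }
}

public static class AllowListBinderDemo
{
    public static void Main()
    {
        // mscorlib on .NET Framework, System.Private.CoreLib on .NET Core / .NET 5+.
        string coreAssembly = typeof(string).Assembly.GetName().Name;

        var binder = new AllowListBinder(new[]
        {
            "System.String, " + coreAssembly,
            "System.Int32, " + coreAssembly,
            "Does.Not.Exist, MissingAssembly" // constructed entry: logs the parse warning and is skipped
        });

        // Allowed: resolves even though the payload names a specific assembly version.
        Console.WriteLine(binder.BindToType(coreAssembly + ", Version=4.0.0.0", "System.String"));

        try
        {
            binder.BindToType(coreAssembly, "System.IO.FileInfo"); // not on the list: rejected
        }
        catch (SerializationException ex)
        {
            Console.WriteLine("WARN  " + ex.Message);
        }
    }
}
```

The binder is handed to the formatter (for example via its `Binder` property) so that the decision happens on the type name alone, before the formatter allocates or populates any object; a deny-by-default list keyed on both type and assembly is what turns an open deserialization endpoint into one that only ever materialises the handful of types the application actually stores in session.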

    Adding types

    • If you are running a clustered environment (multiple Content Delivery instance groups in multiple locations) and have extended the session state to include custom object types, you will need to include those types within the whitelist.

      Note: This does not apply to objects stored in the standard ASP.NET session state using the standard ASP.NET API.

      If you do not extend the whitelist to include your custom session state types, you may receive an HTTP status error of 400 (Bad Request) and an entry in the Sitecore log in the following format:

      WARN  Binding for type MyCustomType from assembly MyCustomAssembly is not allowed.

      This message indicates that you have a type that is not currently in the <allowedTypes> node.

      To remedy this issue, add your custom type to the <allowedTypes> node, following the convention of the other types defined in Sitecore.SessionSerialization.config.

    • If you are not running a clustered environment, you do not need to extend the whitelist. This applies even when including custom object types in the session state or using Sitecore modules.

    Removing types

    Due to variations in the session state types across affected Sitecore versions, you may note entries like this in the Sitecore log files:

    WARN  Failed to parse type. Input string: SomeType, SomeAssembly

    This message indicates that a type was included in the <allowedTypes> node that does not exist in your Sitecore version.

    These warnings are benign, but to ensure that your log files are not polluted with an excessive amount of warnings, Sitecore recommends removing these items from the <allowedTypes> node. Sitecore has determined that these types of warnings may occur in Sitecore versions 7.5 and 8.0.
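A small triage helper for the two warning formats described under "Adding types" and "Removing types", added here as an example (not a Sitecore tool): it scans log lines, collects distinct "Binding for type ... is not allowed" hits as candidates for the `<allowedTypes>` node and distinct "Failed to parse type" hits as entries to remove. Only add a candidate when the conditions under "Adding types" apply to you and the type is one you recognise from your own code; an unfamiliar type in that warning is worth investigating rather than allowlisting. The sample log lines and their prefix layout are constructed; the WARN message texts are the bulletin's.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class AllowedTypesTriage
{
    // Both patterns come from the message formats quoted in the bulletin. The prefix is left open
    // because the thread/timestamp layout in front of the log level is not part of the message.
    private static readonly Regex NotAllowed = new Regex(
        @"WARN\s+Binding for type (?<type>\S+) from assembly (?<asm>\S+) is not allowed\.",
        RegexOptions.Compiled);

    private static readonly Regex ParseFailed = new Regex(
        @"WARN\s+Failed to parse type\. Input string: (?<entry>.+?)\s*$",
        RegexOptions.Compiled);

    // Returns the distinct "Type, Assembly" entries that were rejected (candidates to add, after review)
    // and the distinct allowlist entries that could not be resolved (safe to remove).
    public static (SortedSet<string> ToAdd, SortedSet<string> ToRemove) Triage(IEnumerable<string> logLines)
    {
        var toAdd = new SortedSet<string>(StringComparer.Ordinal);
        var toRemove = new SortedSet<string>(StringComparer.Ordinal);

        foreach (var line in logLines)
        {
            var m = NotAllowed.Match(line);
            if (m.Success)
            {
                toAdd.Add($"{m.Groups["type"].Value}, {m.Groups["asm"].Value}");
                continue;
            }

            m = ParseFailed.Match(line);
            if (m.Success)
                toRemove.Add(m.Groups["entry"].Value);
        }

        return (toAdd, toRemove);
    }

    public static void Main()
    {
        // Constructed sample log lines; only the WARN messages follow the bulletin's wording.
        var sample = new[]
        {
            "ManagedPoolThread #4 10:15:02 INFO  Job started: Publish",
            "ManagedPoolThread #7 10:15:09 WARN  Binding for type MyCustomType from assembly MyCustomAssembly is not allowed.",
            "ManagedPoolThread #2 10:16:41 WARN  Failed to parse type. Input string: SomeType, SomeAssembly",
            "ManagedPoolThread #7 10:17:03 WARN  Binding for type MyCustomType from assembly MyCustomAssembly is not allowed.",
        };

        var (toAdd, toRemove) = Triage(sample);

        Console.WriteLine("Rejected types (add to <allowedTypes> only if you own them and run a clustered environment):");
        foreach (var t in toAdd) Console.WriteLine("  " + t);

        Console.WriteLine("Unresolvable entries (remove from <allowedTypes>; not present in this Sitecore version):");
        foreach (var t in toRemove) Console.WriteLine("  " + t);
    }
}
```

Pointing this at the Sitecore log files of each instance after the hotfix has been running for a while gives a de-duplicated list to compare against the types your own code actually places in session, which is a quicker and less error-prone basis for editing Sitecore.SessionSerialization.config than reading the raw log.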

  • After installing the hotfix, you may want to validate that the installation was successful.

    To check that the hotfix has been properly installed, verify that the following three files are present on each of your Sitecore instances.

    If all of the files are present, the hotfix has been successfully installed.

    • \Website\App_Config\Include\Sitecore.SessionSerialization.config
    • \Website\bin\Sitecore.SessionSerialization.dll
    • \Website\sitecore\service\Analytics\Session\PushSession.ashx

  • 11-Sep-19: a link to the Security Bulletins RSS Feed was added.
  • 20-Sep-19: the hotfix download link was updated. The hotfix itself was not changed.

Applies to:

CMS 7.5 - 8.2 Initial Release

October 17, 2016
September 20, 2019

Reference number:

128003

Keywords: 

  • Security Vulnerabilities