Security Bulletin SC2017-001-170504

  • We have found a critical security vulnerability (2017-001-170504). There is a hotfix available.

    We encourage all Sitecore customers and partners to read the information below, then apply the hotfix to all Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • To help customers and partners understand the severity of the potential security vulnerabilities, Sitecore uses the following definitions to categorize security issues:

  • Versions affected:

    Vulnerability 2017-001-170504 affects all supported versions of the Sitecore Web Experience Manager and Sitecore® Experience Platform™ 6.5–8.2, and the Sitecore xDB Cloud environment. Versions after 8.2 Update-4 are not affected, and do not require a hotfix.

    This vulnerability affects all of the Sitecore systems running these versions. This includes both CMS-only and xDB-enabled modes, single-instance, multi-instance environments, and all Sitecore server roles (Content Delivery, Content Management, Reporting, Processing, Publishing, and so on). It also impacts Sitecore-based intranet sites.

    With the exception of Sitecore CMS 6.5, a hotfix is available for all affected versions. Sitecore xDB Cloud environments have been patched.

    Due to technical limitations in providing a hotfix for Sitecore CMS 6.5, customers using that version are strongly encouraged to upgrade to Sitecore CMS 6.6, which is the earliest currently supported version of Sitecore.

  • Sitecore uses a third-party dependency, Telerik, for parts of its user interface. By default, these controls are enabled in all Sitecore environments. To reduce the attack surface area of your application, Sitecore strongly recommends that all customers remove the following configuration from any Sitecore servers except Content Management, which requires these controls.

    Follow these steps:

    1. Open the web.config file within your Sitecore web root.
    2. Remove the following lines from the web.config file:

       <add name="Telerik_Web_UI_DialogHandler_aspx" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.DialogHandler.aspx" type="Telerik.Web.UI.DialogHandler" />
       <add name="Telerik_Web_UI_SpellCheckHandler_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.SpellCheckHandler.axd" type="Telerik.Web.UI.SpellCheckHandler" />
       <add name="Telerik_Web_UI_WebResource_axd" verb="*" preCondition="integratedMode" path="Telerik.Web.UI.WebResource.axd" type="Telerik.Web.UI.WebResource" />

    3. Save and close the web.config file.

    To confirm that you have mitigated the issue in these environments, access the following URL for your site: http://<your_hostname_here>/Telerik.Web.UI.WebResource.axd

    If you receive an HTTP status code 200, the controls are still exposed and you must recheck your web.config file to ensure that the lines listed above have been removed.

    If you receive an HTTP status code 404, the controls are no longer exposed. This is the desired outcome.

  • Due to the technical limitations of providing a hotfix for Sitecore CMS 6.5, customers on that version are strongly encouraged to upgrade to a version of Sitecore for which a fix exists for this issue. Sitecore CMS 6.6 is the earliest version for which a hotfix is available.

    If upgrading is not possible, you must ensure that your attack surface is reduced by following the steps in the previous section for any Sitecore servers that are exposed to the internet.

    This will still leave your Content Management system at risk. However, the risk is reduced if the Content Management environment is not exposed to the internet.

  • Apply the following hotfix to your Content Management or Standalone server(s) to mitigate the vulnerability for Sitecore versions 6.6–8.2. Versions released after 8.2 Update-4 are not affected, and do not require this hotfix.

    1. Download the ZIP archive containing the hotfix (download only the hotfix specific to your Sitecore version):
    2. Back up the following files in your Sitecore website folder:
      • \bin\Telerik.Web.UI.dll
      • \bin\Telerik.Web.UI.Skins.dll
      • \bin\Telerik.Web.UI.xml
      • \sitecore\shell\Controls\Rich Text Editor\RTEfixes.js
    3. Extract the contents of the archive to the Sitecore website folder.
    4. Open the web.config file within your Sitecore website root folder.
    5. Add the following lines within the <appSettings> node:
      <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
      <add key="Telerik.Upload.ConfigurationHashKey" value="YOUR_ENCRYPTION_KEY_HERE" />
      <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
    6. Replace the placeholder text "YOUR_ENCRYPTION_KEY_HERE" with a string of characters that will be used to secure the capabilities of Telerik controls. The string should be a set of random characters and numbers, up to a length of 256 characters. We recommend a minimum of 32 characters to be used.
    7. Under the <assemblyBinding> node of the <runtime> section in the web.config file, add the following configuration, depending on your Sitecore version (the <assemblyIdentity> and <bindingRedirect> elements must sit inside a <dependentAssembly> element, as .NET assembly binding requires):
      • Sitecore 6.6
              <dependentAssembly>
                <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
                <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.35" />
              </dependentAssembly>
      • Sitecore 7.0–8.0
              <dependentAssembly>
                <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
                <bindingRedirect oldVersion="2012.2.607.35" newVersion="2014.1.403.45" />
              </dependentAssembly>
      • Sitecore 8.1–8.2
              <dependentAssembly>
                <assemblyIdentity name="Telerik.Web.UI" publicKeyToken="121fae78165ba3d4" />
                <bindingRedirect oldVersion="2015.1.401.45" newVersion="2017.2.621.45" />
              </dependentAssembly>
    8. Save and close the web.config file.
    9. Clear the browser cache.
    10. If you have a <machineKey> node under the <system.web> section in the web.config file, generate a new Machine Key. You can use the generator in the IIS Manager application:
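    The following script is an added example, not part of the bulletin or of Sitecore's tooling: it audits a web.config for the two checks described above, namely that the three Telerik handler registrations are gone on non-Content-Management roles, and that the three hotfix appSettings keys exist, no longer carry the placeholder, and meet the recommended 32-character minimum. It also maps the HTTP status of the verification URL to the bulletin's outcomes. The web.config samples are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Handler registrations the bulletin says to remove from every role except Content Management.
TELERIK_HANDLERS = {"Telerik_Web_UI_DialogHandler_aspx",
                    "Telerik_Web_UI_SpellCheckHandler_axd",
                    "Telerik_Web_UI_WebResource_axd"}
# appSettings keys the hotfix adds; the placeholder must be replaced with a random string.
TELERIK_KEYS = {"Telerik.AsyncUpload.ConfigurationEncryptionKey",
                "Telerik.Upload.ConfigurationHashKey",
                "Telerik.Web.UI.DialogParametersEncryptionKey"}
PLACEHOLDER = "YOUR_ENCRYPTION_KEY_HERE"
MIN_KEY_LEN = 32  # the bulletin's recommended minimum length

def audit_web_config(xml_text, content_management):
    """Return a list of findings for one web.config; an empty list means the checks pass."""
    root = ET.fromstring(xml_text)
    findings = []
    handlers = {a.get("name") for a in root.findall("./system.webServer/handlers/add")}
    if not content_management:
        # Non-CM roles (CD, Reporting, Processing, ...) should have no Telerik handlers at all.
        for name in sorted(handlers & TELERIK_HANDLERS):
            findings.append(f"handler still registered on a non-CM role: {name}")
        return findings
    # CM keeps the controls, so the hotfix keys must be present, replaced and long enough.
    settings = {a.get("key"): a.get("value", "") for a in root.findall("./appSettings/add")}
    for key in sorted(TELERIK_KEYS):
        value = settings.get(key)
        if value is None:
            findings.append(f"missing appSettings key: {key}")
        elif value == PLACEHOLDER:
            findings.append(f"placeholder value not replaced: {key}")
        elif len(value) < MIN_KEY_LEN:
            findings.append(f"key shorter than {MIN_KEY_LEN} characters: {key}")
    return findings

def interpret_probe(status):
    """Map the status of GET /Telerik.Web.UI.WebResource.axd to the bulletin's outcomes."""
    return {200: "exposed", 404: "removed"}.get(status, "inconclusive")

# Constructed sample: a Content Delivery web.config with one handler still present.
SAMPLE_CD = """<configuration><system.webServer><handlers>
  <add name="Telerik_Web_UI_WebResource_axd" verb="*" path="Telerik.Web.UI.WebResource.axd" />
</handlers></system.webServer></configuration>"""
# Constructed sample: a Content Management web.config with a placeholder left in and a key missing.
SAMPLE_CM = """<configuration><appSettings>
  <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="YOUR_ENCRYPTION_KEY_HERE" />
  <add key="Telerik.Upload.ConfigurationHashKey" value="k8Q2vLm4Zp9Rt1Xy6Wn3Bc5Hd7Jf0Gs2" />
</appSettings></configuration>"""
```

Run `audit_web_config(open("web.config").read(), content_management=True)` on a real file and treat any returned finding as a step that still needs doing.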
    • The hotfix for Sitecore XP 8.1–8.2 was updated on 18 July 2017. It now includes the RTEfixes.js file, which fixes some minor issues introduced by the updated assemblies. These issues do not affect the security of Telerik controls and are related to inserting and deleting hyperlinks in the Rich Text Editor fields. We recommend that you apply the newer version of the 8.1–8.2 hotfix to avoid these problems. The hotfixes for versions 6.6–8.0 were not updated and do not need to be re-applied.
    • The wording regarding affected versions was updated on 21 March 2018. The issue has been fixed in Sitecore XP versions released after 8.2 Update-4.
    • The wording regarding server roles was updated on 08 April 2019. The fix should be applied to Content Management or Standalone Sitecore servers.
    • Links to hotfix packages were updated on 06 June 2019. Hotfixes were not changed, there is no need to reinstall them.
    • A link to Security Bulletins RSS Feed was added on 11-Sep-19.
    • A typo in the hotfix link was corrected on 30-Sep-19.
    • Applies To field was updated on 28-Nov-19.
    • Links to Telerik UI security vulnerabilities CVE-2014-2217, CVE-2017-11317 and CVE-2019-18935 were added to References on 12-May-20. The issues were fixed in Telerik's public assemblies starting from 2017.2.711. Telerik provided fixes to Sitecore as custom updates for assembly versions that are compatible with Sitecore CMS/XP. This means that the assembly versions used in the current hotfix (and in Sitecore XP 8.2 Update-5 and later), although earlier than the versions mentioned in the Telerik article "Allows JavaScriptSerializer Deserialization", already include the solution for these issues, so they do not need to be updated.
    • Some broken links were fixed and missing CVE IDs added on 29-Sep-20.

Applies to:

CMS 6.5.0 Initial Release - 8.2 Update-4

CMS 8.2 Update-5

July 07, 2017
September 29, 2020


  • CMS,
  • Rich Text Editor,
  • Security Vulnerabilities