Security Bulletin SC2019-001-302938

Expand all | Collapse all

  • Description

    Collapse

    In this security bulletin we bring you information on new security-related developments at Sitecore.

    We are reporting a Critical vulnerability (SC2019-001-302938), for which there is a fix available.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • Severity Definitions

    Collapse

    To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues:
    https://kb.sitecore.net/articles/608800

  • Versions

    Collapse

    Versions affected

    Vulnerability SC2019-001-302938 affects all versions of Sitecore XP 8.2, all versions of XP 9.0, and Initial Release of XP 9.1.

    Vulnerability is applicable to all Sitecore systems running affected versions. This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.), which are exposed to the internet and have the pages under /sitecore/admin path accessible to Sitecore users.

    A hotfix/patch is available for all affected Sitecore XP versions.

    Versions not affected

    Sitecore CMS/XP versions 6.3—8.1 are not vulnerable.

    Sitecore xDB Cloud environments are not affected.

    The issue has been fixed in Sitecore XP 9.1 Update-1.

  • Solution

    Collapse

    Apply the following patch (compatible with all affected versions): Sitecore.Support.302938-9.0.1.1

    Note: see the readme.html file inside the archive for installation instructions.

  • Notes

    Collapse
    • Article update (29-May-19): the issue has been fixed in Sitecore XP 9.1 Update-1.
    • Article update (11-Sep-19): a link to Security Bulletins RSS Feed was added.
    • Article update (30-Sep-19): corrected a typo in the patch link.

Applies to:

CMS 8.2 Initial Release - 9.1 Initial Release

January 16, 2019
September 30, 2019

Reference number:

302938