Security Bulletin SC2019-002-312864

Permalink to this article

Expand all | Collapse all

Description

Expand Collapse

This article reports a Critical vulnerability (SC2019-002-312864) in Sitecore software, for which there is a fix available.

Critical vulnerability SC2019-002-312864 allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.

We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.

If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.
Severity Definitions

Expand Collapse

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: https://kb.sitecore.net/articles/608800
Versions

Expand Collapse

Versions affected

Vulnerability SC2019-002-312864 affects all versions of Sitecore CMS/XP starting from CMS 6.6 Update-3 and up to (and including) XP 8.2 Update-7.

Vulnerability is applicable to all Sitecore instances running affected versions.

This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.).

A hotfix is available for all supported Sitecore CMS/XP versions.

Versions not affected

Sitecore XP versions 9.0 and later are not affected by this vulnerability.

Sitecore xDB Cloud environments are not affected.
Solution

Expand Collapse
Apply the hotfix corresponding to your product version:
- Sitecore CMS 7.0: SC Hotfix 313001-1 AntiCsrf 1.0.0
- Sitecore CMS 7.1: SC Hotfix 313001-1 AntiCsrf 1.0.0
- Sitecore CMS 7.2: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
- Sitecore XP 7.5: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
- Sitecore XP 8.0: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
- Sitecore XP 8.1: SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
- Sitecore XP 8.2: SC Hotfix 313001-1 Security.AntiCsrf 1.1.1
Note: see the readme.txt file inside the archive for installation instructions.
To verify that the fix has been applied successfully, check the "Modified" property of the Sitecore.Security.AntiCsrf.dll file in the \bin folder of your website. The date should be February 2019.
Alternative workaround

Expand Collapse
If full solution cannot be applied right away, the following temporary workaround can be used on all affected Sitecore instances to secure them from the vulnerability.
To temporary address the vulnerability, deny access to the \Website\sitecore\shell folder on all Sitecore instances in all your Sitecore environments.
1. Go to your Sitecore web application in the Internet Information Services (IIS) Manager application.
2. Select \sitecore\shell folder.
3. Click the .NET Authorization Rules:
4. Click Add Deny Rule… in the Actions panel:
5. Select All users and OK:
Note: Upon implementing this workaround, content editing functionality will not be available in your Sitecore environments.

If content editing functionality cannot be temporary disabled, as an alternative, it is possible to configure IP-based security restrictions for \Website\sitecore\shell folder to block all access for external users and only allow access from trusted IP addresses which malicious actor is not able to use. For instructions on how to configure IP-based security restrictions, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.
History

Expand Collapse
- 11-Sep-19: a link to Security Bulletins RSS Feed was added.

Security Bulletin SC2019-002-312864

Description

Severity Definitions

Versions

Solution

Alternative workaround

History