Security Bulletin SC2019-002-312864

  • This article reports a Critical vulnerability (SC2019-002-312864) in Sitecore software, for which there is a fix available.

    Critical vulnerability SC2019-002-312864 allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.

    We encourage Sitecore customers and partners to familiarize themselves with the information below and apply the fix to all Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses the following definitions to report security issues: https://kb.sitecore.net/articles/608800

  • Versions affected

    Vulnerability SC2019-002-312864 affects all versions of Sitecore CMS/XP starting from CMS 6.6 Update-3 and up to (and including) XP 8.2 Update-7.

    Vulnerability is applicable to all Sitecore instances running affected versions.

    This includes CMS-only and xDB-enabled modes, single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (content delivery, content editing, reporting, processing, publishing, etc.).

    A hotfix is available for all supported Sitecore CMS/XP versions.

    Versions not affected

    Sitecore XP versions 9.0 and later are not affected by this vulnerability.

    Sitecore xDB Cloud environments are not affected.

  • Apply the hotfix corresponding to your product version:

    Note: see the readme.txt file inside the archive for installation instructions.

    To verify that the fix has been applied successfully, check the "Modified" property of the Sitecore.Security.AntiCsrf.dll file in the \bin folder of your website. The date should be February 2019.

  • If full solution cannot be applied right away, the following temporary workaround can be used on all affected Sitecore instances to secure them from the vulnerability.

    To temporary address the vulnerability, deny access to the \Website\sitecore\shell folder on all Sitecore instances in all your Sitecore environments.

    1. Go to your Sitecore web application in the Internet Information Services (IIS) Manager application.
    2. Select \sitecore\shell folder.
    3. Click the .NET Authorization Rules:

    4. Click Add Deny Ruleā€¦ in the Actions panel:
    5. Select All users and OK:

    Note: Upon implementing this workaround, content editing functionality will not be available in your Sitecore environments.

    If content editing functionality cannot be temporary disabled, as an alternative, it is possible to configure IP-based security restrictions for \Website\sitecore\shell folder to block all access for external users and only allow access from trusted IP addresses which malicious actor is not able to use. For instructions on how to configure IP-based security restrictions, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.

    • 11-Sep-19: a link to Security Bulletins RSS Feed was added.

Applies to:

CMS 6.6.0 Update-3 - 8.2 Update-7

March 01, 2019
September 11, 2019

Reference number:

312864