Security Bulletin SC2020-001-CS0180052

  • We are reporting a security issue (SC2020-001-CS0180052) relating to Microsoft Support Services that might impact your service with Sitecore and Microsoft. This issue is specific to an internal Microsoft Support database used for storing support case analytics and does not represent an exposure of Microsoft's commercial cloud services.

    Please note that Microsoft made a change to the database's network security group on December 05, 2019. The change contained misconfigured security rules that enabled exposure of the data. As a result, in some scenarios, data stored in the support case analytics database might not have been redacted by the automated tools used to remove personal information. For example, the data might have remained unredacted if the information was in a non-standard format, such as an email address separated with spaces instead of written in a standard format (for example, "XYZ @contoso com" vs "XYZ@contoso.com"). This could theoretically result in personally identifiable information being exposed.

    Upon notification of the issue, Microsoft engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. Although now remediated, we wanted to make Sitecore customers and partners aware of this potential issue.

    More detailed information is available on the Microsoft Security Response Center page.

    Sitecore is continuing to work with Microsoft to learn more about this issue and its impact. We will keep this article updated with additional information as it becomes available. No action is needed on your part.
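The redaction gap described above can be caught with a second pass that holds back any record still containing address-like residue. The following is an added example, not code from Sitecore or Microsoft; the patterns, placeholder, function names and sample lines are assumptions constructed for illustration.

```python
import re

# Assumed "standard format" matcher, standing in for an automated redactor.
# It is not the rule set of any real Microsoft tool.
STRICT_EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")

# Residue check: any "@" that still has a word-like token on both sides,
# allowing whitespace around it, is treated as a possible address.
RESIDUAL = re.compile(r"[A-Za-z0-9._%+-]+\s*@\s*[A-Za-z0-9-]+")

PLACEHOLDER = "[REDACTED_EMAIL]"


def redact(text: str) -> str:
    """Replace addresses written in the standard format."""
    return STRICT_EMAIL.sub(PLACEHOLDER, text)


def audit(lines):
    """Redact each line, then hold back lines that still look like they
    contain an address so they can be reviewed before storage."""
    clean, held = [], []
    for number, line in enumerate(lines, start=1):
        redacted = redact(line)
        hit = RESIDUAL.search(redacted)
        if hit:
            held.append((number, hit.group(0)))
        else:
            clean.append(redacted)
    return clean, held


# Constructed sample support-case notes (not real data).
SAMPLE = [
    "Customer contact: XYZ@contoso.com, case reopened",
    "Customer contact: XYZ @contoso com, case reopened",
    "Reply sent to XYZ@ contoso.com yesterday",
    "No contact details recorded",
]

if __name__ == "__main__":
    clean, held = audit(SAMPLE)
    for line in clean:
        print("store :", line)
    for number, fragment in held:
        print(f"review: line {number} has residue {fragment!r}")
```

Only the first and last sample lines pass straight through; the two spaced-out forms are untouched by the strict pattern and are flagged for review instead of being stored unredacted.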

Applies to:

CMS 6+

February 12, 2020

Keywords: 

  • Security Vulnerabilities