Security Advisory for cryptographic vulnerability CVE-2017-15883 for Sitefinity

Information

Article Number: 000085853
Environment:
Product: Sitefinity
Version: 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, 10.x
OS: All supported OS versions
Database: All supported database server versions
Question/Problem Description

A security vulnerability was identified in Sitefinity CMS.

Vulnerability type: Weak cryptography in Sitefinity (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15883)
Vulnerability impact: An exploit may lead to:
- denial of service on load balanced sites
- elevation of backend user privileges on all sites
Areas affected by the vulnerability:
- Only temporary (data in transit) messages may be affected.
NOTE: No persistent data (data at rest) is affected. Encrypted/hashed data stored in the site is not affected.

We have investigated and addressed the issue and strongly recommend you follow one of the steps below to ensure the safety and security of your web sites.
Resolution
For optimal security, at a minimum, upgrade to Sitefinity 10.2 Hotfix 1 (build number 10.2.6601). This hotfix is cumulative and contains the security fixes from all previous versions. 

If you are not able to upgrade to Sitefinity 10.2 Hotfix 1, upgrade to the latest hotfix or internal build for your Sitefinity version according to the table below:

Sitefinity version | Hotfix version           | Internal build
10.1               | Hotfix 4 - 10.1.6504.0   | 10.1.6532.0
10.0               | Hotfix 5 - 10.0.6413.0   | 10.0.6425.0
9.2                | Hotfix 4 - 9.2.6250.0    | 9.2.6251.0
9.1                | Hotfix 4 - 9.1.6160.0    | 9.1.6161.0
9.0                | Hotfix 4 - 9.0.6040.0    | 9.0.6041.0
8.2                | Hotfix 3 - 8.2.5950.0    | 8.2.5951.0
8.1                | Hotfix 4 - 8.1.5840.0    | 8.1.5841.0
8.0                | Hotfix 4 - 8.0.5760.0    | 8.0.5761.0
7.3                | Hotfix 5 - 7.3.5680.0    | 7.3.5681.0
7.2                | Hotfix 4 - 7.2.5340.0    | 7.2.5341.0
7.1                | Hotfix 2 - 7.1.5230.0    | 7.1.5231.0
7.0                | Hotfix 2 - 7.0.5130.0    | 7.0.5131.0
6.3                | Hotfix 2 - 6.3.5040.0    | 6.3.5041.0
6.2                | Hotfix 2 - 6.2.4920.0    | Not available
6.1                | Hotfix 1 - 6.1.4710.0    | Not available
6.0                | Hotfix 2 - 6.0.4220.0    | Not available
5.4                | Hotfix 4 - 5.4.4050.0    | Not available
5.3                | Hotfix 2 - 5.3.3930.0    | Not available
5.2                | Hotfix 1 - 5.2.3810.0    | Not available
5.1                | Hotfix 1 - 5.1.3460.0    | Not available

For more information on how to upgrade to the hotfix, refer to this Knowledge Base article: How to update Sitefinity to hotfix, internal build or a patch

Note: If you applied the appropriate hotfix on Sitefinity version 9.2 or lower WITHOUT using NuGet packages before the 19th of December 2017, you must also reapply a previous security fix using the steps in the following Knowledge Base article: Resolving Security Vulnerability CVE-2014-2217, CVE-2017-11317, CVE-2017-11357, CVE-2017-9248. This ensures you have all fixes installed for known security vulnerabilities. Refer to the Notes section below for a way to check whether reapplying the patch is needed.
Notes
Erlend Leiknes, Security Consultant at mnemonic AS, identified and disclosed the vulnerability: CVE-2017-15883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15883

For Sitefinity 9.2 and below, you can check whether the applied patch is cumulative by inspecting the Date Modified attribute of the Telerik.Sitefinity.dll file in the bin folder of the project:
1. Navigate to the bin folder
2. Locate the Telerik.Sitefinity.dll file
3. Right-click on the file and click on Properties
4. Navigate to the Details tab
5. Confirm that the Date modified is on, or after, the 13th of December 2017 (the fix for Sitefinity 10.x was released earlier and, as a result, has an earlier date than 12/13/2017)
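The following PowerShell script is an added example, not code from the Progress article or the Sitefinity product; it automates the manual check above and additionally compares the DLL's file version with the minimum hotfix builds listed in the Resolution table. It assumes (the article does not state this) that the file version embedded in Telerik.Sitefinity.dll uses the same Major.Minor.Build.Revision numbering as the hotfix builds in the table, and that the caller supplies the path to the project's bin folder.

```powershell
# Added example (not from the KB article): checks Telerik.Sitefinity.dll against
# the minimum hotfix builds from the CVE-2017-15883 advisory table and, for
# Sitefinity 9.2 and below, against the 13 Dec 2017 "Date modified" threshold
# given in the Notes section.
#
# Assumption: the DLL's FileVersion matches the table's build numbering
# (e.g. 10.1.6504.0). Verify against your own environment before relying on it.

# Minimum hotfix build per Sitefinity release, transcribed from the advisory.
# 10.2 Hotfix 1 is listed as build 10.2.6601; a trailing .0 is added for comparison.
$MinimumHotfixBuild = @{
    '10.2' = [version]'10.2.6601.0'
    '10.1' = [version]'10.1.6504.0'
    '10.0' = [version]'10.0.6413.0'
    '9.2'  = [version]'9.2.6250.0'
    '9.1'  = [version]'9.1.6160.0'
    '9.0'  = [version]'9.0.6040.0'
    '8.2'  = [version]'8.2.5950.0'
    '8.1'  = [version]'8.1.5840.0'
    '8.0'  = [version]'8.0.5760.0'
    '7.3'  = [version]'7.3.5680.0'
    '7.2'  = [version]'7.2.5340.0'
    '7.1'  = [version]'7.1.5230.0'
    '7.0'  = [version]'7.0.5130.0'
    '6.3'  = [version]'6.3.5040.0'
    '6.2'  = [version]'6.2.4920.0'
    '6.1'  = [version]'6.1.4710.0'
    '6.0'  = [version]'6.0.4220.0'
    '5.4'  = [version]'5.4.4050.0'
    '5.3'  = [version]'5.3.3930.0'
    '5.2'  = [version]'5.2.3810.0'
    '5.1'  = [version]'5.1.3460.0'
}

# Date on or after which a 9.2-or-lower Telerik.Sitefinity.dll carries the cumulative fix.
$CumulativeFixDate = [datetime]'2017-12-13'

function Test-SitefinityHotfix {
    param(
        [Parameter(Mandatory = $true)]
        [string]$BinPath   # e.g. 'C:\inetpub\wwwroot\MySite\bin' (placeholder path)
    )

    $dllPath = Join-Path $BinPath 'Telerik.Sitefinity.dll'
    if (-not (Test-Path -Path $dllPath)) {
        throw "Telerik.Sitefinity.dll not found in '$BinPath'"
    }

    $item = Get-Item -Path $dllPath
    $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($dllPath)

    # Keep only the leading numeric part of FileVersion in case it carries a suffix.
    $fileVersion = [version]($info.FileVersion -replace '[^\d.].*$', '')
    $release     = '{0}.{1}' -f $fileVersion.Major, $fileVersion.Minor
    $minimum     = $MinimumHotfixBuild[$release]

    # Build check: compare the installed version with the table's minimum for this release.
    $meetsMinimum = if ($null -ne $minimum) { $fileVersion -ge $minimum } else { $null }

    # Date check applies only to 9.2 and below, per the advisory's Notes section.
    $dateCheckApplies = $fileVersion -lt [version]'9.3'
    $dateCheckPassed  = $item.LastWriteTime.Date -ge $CumulativeFixDate

    [pscustomobject]@{
        Dll              = $dllPath
        FileVersion      = $fileVersion
        Release          = $release
        MinimumBuild     = $minimum          # $null if the release is not in the table
        MeetsMinimum     = $meetsMinimum
        LastWriteTime    = $item.LastWriteTime
        DateCheckApplies = $dateCheckApplies
        DateCheckPassed  = $dateCheckPassed
        # Patched only if the build is at or above the table minimum and, where the
        # date check applies, the file date is on or after 13 Dec 2017.
        Patched          = ($meetsMinimum -eq $true) -and
                           (-not $dateCheckApplies -or $dateCheckPassed)
    }
}

# Usage (placeholder path): Test-SitefinityHotfix -BinPath 'C:\inetpub\wwwroot\MySite\bin' | Format-List
```

A `Patched` value of `$false` with `MeetsMinimum` set to `$false` means the hotfix from the table has not been applied; `MeetsMinimum` true but `DateCheckPassed` false on a 9.2-or-lower site is the case the Note in the Resolution section describes, where the earlier security fix must be reapplied. A `$null` `MinimumBuild` means the release is not covered by the table and should be reviewed manually.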

[Screenshot: Date modified field]

Last Modified Date: 2/27/2018 2:09 PM