Security Advisory for cryptographic vulnerability CVE-2017-15883 for Sitefinity


Information

Title: Security Advisory for cryptographic vulnerability CVE-2017-15883 for Sitefinity
URL Name: Sitefinity-Security-Advisory-for-cryptographic-vulnerability-CVE-2017-15883
Article Number: 000116119
Environment:
  Product: Sitefinity
  Version: 5.1, 5.2, 5.3, 5.4, 6.x, 7.x, 8.x, 9.x, 10.x
  OS: All supported OS versions
  Database: All supported database server versions
Question/Problem Description

A security vulnerability was identified in Sitefinity CMS.

Vulnerability type: Weak cryptography in Sitefinity (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15883)
Vulnerability impact: An exploit may lead to:
- denial of service on load-balanced sites
- elevation of backend user privileges on all sites
Areas affected by the vulnerability:
- Only temporary (data in transit) messages may be affected.
NOTE: No persistent data (data at rest) is affected. Encrypted/hashed data stored in the site is not affected.

We have investigated and addressed the issue and strongly recommend you follow one of the steps below to ensure the safety and security of your web sites.
Resolution
For optimal security, upgrade to at least Sitefinity 10.2 Hotfix 1 (build number 10.2.6601). This hotfix is cumulative and contains the security fixes from all previous versions.

If you are not able to upgrade to Sitefinity 10.2 Hotfix 1, upgrade to the latest hotfix or internal build for your Sitefinity version, whichever is higher, according to the table below:
Sitefinity version   Hotfix version              Internal build
10.1                 Hotfix 4 - 10.1.6504.0      10.1.6532.0
10.0                 Hotfix 5 - 10.0.6413.0      10.0.6425.0
9.2                  Hotfix 4 - 9.2.6250.0       9.2.6251.0
9.1                  Hotfix 4 - 9.1.6160.0       9.1.6161.0
9.0                  Hotfix 4 - 9.0.6040.0       9.0.6041.0
8.2                  Hotfix 3 - 8.2.5950.0       8.2.5951.0
8.1                  Hotfix 4 - 8.1.5840.0       8.1.5841.0
8.0                  Hotfix 4 - 8.0.5760.0       8.0.5761.0
7.3                  Hotfix 5 - 7.3.5680.0       7.3.5681.0
7.2                  Hotfix 4 - 7.2.5340.0       7.2.5341.0
7.1                  Hotfix 2 - 7.1.5230.0       7.1.5231.0
7.0                  Hotfix 2 - 7.0.5130.0       7.0.5131.0
6.3                  Hotfix 2 - 6.3.5040.0       6.3.5041.0
6.2                  Hotfix 2 - 6.2.4920.0       Not available
6.1                  Hotfix 1 - 6.1.4710.0       Not available
6.0                  Hotfix 2 - 6.0.4220.0       Not available
5.4                  Hotfix 4 - 5.4.4050.0       Not available
5.3                  Hotfix 2 - 5.3.3930.0       Not available
5.2                  Hotfix 1 - 5.2.3810.0       Not available
5.1                  Hotfix 1 - 5.1.3460.0       Not available

For more information on how to upgrade to the hotfix, refer to this Knowledge Base article: How to update Sitefinity to hotfix, internal build or a patch

Note: If you applied the appropriate hotfix to Sitefinity version 9.2 or lower WITHOUT using NuGet packages before 19 December 2017, you must also reapply a previous security fix using the steps in the following Knowledge Base article: Resolving Security Vulnerability CVE-2014-2217, CVE-2017-11317, CVE-2017-11357, CVE-2017-9248. This ensures you have the fixes for all known security vulnerabilities installed. Refer to the Notes section below for a way to check whether reapplying the patch is needed.
Notes
Erlend Leiknes, Security Consultant at mnemonic AS, identified and disclosed the vulnerability: CVE-2017-15883 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15883

For Sitefinity 9.2 and below, you can check whether the applied patch is cumulative by inspecting the Date modified attribute of the Telerik.Sitefinity.dll file in the bin folder of the project:
1. Navigate to the bin folder.
2. Locate the Telerik.Sitefinity.dll file.
3. Right-click the file and click Properties.
4. Navigate to the Details tab.
5. Confirm that the Date modified is on or after 13 December 2017 (the fix for Sitefinity 10.x was released earlier and as a result carries a date before 12/13/2017).

(Screenshot: Date modified field in the file Properties dialog)
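The following PowerShell script is an added example, not code from Progress or from this article, that automates the two checks described above: it reads the build number of bin\Telerik.Sitefinity.dll, compares it against the minimum fixed build for that version branch from the table in the Resolution section, and for 9.2 and below applies the 13 December 2017 Date modified check from the Notes. It assumes that the assembly version of Telerik.Sitefinity.dll equals the hotfix or internal build number (for example 10.1.6504.0), that it is run from the web project root (or given -BinPath), and that the file timestamp was not reset by a copy or deployment step; a 10.2 entry of 10.2.6601.0 is included from the Resolution text.

```powershell
<#
  Added example (not Progress-supplied code): audits bin\Telerik.Sitefinity.dll against
  the minimum fixed builds listed in this advisory and, for 9.2 and below, applies the
  13 December 2017 "Date modified" check from the Notes section.
  Assumptions: the assembly version equals the hotfix/internal build number, and the
  file's LastWriteTime was preserved by whatever deployed it.
#>
param(
    # Path to the web project's bin folder; default assumes the script runs from the project root.
    [string]$BinPath = '.\bin'
)

# Minimum fixed build per Sitefinity version branch, transcribed from this advisory.
$MinFixedBuild = @{
    '10.2' = '10.2.6601.0'
    '10.1' = '10.1.6504.0'
    '10.0' = '10.0.6413.0'
    '9.2'  = '9.2.6250.0'
    '9.1'  = '9.1.6160.0'
    '9.0'  = '9.0.6040.0'
    '8.2'  = '8.2.5950.0'
    '8.1'  = '8.1.5840.0'
    '8.0'  = '8.0.5760.0'
    '7.3'  = '7.3.5680.0'
    '7.2'  = '7.2.5340.0'
    '7.1'  = '7.1.5230.0'
    '7.0'  = '7.0.5130.0'
    '6.3'  = '6.3.5040.0'
    '6.2'  = '6.2.4920.0'
    '6.1'  = '6.1.4710.0'
    '6.0'  = '6.0.4220.0'
    '5.4'  = '5.4.4050.0'
    '5.3'  = '5.3.3930.0'
    '5.2'  = '5.2.3810.0'
    '5.1'  = '5.1.3460.0'
}

# Per the Notes: on 9.2 and below, a patched DLL dated before this may lack the earlier security fixes.
$LegacyPatchCutoff = [datetime]'2017-12-13'

$dllPath = Join-Path $BinPath 'Telerik.Sitefinity.dll'
if (-not (Test-Path -LiteralPath $dllPath)) {
    throw "Telerik.Sitefinity.dll not found under '$BinPath'. Run from the web project root or pass -BinPath."
}

$file = Get-Item -LiteralPath $dllPath
# GetAssemblyName reads the version from the PE metadata without loading the assembly into this process.
$installed = [System.Reflection.AssemblyName]::GetAssemblyName($file.FullName).Version
$branch    = '{0}.{1}' -f $installed.Major, $installed.Minor

$minimum = $null
if (-not $MinFixedBuild.ContainsKey($branch)) {
    $status = "Sitefinity $branch is not covered by this advisory's table; check current vendor guidance."
} else {
    $minimum = [version]$MinFixedBuild[$branch]
    if ($installed -lt $minimum) {
        $status = "VULNERABLE: build $installed is below the fixed build $minimum for the $branch branch. Upgrade."
    } else {
        $status = "Fixed build present: $installed is at or above $minimum."
    }
}

# Secondary check: an up-to-date build on 9.2 or below with an old timestamp still needs the earlier fix reapplied.
$needsReapply = $false
if ($minimum -and ($installed -ge $minimum) -and ([version]$branch -le [version]'9.2') -and ($file.LastWriteTime -lt $LegacyPatchCutoff)) {
    $needsReapply = $true
    $status += " Date modified $($file.LastWriteTime.ToString('yyyy-MM-dd')) is before 2017-12-13: reapply the earlier security fix (CVE-2014-2217, CVE-2017-11317, CVE-2017-11357, CVE-2017-9248) as described in the Note."
}

$minimumText = if ($minimum) { $minimum.ToString() } else { 'n/a' }

[pscustomobject]@{
    File               = $file.FullName
    InstalledBuild     = $installed.ToString()
    MinimumFixedBuild  = $minimumText
    DateModified       = $file.LastWriteTime
    NeedsLegacyReapply = $needsReapply
    Status             = $status
}
```

Run it from the web project root (or with -BinPath pointing at the deployed bin folder) on each node of a load-balanced deployment, since the denial-of-service impact listed above concerns exactly those sites and a single unpatched node is enough. The timestamp check is only a heuristic borrowed from the Notes; when a deployment pipeline rewrites file times, rely on the build number comparison and the NuGet/hotfix history instead.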
Last Modified Date: 2/27/2018 2:09 PM
Disclaimer The origins of the information on this site may be internal or external to Progress Software Corporation (“Progress”). Progress Software Corporation makes all reasonable efforts to verify this information. However, the information provided is for your information only. Progress Software Corporation makes no explicit or implied claims to the validity of this information.

Any sample code provided on this site is not supported under any Progress support program or service. The sample code is provided on an "AS IS" basis. Progress makes no warranties, express or implied, and disclaims all implied warranties including, without limitation, the implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample code is borne by the user. In no event shall Progress, its employees, or anyone else involved in the creation, production, or delivery of the code be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample code, even if Progress has been advised of the possibility of such damages.