support.sitecore.com (148.139.4.131)

Submitted URL: https://sitecoresupportnotifications.sitecoresend.io/tracking/lc/f156bb69-52e8-474c-bc48-1958f3b58fe7/56117e51-1d58-408d-a7fa-bfcb4edfb883/7bb3ff63-c...
Effective URL: https://support.sitecore.com/kb?id=kb_article_view&sysparm_article=KB1002979
Submission Tags: falconsandbox
Submission: On May 05 via api from US — Scanned from NL



Security Bulletin SC2023-002-576660


DESCRIPTION

This article reports a Critical vulnerability (SC2023-002-576660) in Sitecore
software for which there is a solution available.

This issue is a remote code execution vulnerability.

We encourage Sitecore customers and partners to familiarize themselves with the
information that follows and apply the Solution to all affected Sitecore
instances. We also recommend that customers maintain their environments in
security-supported versions and apply all available security fixes without
delay.

The vulnerability impacts the following Sitecore products:

 * Experience Manager (XM): Impacted*
 * Experience Platform (XP): Impacted*
 * Experience Commerce (XC): Impacted*
 * Managed Cloud: Impacted**
 * XM Cloud: Not impacted
 * Content Hub: Not impacted
 * CDP and Personalize (formerly Boxever): Not impacted
 * OrderCloud (formerly Four51 OrderCloud): Not impacted
 * Storefront (formerly Four51 Storefront): Not impacted
 * Moosend: Not impacted
 * Send: Not impacted
 * Discover (formerly Reflektion): Not impacted
 * Commerce Server: Not impacted

* The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from
9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted.
** Managed Cloud customers who run the affected Experience Platform versions are
affected.

This Security Bulletin might receive additional updates as further details are
discovered, and the History Of Updates section will provide a detailed list of
all the changes.

If you want to receive notifications about new Security Bulletins, subscribe to
the Security Bulletins.


SEVERITY DEFINITIONS

To help customers and partners understand the severity of the potential security
vulnerabilities, Sitecore uses the definitions from the Severity Definitions for
Security Vulnerabilities to report security issues.


SOLUTION

To mitigate the vulnerability, it is recommended that you apply the fixes to the
affected Sitecore systems depending on your deployment. Note that the fixes
cover both 568150 and 576660 issues. Follow the installation instructions from
the readme file (when available).

 * For on-prem and PaaS:
   
   * For 9.0 Initial Release: SC Hotfix 576689-1 for 9.0.0.zip
   * For 9.0 Update-1: SC Hotfix 576689-1 for 9.0.1.zip
   * For 9.0 Update-2: SC Hotfix 576689-1 for 9.0.2.zip
   * For 9.1 Initial Release: SC Hotfix 576689-1 for 9.1.0.zip
   * For 9.1 Update-1: SC Hotfix 576689-1 for 9.1.1.zip
   * For 9.2 Initial Release: SC Hotfix 576689-1 for 9.2.0.zip
   * For 9.3 Initial Release: SC Hotfix 576689-1 for 9.3.0.zip
   * For 10.0 Initial Release: SC Hotfix 576689-1 for 10.0.0.zip
   * For 10.0 Update-1: SC Hotfix 576689-1 for 10.0.1.zip
   * For 10.0 Update-2: SC Hotfix 576689-1 for 10.0.2.zip
   * For 10.0 Update-3: SC Hotfix 576689-1 for 10.0.3.zip
   * For 10.1, download and install the corresponding cumulative hotfix
     available in KB1001300
   * For 10.2, download and install the corresponding cumulative hotfix
     available in KB1001439
   * For 10.3, download and install the corresponding cumulative hotfix
     available in KB1002844
     
     
 * For containers:
   * For 10.1, 10.2 and 10.3 running in a containerized environment, the
     cumulative hotfix should be applied according to guidance from the linked
     Cumulative hotfix articles.
   * For 10.0 running in a containerized environment, download and install the
     following container-specific hotfix packages:
     * For 10.0 Initial Release: SC Hotfix 576689-1 container for 10.0.0.zip
     * For 10.0 Update-1: SC Hotfix 576689-1 container for 10.0.1.zip
     * For 10.0 Update-2: SC Hotfix 576689-1 container for 10.0.2.zip
     * For 10.0 Update-3: SC Hotfix 576689-1 container for 10.0.3.zip

Note that the hotfix must be installed on a CM instance and then synced with
other instances using standard development practices. For pre-releases, follow
the guidelines from Sitecore official documentation and the related KB articles.

 

Use the hotfixes above to resolve the issue completely. For the partial
resolution of the issue, apply the patch that follows. The patch fixes only the
known attack vector. The patch can be used for all impacted product versions:

 1. Download and unpack the Sitecore.Support.576660.zip archive.
 2. Place the Sitecore.Support.576660.dll to the \bin folder.
 3. Place the Sitecore.Support.576660.config to the \App_Config\Include\zzz
    folder.

Important note: The patch logs attack cases, if any. Messages similar to the
following can be found in Sitecore logs if the patch blocks the request:

{line} hh:mm:ss WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: {attack vector URL}

To disable attack logging, change <disableLog> to "true" inside the
Sitecore.Support.576660.config patch file:

<disableLog>true</disableLog>
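The WARN line above is the only signal the partial patch gives that it blocked a request, so it is worth collecting rather than just leaving in the log folder. The following PowerShell script is an added example and not part of the Sitecore article or its patch: it parses lines in the documented format and summarizes blocked requests per URL. The log lines embedded in it are constructed samples with placeholder URLs, the leading field is assumed to be the thread id that Sitecore writes in place of `{line}`, and the log folder path in the comment is a placeholder to adjust for your installation.

```powershell
# Added example (not Sitecore's code): summarize the WARN entries written by the
# Sitecore.Support.576660 patch when it blocks a request.
# Constructed sample log lines in the format documented in the article; the
# URLs are placeholders, not real requests.
$sampleLog = @'
4828 09:14:02 INFO  HttpModule is being initialized
4828 09:14:03 WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: https://cm.example.invalid/placeholder-request-a
4828 09:14:09 INFO  Job started: Index_Update_IndexName=sitecore_master_index
6112 09:15:47 WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: https://cm.example.invalid/placeholder-request-a
6112 09:16:01 WARN  Sitecore.Support.576660: Request processing stopped due to forbidden input. URL: https://cm.example.invalid/placeholder-request-b
'@

# Assumption: the first field is the thread id Sitecore writes where the
# article shows {line}; the rest follows the documented message exactly.
$pattern = '^(?<thread>\S+) (?<time>\d{2}:\d{2}:\d{2}) WARN\s+Sitecore\.Support\.576660: Request processing stopped due to forbidden input\. URL: (?<url>\S+)'

function Get-BlockedRequests {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = $Matches.time
                Thread = $Matches.thread
                Url    = $Matches.url
            }
        }
    }
}

# Parse the constructed sample. For a real instance, read the daily log files
# instead, e.g. (placeholder path):
#   $lines = Get-ChildItem 'C:\inetpub\wwwroot\<site>\App_Data\logs\log.*.txt' | Get-Content
$events = Get-BlockedRequests -Lines ($sampleLog -split '\r?\n')

# One row per blocked URL: how often it was blocked and when it was first seen,
# which is what an incident responder wants to scope follow-up with.
$events |
    Group-Object -Property Url |
    Select-Object -Property Count, @{ Name = 'Url'; Expression = { $_.Name } },
        @{ Name = 'FirstSeen'; Expression = { ($_.Group.Time | Sort-Object)[0] } } |
    Sort-Object -Property Count -Descending |
    Format-Table -AutoSize
```

Because the patch only blocks the known vector, a non-empty result means an instance is being probed and should be prioritized for the full hotfix; an empty result is not evidence that the instance is safe.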

To avoid vulnerability impact, Sitecore strongly recommends applying hotfixes
rather than installing the patch.


VALIDATION

To verify that the fix has been applied successfully, compare the SHA256 hash of
the files in the \bin folder of your website with the hash values of the files
in the \bin folder of the applied fix. You can compare hash values manually or
using some software tool, like WinMerge.

The SHA256 hash of the assembly can be generated using Windows PowerShell
command Get-FileHash, for example, using the script sample below. Note that the
following script sample is provided as a starting point only and can vary
depending on your needs.

Get-FileHash -Path "path to bin folder\*.dll" -Algorithm SHA256 | Select-Object @{Name='Name';Expression={[System.IO.Path]::GetFileName($_.Path)}}, Hash
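The one-liner above lists hashes but leaves the comparison to the reader. The script below is an added example, not Sitecore's own validation tooling: it hashes every file in the unpacked hotfix's \bin folder, looks up the same file in the website's \bin folder, and reports OK, MISMATCH or MISSING per file, exiting non-zero if anything differs so it can run as a post-deployment check. Both folder paths are placeholders.

```powershell
# Added example (not Sitecore's code): verify that the website \bin contains
# exactly the files shipped in the hotfix \bin, by SHA256.
# Both paths are placeholders; point them at the unpacked hotfix and the site.
param(
    [string]$HotfixBin = 'C:\hotfixes\SC Hotfix 576689-1\bin',  # placeholder
    [string]$SiteBin   = 'C:\inetpub\wwwroot\<site>\bin'         # placeholder
)

# Expected hashes, keyed by file name, taken from the hotfix package itself.
$expected = @{}
Get-ChildItem -LiteralPath $HotfixBin -File | ForEach-Object {
    $expected[$_.Name] = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
}

# Compare each hotfix file against the deployed copy. -LiteralPath avoids
# wildcard interpretation of file names containing brackets.
$report = foreach ($name in ($expected.Keys | Sort-Object)) {
    $deployed = Join-Path -Path $SiteBin -ChildPath $name
    if (-not (Test-Path -LiteralPath $deployed)) {
        $status = 'MISSING'
        $actual = ''
    } else {
        $actual = (Get-FileHash -LiteralPath $deployed -Algorithm SHA256).Hash
        $status = if ($actual -eq $expected[$name]) { 'OK' } else { 'MISMATCH' }
    }
    [pscustomobject]@{
        Name     = $name
        Status   = $status
        Expected = $expected[$name]
        Actual   = $actual
    }
}

$report | Format-Table -Property Name, Status -AutoSize

# Fail the run when any shipped file is absent or differs, so the check can
# gate a deployment pipeline rather than rely on someone reading the table.
if ($report | Where-Object { $_.Status -ne 'OK' }) {
    Write-Warning 'Hotfix files missing or modified in the website bin folder.'
    exit 1
}
```

Run it once per instance after the hotfix is synced from the CM instance, since the Solution section notes that the hotfix is installed on CM and then propagated to the other roles.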


FAQ

Does the issue affect all Sitecore XP Core server roles (Content Delivery,
Content Management, Reporting, Processing, EXM Dispatch)?
Yes, the issue impacts all Sitecore XP Core server roles. Apply the solution
above to each role.

 

If we use Azure Marketplace to install the instance soon, for example 10.3, will
it include the hotfix mentioned above or will we still need to apply it
manually? Are hotfixes automatically rolled in the Azure Marketplace?
No, hotfixes aren't automatically rolled into the Azure Marketplace. Azure
Marketplace supports the same versions that have been released at
dev.sitecore.net. If the issue has not been fixed in the released versions,
apply the above solution to your instance.

 

Can I install an isolated hotfix for the current issue only?
There is no isolated hotfix for the issue. All the fixes are always merged into
a single cumulative hotfix. By applying the latest cumulative hotfix you ensure
you do not lose any fixes that have been installed previously. To understand
which fixes have been included in the cumulative hotfix, see the release notes
inside the package. For example, for 10.3, see the "Sitecore 10.3.x rev. xxxxxx
PRE/Documentation/Sitecore.Platform.Releasenotes 10.3.x rev. xxxxxx PRE.md"
file.

 

What can I do if the fix is shown as infected by malware?
This is a known false-positive issue in Microsoft SharePoint. Contact Sitecore
Support to resolve the issue.

 

How can I fix the issue for 8.2?
For 8.2.7 and earlier versions you can apply the Sitecore.Support.576660 patch
from the Solution section. Considering that 8.2.7 and earlier versions have
entered the Sustaining Support phase and Sitecore does not provide hotfix
packages for them, Sitecore recommends upgrading to a later version and applying
the corresponding hotfix.

 

Is it possible to provide more information regarding the vulnerability?
No, it is not possible due to security reasons. In particular, this might lead
to scenario disclosure and cause a severe impact on the customers.



Does the removal of sitecore_xaml.ashx handler from web.config and
sitecore.config on CD instances mitigate the security issue?
No, these steps are not sufficient to mitigate the vulnerability. The cumulative
hotfix from the Solution section must also be installed.

 

Does the vulnerability impact Managed Cloud subscriptions?
The vulnerability impacts both Managed Cloud Standard and Managed Cloud Premium
subscriptions. Apply the solution above to mitigate the vulnerability.

 


HISTORY OF UPDATES

 * 18-Apr-2023: The article was created.
 * 19-Apr-2023: Added the Validation section. Added questions in the FAQ section
   about hotfixes availability in the Azure Marketplace, specific fix for the
   issue, false-positive message in Microsoft SharePoint, and solutions for 8.2.
   Made a minor change in styling.
 * 20-Apr-2023: Added an alternative in the Solution section; added the
   questions in the FAQ section about the possibility to add more details
   regarding the vulnerability in the article, and about the removal of
   sitecore_xaml.ashx.
 * 21-Apr-2023: Added the question about Managed Cloud impact in the FAQ
   section; added a note on hotfix deploying in the Solution section.
 * 25-Apr-2023: Changed the link to the alternative patch in the Solution
   section; added a note about logging and disabling it.

Affected Software:
Experience Platform
Applies To:
9.0 rev. 171002 (Initial Release) +
Reference Number:
576660
Publication Date:
April 18, 2023
Last Updated:
May 2, 2023


© Copyright 2023, Sitecore. All Rights Reserved.