Sitecore security updates details
Sitecore Security Bulletin SC2016-003-136430
Issue Details: Unable to install Sitecore Experience Accelerator
Affected Sitecore Version: Sitecore 7.0 - 8.2
Action: Install Sitecore Powershell Extension 5.1
Impact of this issue: No impact on other Sitecore modules or on any functionality if the Sitecore PowerShell Extensions are installed.
What will happen if we didn’t apply this patch: Sitecore Experience Accelerator depends on the Sitecore PowerShell Extensions, so if you want to use SXA, installing them is mandatory.
Any workaround available?: No
---------------------------------------------------------------------------------------------------------------
Security Bulletin SC2016-001-128003
Issue Details: If you are running a clustered environment (multiple Content Delivery instance groups in multiple locations) and have extended the session state to include custom object types, you will need to include the list of other Sitecore-defined types within the whitelist.
Affected Sitecore Version: Sitecore 7.5—8.2
Action: Install Hotfix and update serialization config
Impact of the issue: The vulnerability has been fixed in Sitecore XP 8.2 Update-1. Sitecore xDB Cloud environments are not affected, as the appropriate fix has already been implemented there.
What will happen if we didn’t apply this patch: In Sitecore 8.2 Update 1, a list of allowed serializable types is included out of the box. You can find the list in the configuration file Sitecore.Analytics.SessionSerialization.config.
Note that the security patch SC2016-001-128003 had the allowed types configured in the configuration file Sitecore.SessionSerialization.config instead (without the Analytics suffix). So if you upgrade your instance to 8.2 Update 1 from an earlier version with the patch applied, you will need to make sure the following files are removed from your solution:
\App_Config\Include\Sitecore.SessionSerialization.config
\bin\Sitecore.SessionSerialization.dll
and that the following file is updated with the 8.2u1 version:
\sitecore\service\Analytics\Session\PushSession.ashx
If you do not extend the whitelist to include your custom session state types, you may receive an HTTP status error of 400 (Bad Request) and an entry in the Sitecore log in the following format:
WARN Binding for type MyCustomType from assembly MyCustomAssembly is not allowed.
This message indicates that you have a type that is not currently in the <allowedTypes> node.
To remedy this issue, add your custom type to the <allowedTypes> node, following the convention of the other types defined in Sitecore.SessionSerialization.config.
If you are not running a clustered environment, you do not need to extend the whitelist. This applies even when including custom object types in the session state or using Sitecore modules.
Any workaround available?: No
---------------------------------------------------------------------------------------------------------------
Security Bulletin SC2016-002-136135
Issue Details: Sitecore Icon paths generated begin with "/~/icon/" rather than "/temp/IconCache".
Affected Sitecore Version: Sitecore 7.2—8.2
Action: Install Hotfix and update web.config
Impact of the issue: If you do not apply the patch, icon paths will be generated beginning with "/~/icon/" rather than "/temp/IconCache".
What will happen if we didn’t apply this patch: Sitecore icon cache images will not display.
Any workaround available?: No
----------------------------------------------------------------------------------------------------------
Security Bulletin SC2019-002-312864
Issue Details: Allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.
Affected Sitecore Version: Sitecore 7.0—8.2
Action: Install Hotfix - SC Hotfix 313001-1 Security.AntiCsrf 1.0.0
Impact of the issue: The module is designed to protect WebForms from CSRF attacks. By default, it is configured to protect Sitecore interfaces (Sitecore shell) only. However, it supports configuration and can be enabled to protect frontend solutions.
Since the Sitecore shell site is disabled on Content Delivery servers, the module can safely be disabled or completely removed there without any implications. If you have the Sitecore backend enabled on Content Delivery servers, the module can be configured to skip processing requests to specific locations: add a node to the Sitecore.AntiCsrf.config file and specify the URL to filter.
What will happen if we didn’t apply this patch: Allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.
Any workaround available?: If the full solution cannot be applied right away, the following temporary workaround can be used on all affected Sitecore instances to secure them from the vulnerability.
To temporarily address the vulnerability, deny access to the \Website\sitecore\shell folder on all Sitecore instances in all your Sitecore environments.
Go to your Sitecore web application in the Internet Information Services (IIS) Manager application.
Select the \sitecore\shell folder.
Click .NET Authorization Rules.
Click Add Deny Rule… in the Actions panel.
Select All users and click OK.
Note: Upon implementing this workaround, content editing functionality will not be available in your Sitecore environments.
If content editing functionality cannot be temporarily disabled, as an alternative it is possible to configure IP-based security restrictions for the \Website\sitecore\shell folder to block all access for external users and only allow access from trusted IP addresses that a malicious actor is not able to use. For instructions on how to configure IP-based security restrictions, see http://www.iis.net/ConfigReference/system.webServer/security/ipSecurity.
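The same two IIS restrictions expressed as a web.config fragment, as an added example that is not part of the bulletin; the 203.0.113.0/24 range is a placeholder for whatever trusted editor or VPN range applies, and the ipSecurity option assumes the IIS "IP and Domain Restrictions" feature is installed:

```xml
<!-- Added example, not from the bulletin. Goes inside <configuration> in the
     site's web.config. Keep ONLY ONE of the two <location> blocks below. -->

<!-- Option 1: equivalent of "Add Deny Rule... -> All users" on \sitecore\shell.
     Every request to /sitecore/shell is refused, so content editing stops
     working on this instance (the right choice for Content Delivery servers). -->
<location path="sitecore/shell">
  <system.web>
    <authorization>
      <deny users="*" />
    </authorization>
  </system.web>
</location>

<!-- Option 2: IP-based restriction instead of a blanket deny.
     allowUnlisted="false" turns the list into an allow-list; any client whose
     address is not matched receives HTTP 403.
     203.0.113.0/24 is a placeholder for the trusted editor/VPN range. -->
<location path="sitecore/shell">
  <system.webServer>
    <security>
      <ipSecurity allowUnlisted="false">
        <add ipAddress="203.0.113.0" subnetMask="255.255.255.0" allowed="true" />
      </ipSecurity>
    </security>
  </system.webServer>
</location>
```

The ipSecurity section is locked at the server level by default (overrideModeDefault="Deny" in applicationHost.config), so unlock it for the site via Feature Delegation first or IIS answers every request with 500.19. If a load balancer or reverse proxy sits in front of the instance, confirm it preserves the real client address, otherwise the allow-list is evaluated against the proxy rather than the user.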