Critical Sitecore Vulnerability Resolved: Immediate Patch Required for Unauthenticated File Read Risk
Critical Vulnerability in Sitecore Software (SC2024-001-619349)
Sitecore has identified and resolved a critical
vulnerability (SC2024-001-619349) that poses a risk of unauthenticated
arbitrary file reads. A patch is now available to address this issue, and
Sitecore strongly urges all customers and partners to promptly apply the fix to
all affected instances.
Impacted Products
The vulnerability affects the following Sitecore products:
- Experience Manager (XM)
- Experience Platform (XP)
- Experience Commerce (XC)
- Managed Cloud
Non-Impacted Products
The following Sitecore products are not affected by this
vulnerability:
- XM Cloud
- Content Hub
- CDP and Personalize (formerly Boxever)
- OrderCloud (formerly Four51 OrderCloud)
- Storefront (formerly Four51 Storefront)
- Moosend
- Send
- Discover (formerly Reflektion)
- Search
- Commerce Server
Affected Versions
The vulnerability impacts all Experience Platform topologies
(XM, XP, XC) from version 8.0 Initial Release to 10.4 Initial Release. This
includes Content Management (CM) and Standalone instances, PaaS solutions, and
containerized solutions. Managed Cloud customers running the affected
Experience Platform versions are also impacted, specifically CM and Standalone
Managed Cloud instances.
Solution
To mitigate the issue, Sitecore recommends applying the
following patch to affected systems:
- For versions 9.1 to 10.4 Initial Release:
  - Download and unpack the Sitecore.Support.619349.zip archive.
  - Place Sitecore.Support.619349.dll in the \bin folder.
  - Place Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.
- For versions 9.0.2 and earlier:
  - Download and unpack the Sitecore.Support.61934-8.0.0-9.0.2.0.zip archive.
  - Place Sitecore.Support.619349.dll in the \bin folder.
  - Place Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.
Sitecore is currently preparing hotfixes, which will be
available soon.
Important Information
- The vulnerability impacts only the Content Management (CM) and Standalone roles within Sitecore XP.
- In the Azure Marketplace, hotfixes are not automatically rolled out and must be applied manually.
- Versions 9.0.2 and earlier have entered the Sustaining Support Phase, and Sitecore does not provide hotfix packages for them. Therefore, Sitecore recommends upgrading to later versions and applying the corresponding hotfix.
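The patch steps above, together with the version range and the CM/Standalone-only caveat, are easy to get wrong when repeated across many instances. The following PowerShell script is an added example written for this page; it is not Sitecore's code and is not taken from the KB article. It checks that a local on-premises web root is actually in scope, applies the two files from the support archive, and verifies the result. It assumes: the instance is an IIS-hosted web root containing \bin, \App_Config and web.config (PaaS and container deployments would copy the same two files by their own means); the installed version can be read from sitecore\shell\sitecore.version.xml with the <information><version><major>/<minor> layout; and the server role is read from the "role:define" appSetting in web.config (Sitecore 9+; an instance without it is treated as Standalone). The function names, parameter names and the staging folder are this example's own.

```powershell
<#
 Added example, not from the Sitecore KB or this article.
 Applies the Sitecore.Support.619349 patch to one Sitecore web root and
 verifies it. Assumptions (not confirmed by the advisory text):
   - $WebRoot is an IIS site root containing \bin, \App_Config and web.config
   - sitecore\shell\sitecore.version.xml holds <information><version><major>/<minor>
   - web.config appSettings "role:define" names the server role(s) (Sitecore 9+)
#>
param(
    [Parameter(Mandatory)] [string] $WebRoot,    # e.g. C:\inetpub\wwwroot\sc104.local
    [Parameter(Mandatory)] [string] $PatchZip,   # Sitecore.Support.619349.zip (or the 8.0-9.0.2 archive)
    [switch] $WhatIf                             # show the copies without performing them
)

Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

function Get-SitecoreVersion([string] $Root) {
    # Assumed location and layout of the version file shipped with on-prem installs.
    $xmlPath = Join-Path $Root 'sitecore\shell\sitecore.version.xml'
    if (-not (Test-Path -LiteralPath $xmlPath)) { return $null }
    $v = ([xml](Get-Content -LiteralPath $xmlPath -Raw)).information.version
    return [version]('{0}.{1}' -f $v.major, $v.minor)
}

function Get-SitecoreRole([string] $Root) {
    # Assumed: Sitecore 9+ role configuration via the role:define appSetting.
    $xml  = [xml](Get-Content -LiteralPath (Join-Path $Root 'web.config') -Raw)
    $node = $xml.configuration.appSettings.add | Where-Object { $_.key -eq 'role:define' }
    if ($null -eq $node) { return 'Standalone' }   # 8.x has no role:define; single-server install
    return $node.value                              # may be a comma-separated list
}

function Test-Patch619349([string] $Root) {
    # The two artefacts the advisory tells you to drop in place.
    [pscustomobject]@{
        WebRoot       = $Root
        DllPresent    = Test-Path -LiteralPath (Join-Path $Root 'bin\Sitecore.Support.619349.dll')
        ConfigPresent = Test-Path -LiteralPath (Join-Path $Root 'App_Config\Include\zzz\Sitecore.Support.619349.config')
    }
}

$version = Get-SitecoreVersion $WebRoot
$role    = Get-SitecoreRole $WebRoot
Write-Host "Sitecore version: $version   role(s): $role"

# Advisory scope: 8.0 Initial Release through 10.4 Initial Release, CM and Standalone roles only.
$inRange = $version -and $version -ge [version]'8.0' -and $version -le [version]'10.4'
$roleMatches = ($role -split ',') | Where-Object { $_.Trim() -in @('ContentManagement', 'Standalone') }
if (-not $inRange) {
    Write-Warning "Version $version is outside the affected range (8.0 to 10.4); nothing to do."
    return
}
if (-not $roleMatches) {
    Write-Warning "Role '$role' is not CM or Standalone; the advisory lists only those roles as affected."
}

$before = Test-Patch619349 $WebRoot
if ($before.DllPresent -and $before.ConfigPresent) { Write-Host 'Patch already present.'; return }

# Unpack to a private staging folder and locate the two files by name,
# so the script works whether or not the archive has a top-level directory.
$stage = Join-Path $env:TEMP ('sc619349-' + [guid]::NewGuid())
Expand-Archive -LiteralPath $PatchZip -DestinationPath $stage -Force
$dll = Get-ChildItem -Path $stage -Recurse -Filter 'Sitecore.Support.619349.dll'    | Select-Object -First 1
$cfg = Get-ChildItem -Path $stage -Recurse -Filter 'Sitecore.Support.619349.config' | Select-Object -First 1
if (-not $dll -or -not $cfg) { throw "Archive $PatchZip does not contain the expected .dll and .config" }

$zzz = Join-Path $WebRoot 'App_Config\Include\zzz'
if (-not (Test-Path -LiteralPath $zzz)) { New-Item -ItemType Directory -Path $zzz -WhatIf:$WhatIf | Out-Null }
Copy-Item -LiteralPath $dll.FullName -Destination (Join-Path $WebRoot 'bin') -Force -WhatIf:$WhatIf
Copy-Item -LiteralPath $cfg.FullName -Destination $zzz -Force -WhatIf:$WhatIf
Remove-Item -LiteralPath $stage -Recurse -Force

# Re-check; both flags should now be True (unless -WhatIf was used).
Test-Patch619349 $WebRoot | Format-List
```

Run it once per CM or Standalone web root, e.g. `.\Apply-SC619349.ps1 -WebRoot C:\inetpub\wwwroot\sc104.local -PatchZip .\Sitecore.Support.619349.zip`, and use `Test-Patch619349` on its own as the post-change check across a fleet. Two caveats: copying a DLL into \bin recycles the application domain, so schedule it like any other restart; and the version check compares only major.minor, so any 10.4.x build is treated as in range, which is the conservative choice given that the advisory names 10.4 Initial Release as the upper bound.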
For more information, please visit the Sitecore KB article for SC2024-001-619349.