If you are uncertain about how to handle this advisory, reach out to your technical contact/web agency for your Umbraco site and provide them with a link to this blog post and they will be able to take the necessary precautions.
Who is affected?
As we mentioned in the Security Advisory published on March 12th, the following versions of Umbraco are affected:
- 4.11.9 - 4.11.10
- 6.0.6 - 6.2.6
- 7.0.0 - 7.15.3
- 8.0.0 - 8.5.4
The vulnerability exists in an external library to Umbraco called Client Dependency Framework (CDF), versions 1.8.2.1 - 1.9.8.
In the latest version of CDF; version 1.9.9, this vulnerability has been fixed. In general, it is recommended that you use the very latest version of CDF so that you know that you're secure and benefit from the latest bug fixes and performance improvements.
As advised in last week’s Security Advisory, we highly recommend you make time to fix this issue to which you’ll find instructions below.
Impact
This advisory is the result of a private penetration test. We have no indication or reports that the vulnerability is currently being exploited in the wild.
The vulnerability is exploitable by any unauthenticated user requesting resources from your public website. The resources that can potentially be requested includes configuration files and other sensitive internal files not intended for public access.
This is why we categorise this as a high-severity security issue.
Automatic fix on Umbraco Cloud
All projects on Umbraco Cloud will be automatically patched today (March 17th, 2020 between 7 AM - 9 PM UTC).
All Umbraco Cloud projects running 8.5.x are being upgraded to 8.5.5 and projects running 7.15.x are being upgraded to 7.15.4. This also means that from today, all new created projects on Umbraco Cloud will automatically have the security fix implemented.
Projects running versions prior to 8.5 or 7.15 are receiving a patched version of Client Dependency to secure them as well. Thus, no action is needed for Umbraco Cloud users.
Updating manually outside of Umbraco Cloud
There are several ways to update your sites outside of Cloud depending on what is appropriate for your setup. You can update manually, through NuGet or by updating to the latest version of Umbraco.
Manual update
You’ll need to copy the appropriate new version (1.9.9) below of Client Dependency Framework into the bin folder of your website.
This version is fully backwards compatible with previous versions so you don't need to worry about breaking anything.
To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade. Remember to do this on each publicly available environment (staging, live, etc). Make sure to back up the cached files if you want to collect evidence of a possible breach.
For most people, the files are stored in ~/App_Data/Temp/ClientDependency, but it is possible that they are stored somewhere else (on Azure specifically). Make sure to verify the location, examples on how to do that are available in the forum post about this security update: https://our.umbraco.com/forum/using-umbraco-and-getting-started/101529-security-update-for-march-2020
Update with NuGet
Run the following command in your Package Manager Console in Visual Studio:
Update-Package ClientDependency -Version 1.9.9
Alternatively, you can use the NuGet UI to search for the ClientDependency package and update it to the latest version (1.9.9).
To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade. Remember to do this on each publicly available environment (staging, live, etc). Make sure to back up the cached files if you want to collect evidence of a possible breach.
For most people, the files are stored in ~/App_Data/Temp/ClientDependency, but it is possible that they are stored somewhere else (on Azure specifically). Make sure to verify the location, examples on how to do that are available in the forum post about this security update: https://our.umbraco.com/forum/using-umbraco-and-getting-started/101529-security-update-for-march-2020
New versions of Umbraco
We have shipped new versions of Umbraco (7.15.4 and 8.5.5) with the vulnerability fixed for new installs of Umbraco or upgrades. These versions are available now both on Umbraco Cloud, Our Umbraco and on NuGet
Link to download versions:
If you’re using NuGet you can run the commands or use the NuGet UI to update to either 7.15.4 (if you’re using Umbraco version7) or 8.5.5 (if you’re using Umbraco version8).
To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade. Remember to do this on each publicly available environment (staging, live, etc). Make sure to back up the cached files if you want to collect evidence of a possible breach.
For most people, the files are stored in ~/App_Data/Temp/ClientDependency, but it is possible that they are stored somewhere else (on Azure specifically). Make sure to verify the location, examples on how to do that are available in the forum post about this security update: https://our.umbraco.com/forum/using-umbraco-and-getting-started/101529-security-update-for-march-2020
Note: these versions are exactly the same as versions 7.15.3 and 8.5.4 but the dependency on CDF has been updated to the latest version. There are no other changes between these versions, only CDF has been updated.
Details about the security issue
In order to give everybody a fair chance at updating their sites and be safe, we have chosen not to share details on what exactly the security problem is and the updated code has not yet been shared on GitHub.
In respect to others, and in order to keep as many sites safe as possible, we therefore also ask for your discretion if you choose to discuss this issue publicly.
Questions?
If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.
Credits
We want to thank Boik Su for responsibly disclosing this issue with us.
We apologize for the inconvenience of this security issue and assure you that we continue to handle security issues with the appropriate attention and urgency.