Who is affected?
As we mentioned in the Security Advisory published on September 14th, the following versions of Umbraco are affected:
- 4.11.9 - 4.11.10
- 6.0.6 - 6.2.6
- 7.0.0 - 7.12.2
The vulnerability exists in an external library to Umbraco called Client Dependency Framework (CDF), versions 126.96.36.199 - 1.9.6. In general it is recommended that you use the very latest version of CDF so that you know that you're secure and benefit from the latest bug fixes and performance improvements.
As advised in last week’s Security Advisory, we highly recommend you make time to fix this issue. If you are not technically responsible for your site, please make sure to reach out to the responsible person/agency so they can take the necessary action.
This advisory is the result of a private penetration test, we have no indication or reports that the vulnerability is currently being exploited in the wild.
The vulnerability is exploitable by any unauthenticated user requesting resources from your public website, a vulnerability of type “Local File Inclusion”. The resources that can be requested includes configuration files and other sensitive internal files not intended for public access.
How to update?
You can either do a manual update, update via NuGet or upgrade to newest version of Umbraco. Umbraco Cloud users will automatically be upgraded.
You’ll need to copy the appropriate new version (1.9.7) below of CDF into the bin folder of your website.
- ClientDependency.Core.dll (version 1.9.7, compatible with .net 4.5)
- ClientDependency.Core.dll (version 1.9.7, compatible with .net 4.0)
- ClientDependency.Core.dll (version 1.9.7, compatible with .net 3.5)
This version is fully backwards compatible with previous versions so you don't need to worry about breaking anything.
To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade (make sure to make a backup first).
Updated with NuGet
Run the following command in your Package Manager Console in Visual Studio:
Update-Package ClientDependency -Version 1.9.7
Alternatively you can use the NuGet UI to search for the ClientDependency package and update it to the latest version.
To avoid exposure of private information in cached files, you will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade.
New versions of Umbraco
We are shipping new versions of Umbraco (7.10.5, 7.11.2, and 7.12.3) with the vulnerability fixed for new installs of Umbraco or upgrades from 7.10+. They will be ready for download at around 07:30 UTC.
If you upgrade, please make sure to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade to avoid exposure of private information in cached files.
If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.
We want to thank Element78 and ProCheckUp for responsibly disclosing this issue with us.
We apologize for the inconvenience of this security issue and assure you that we continue to handle security issues with the appropriate attention and urgency.