Who is affected?
All versions of Umbraco from 4.11.9 and up are affected by this vulnerability.
Thus, all sites should have the recommended patch or workaround implemented when it is released next week.
How to prepare?
Because we are looking at a patch upgrade or file replacements, we expect the fix to be rather straightforward and to only require minimal time per project.
As this is a security patch, we highly advise you to put aside resources to get this fixed. This is also why we give you this information before we release the patch publicly.
How to upgrade on March 17th?
If you’re using Umbraco versions 8.5.x or 7.15.x then you’ll be able to upgrade to a new patch version of these releases the way you would normally upgrade.
For sites running any other version, you have two options:
- You can upgrade to the latest version within your major (8.5.5 or 7.15.4).
- You can apply a workaround patch to avoid having to upgrade your site right now.
How do you check which version you are on? Reach out with this blog post to your technical contact for your Umbraco site and they will be able to take care of the necessary precautions.
Where do I find the necessary information on the 17th?
On March 17th at 7 AM UTC, (find the time in your timezone here) a post will be released here on the Umbraco blog with a detailed description on how to fix this security issue.
We will create a dedicated forum post on our community site; Our.Umbraco, that we will link to in the blog post published next week.
What about sites on Umbraco Cloud?
As mentioned in the intro, all Umbraco Cloud sites will automatically get the security fix applied on March 17th between 7 AM - 9 PM UTC.
Umbraco Cloud sites running 8.5.x and 7.15.x, will automatically be upgraded to 8.5.5 and 7.15.4. Cloud sites running other versions will automatically get a fix implemented and no Umbraco upgrades will be applied.
Thus, no action is needed for Umbraco Cloud users.
Due to the severity of this issue we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited in the wild.
The next update on this issue will be published on the Umbraco blog on March 17th at 7 AM UTC.