Umbraco

Security advisory: Security patches for Umbraco Forms ready on July 20th, 2021, at 7 AM UTC

This is a heads-up so you can prepare for action

Andy Butland
Written by Andy Butland

A newly found, but not publicly known, security issue in Umbraco Forms could lead to a remote code execution attack and/or arbitrary file deletion. We have a fix ready which we will release on July 20th, 2021, at 7 AM UTC. This blog post is a heads-up as we highly advise you to be ready to apply the patch release. No action is required for Umbraco Cloud sites as they will be upgraded automatically on July 20th.

Patches are now available: https://umbraco.com/blog/security-advisory-20th-of-july-2021-patch-is-now-available/

Update: Since publishing the information we have also identified that the issue partially exists in Contour 3 (the predecessor to Umbraco Forms) and a patch is now available to help address this.

Who’s affected?

Versions affected:

All versions of Umbraco Forms v4.0.0 and up are affected by this vulnerability.

Thus, all sites should have the recommended patch implemented when it is released next week.

How do I prepare?

Because we are looking at a patch upgrade, we expect the fix to be rather straightforward and to only require minimal time per project. 

As this is a security patch, we highly advise you to put aside resources to get this fixed. This is also why we give you this information before we release the patch publicly.

How to upgrade on July 20th?

If you’re using Umbraco Forms versions 8, 7 and 6 you will be able to upgrade to a new patch version of your current minor version, no matter what minor version you are using now. For example:

  • You are using Forms 8.1.x (8.1.0, 8.1.2 or 8.1.3)  right now, you will be able to upgrade to 8.1.4
  • You are using Forms 7.5.x (7.5.0, 7.5.1, 7.5.2 or 7.5.3) right now, you will be able to upgrade to 7.5.4. 

And so on, so for each minor version of Umbraco Forms 6, 7, or 8, there will be a patch version to upgrade to.

For sites running Umbraco Forms version 4 will need to upgrade to the latest version of v4.

  • We are releasing versions 4.4.8 on July 20
  • If you’re on a (much) lower version than 4.4.7 right now then you can prepare by upgrading to 4.4.7 in the coming days, to make sure everything still works and that the final upgrade to 4.4.8 is as easy as possible.

How do you check which version you are on? Reach out with this blog post to your technical contact for your Umbraco site and they will be able to take care of the necessary precautions. 

Where do I find the necessary information on July 20th?

On July 20th at 7 AM UTC, (find the time in your timezone here) a post will be released here on the Umbraco blog with a detailed description of how to fix this security issue.

We will create a dedicated forum post on our community site; Our.Umbraco, which we will link to in the blog post published next week.  

What about sites on Umbraco Cloud?

As mentioned in the intro, all Umbraco Cloud sites will automatically get the security fix applied on July 20th between 7 AM - 9 PM UTC.

  • Umbraco Cloud sites running Forms v8 and v7 will automatically be upgraded to the latest patch release for the minor version they are currently on. 
  • Umbraco Cloud sites running Forms v6 will be automatically upgraded to version 6.0.9
  • Umbraco Cloud sites running Forms v4 will be automatically upgraded to version 4.4.8

Thus, no action is needed for Umbraco Cloud users. 

Acknowledgement

The issue was discovered and reported by Gary O’Leary-Steele from AppCheck. We would like to thank Gary and AppCheck for their discretion in reporting the issue and help in confirming that it will be addressed correctly with the patches. Furthermore, it is worth highlighting the speed with which they have responded to questions and their help in planning the timeline for rollout and communication. 

Severity details:

Due to the severity of this issue, we have chosen not to disclose any further details yet. This is to prevent any exploitation of the vulnerability before the patch is released. Currently, we have no indication that this vulnerability is being exploited in the wild.

The next update on this issue will be published on the Umbraco blog on July 20th at 7 AM UTC.