Blue Background 01

Security advisory: Update ClientDependency immediately

Sebastiaan Author
Written by Sebastiaan Janssen

A newly found security issue could lead to disclosure of private information. We have provided a fix for the affected sites. Please make sure your sites are updated immediately to fix the issue.

Umbraco Cloud sites and sites on version 7.2.3 and above are not affected.

Impact: High, requires immediate action. This advisory is the result of a private penetration test, we have no reports that the bug is being exploited in the wild.

The following Umbraco versions needs to be updated:

  • 4.11.9 - 4.11.10
  • 6.0.6 - 6.2.6
  • 7.0.0 - 7.2.2
  • any Umbraco website using ClientDependency version 1.8.2.1 or lower


If you have a different Umbraco version than the ones listed above but you have version 1.8.2.1 of ClientDependency running in your website then you also need to update.

Update, Feb 16 16:57 GMT+1: If you have ever upgraded your site from a version below 7.2.3 then you should check the version of ClientDependency.Core.dll (it should be 1.8.3.1 or higher) and  you have to go into your live environment and find either the ~/App_Data/ClientDependencyfolder or the ~/App_Data/Temp/ClientDependency folder and DELETE all the files in that folder, old cached files may still expose private information if you leave them there.

Does my site need to be updated?

If you are uncertain about what version you are running, get in touch with the person / agency that built your Umbraco site and let them help you. It is an easy fix, but we only recommend experienced Umbraco users to do the update.

How to update?

Manual

If you are NOT using NuGet then you need to copy the new version of ClientDependency.Core.dll (version 1.8.3.1, compatible with .net 4.5), ClientDependency.Core.dll (version 1.8.3.1, compatible with .net 4.0) or ClientDependency.Core.dll (version 1.8.3.1, compatible with .net 3.5) into the bin folder of your website.

This version is fully backwards compatible with version 1.8.2.1 so you don't need to worry about breaking anything.

Note: After copying in the new version you have to go into your live environment and find either the ~/App_Data/ClientDependency folder or the ~/App_Data/Temp/ClientDependency folder and DELETE all the files in that folder, old cached files may still expose private information if you leave them there.

NuGet

If your ARE using NuGet then the following instructions apply. Run the following command in your Package Manager Console in Visual Studio:

Update-Package ClientDependency -Version 1.8.3.1

If you don't specify the version in this command you will be upgraded to the latest version.

Alternatively you can use the NuGet UI to search for the ClientDependency package and update it to either version 1.8.3.1 or the latest version.

NuGet might update your web.config like Andy Landsdowne points out, you can revert those changes to the web.config file.

Note: After upgrading to the new version you have to go into your live environment and find either the ~/App_Data/ClientDependencyfolder or the ~/App_Data/Temp/ClientDependency folder and DELETE all the files in that folder, old cached files may still expose private information if you leave them there.

 

Questions?

If you have additional questions not covered in this blog post please use the forum post on Our Umbraco dedicated to this topic. You can subscribe to email notifications for this forum post (hit the "follow" button at the top right) to receive updates.

 

Details about the issue

Summary: A library used by Umbraco contains a security flaw

Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

The newly discovered vulnerability is no longer present in version 1.8.3.1 of ClientDependency and we advise you to make sure that you are using at least version 1.8.3.1. Of course, to get the most stable version with extra bug fixes you should upgrade to the latest stable version (1.9.2).

 

We want to thank Steve Smith from BMT Group Ltd for responsibly disclosing this issue with us.

We apologize for the inconvenience. Security issues are of the highest priority for us as we recognize that the trust in Umbraco depends heavily on this.

 

If you want to know more about how we handle security in Umbraco, you can read more about Umbraco Security here.

 

Loved by developers, used by thousands around the world!

One of the biggest benefits of using Umbraco is that we have the friendliest Open Source community on this planet. A community that's incredibly pro-active, extremely talented and helpful.

If you get an idea for something you would like to build in Umbraco, chances are that someone has already built it. And if you have a question, are looking for documentation or need friendly advise, go ahead and ask the Umbraco community on Our.

Number of active installs
502567
Number of active members in the community
221745
Known free Umbraco packages available
1211

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers sent directly to your inbox