Thursday, February 5, 2015

Security alert - Update ClientDependency immediately

Update: this information is now obsolete, a new vulnerability was found and a new update is required.

Since Umbraco 4.5 we have shipped with the ClientDependency Framework. You may not have used it yourself but the Umbraco backoffice relies on it pretty heavily and a security flaw has been found.

Impact: High, take immediate action (except sites running on Umbraco as a Service)
Versions affected:
v4.5 - 7.1.9
Summary: A security issue in a library used by Umbraco contains a flaw.
Fix: Replace a single assembly file or run a NuGet update command. Completely backwards compatible.

We have been alerted by security company Dionach that there was a security problem with this library and we promptly proceeded to fix it.
We will not reveal the details of the security problem at this time to give everybody a chance to update their sites and eliminate the problem.

The problem affects Umbraco versions 4.5.0 through 7.1.9. It is absolutely necessary that you update live sites in this Umbraco version range with a new version of ClientDependency.
A minor security problem exists in 7.2.0 and 7.2.1 but this is only exploitable under very special circumstances. You don't have to rush an upgrade but it's advisable to do it when you get a chance.

How to update?

Manual

If you are NOT using NuGet then it's as easy as copying the new version of ClientDependency.Core.dll (compatible with .net 4.5), ClientDependency.Core.dll (compatible with .net 4.0)or ClientDependency.Core.dll (compatible with .net 3.5) into the bin folder of your website. This version is fully backwards compatible with all earlier versions of ClientDependency so you don't need to worry about breaking anything. If you are using the nuPickers package in Umbraco 7.x some configuration changes will be required, see below for details.

NuGet

If your ARE using NuGet then the following instructions apply:

For Umbraco versions 4.7.2 until 6.1.2.2 - run:

Install-Package ClientDependency

in your Package Manager Console. Alternatively you can use the NuGet UI to search for the ClientDependency package and install it.

For Umbraco version 6.1.3, 6.1.4 and 6.1.5 - run:

Update-Package ClientDependency

in your Package Manager Console. Alternatively you can use the NuGet UI to search for the ClientDependency package and update it. Note: this will upgrade your Umbraco installation to version 6.1.6! This is a good thing, 6.1.6 fixes quite a few bugs. Make sure to answer "No" when NuGet asks you if you want to overwrite config files.

For Umbraco version 6.1.6 and higher - run:

Update-Package ClientDependency

in your Package Manager Console. Alternatively you can use the NuGet UI to search for the ClientDependency package and update it.

All available zip files on our Downloads page have been updated with the new version of ClientDependency and NuGet installs will also automatically get the latest, secure version.

If you're running on Umbraco as a Service you're not affected by this security issue.

Update: if you are using the nuPickers package in Umbraco 7.x some additional configuration changes will be required

Due to the way that nuPickers loads in request based dependencies for their components, you will need to update your ~/config/ClientDependency.config file and white list your domains. You can find the details on this forum post.

Want to be updated on everything Umbraco?

Sign up for the Umbraco newsletter and get the latest news and special offers send directly to your inbox