Critical Vulnerability in Sitecore Software (SC2024-001-619349)
Sitecore has identified and resolved a critical vulnerability (SC2024-001-619349) that poses a risk of unauthenticated arbitrary file reads. A patch is now available to address this issue, and Sitecore strongly urges all customers and partners to promptly apply the fix to all affected instances.
Impacted Products
The vulnerability affects the following Sitecore products:
- Experience Manager (XM)
- Experience Platform (XP)
- Experience Commerce (XC)
- Managed Cloud
Non-Impacted Products
The following Sitecore products are not affected by this vulnerability:
- XM Cloud
- Content Hub
- CDP and Personalize (formerly Boxever)
- OrderCloud (formerly Four51 OrderCloud)
- Storefront (formerly Four51 Storefront)
- Moosend
- Send
- Discover (formerly Reflektion)
- Search
- Commerce Server
Affected Versions
The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from version 8.0 Initial Release to 10.4 Initial Release. This includes Content Management (CM) and Standalone instances, PaaS solutions, and containerized solutions. Managed Cloud customers running the affected Experience Platform versions are also impacted, specifically CM and Standalone Managed Cloud instances.
Solution
To mitigate the issue, Sitecore recommends applying the following patch to affected systems:
- For Versions 9.1 to 10.4 Initial Release:
- Download and unpack the Sitecore.Support.619349.zip archive.
- Place the Sitecore.Support.619349.dll in the \bin folder.
- Place the Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.
- For Versions 9.0.2 and Earlier:
- Download and unpack the Sitecore.Support.61934-8.0.0-9.0.2.0.zip archive.
- Place the Sitecore.Support.619349.dll in the \bin folder.
- Place the Sitecore.Support.619349.config in the \App_Config\Include\zzz folder.
Sitecore is currently preparing hotfixes, which will be available soon.
Important Information
- The vulnerability impacts only the Content Management (CM) and Standalone roles within Sitecore XP.
- In the Azure Marketplace, hotfixes are not automatically rolled out and must be applied manually.
- Versions 9.0.2 and earlier have entered the Sustaining Support Phase, and Sitecore does not provide hotfix packages for them. Therefore, Sitecore recommends upgrading to later versions and applying the corresponding hotfix.
To ensure the security of your Sitecore instances, apply the necessary patches immediately and keep your environments up to date with the latest security fixes. Stay vigilant and proactive in maintaining the integrity of your Sitecore deployments.
For more information, please visit this Sitecore KB article