CVE-2021-42237, a remote code execution vulnerability in Sitecore Experience Platform (Sitecore XP), is being actively exploited.
The issue is a remote code execution vulnerability caused by insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (a Silverlight report), which was deprecated in the 8.0 Initial Release.
We recommend that you keep your environment on a supported, secure version and apply all available security fixes without delay.
Sitecore XP is an enterprise-level content management system (CMS) with data analytics capabilities that has been adopted by well-known companies such as American Express, IKEA, Carnival Cruise Lines, L’Oréal, and Volvo.
On October 13, 2021, a patch was released for a remote code execution vulnerability (CVE-2021-42237) in the Sitecore Experience Platform.
Cybersecurity firm Assetnote has published a technical report on the vulnerability; attackers can use such details to build exploits and actively attack vulnerable websites.
A vulnerability in certain versions of the Sitecore Experience Platform system is being actively exploited. Affected Australian organizations should apply any available security updates.
The vulnerable Sitecore XP component used in the attack is Report.ashx, which is used to display analytics, engagement, and SEO reports.
This issue is a remote code execution vulnerability caused by insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (in Silverlight reports), which was deprecated in the 8.0 Initial Release.
This vulnerability does not require authentication and allows a remote attacker to exploit a vulnerable server and take full control of it.
The versions of Sitecore XP affected by this RCE vulnerability are as follows.
- Sitecore XP 7.5 Initial Release – Sitecore XP 7.5 Update-2
- Sitecore XP 8.0 Initial Release – Sitecore XP 8.0 Update-7
- Sitecore XP 8.1 Initial Release – Sitecore XP 8.1 Update-3
- Sitecore XP 8.2 Initial Release – Sitecore XP 8.2 Update-7
The unaffected versions are as follows.
- Sitecore XP versions 7.2 Update-6 or earlier
- Sitecore XP versions 9.0 Initial Release or later
Within the affected versions, the vulnerability applies to every type of Sitecore XP deployment.
This includes single-instance environments, multi-instance environments, managed cloud environments, and all Sitecore server roles exposed to the Internet, including content delivery, content editing, reporting, and processing.
The solution is to upgrade to a secure version, ideally Sitecore XP 9.0 or higher.
You can also mitigate this vulnerability by removing the Report.ashx file at “/sitecore/shell/ClientBin/Reporting/Report.ashx” from all server instances.
How to solve it
The following methods are available to fix this vulnerability.
For Sitecore XP 7.5.0 to Sitecore XP 7.5.2, please do one of the following.
- Upgrade Sitecore XP instances to Sitecore XP 9.0.0 or later.
- Remove the /sitecore/shell/ClientBin/Reporting/Report.ashx file from all server instances, noting that in this version the file still drives the Executive Insight Dashboard.
- Upgrade Sitecore XP instances to a version between Sitecore XP 8.0.0 and Sitecore XP 8.2.7, then apply the fix for those versions described below.
For Sitecore XP 8.0.0 – Sitecore XP 8.2.7, remove the Report.ashx file at /sitecore/shell/ClientBin/Reporting/Report.ashx from all server instances.
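An audit script for the mitigation above, added here as an example (not from the advisory or from Sitecore): it enumerates IIS sites, reads each Sitecore version, flags the affected ranges listed above, checks whether Report.ashx is still present and optionally removes it. It assumes the IIS WebAdministration module and the standard sitecore.version.xml layout (major/minor/build, with build matching the Update number); the -RemoveReportAshx switch name is hypothetical.

```powershell
# Added audit script (not from the advisory or from Sitecore). Run on each server
# instance. Assumes the IIS WebAdministration module and the standard Sitecore
# layout where <webroot>\sitecore\shell\sitecore.version.xml holds major/minor/build.
param([switch]$RemoveReportAshx)   # hypothetical switch: remove the file instead of only reporting it

Import-Module WebAdministration

# Affected ranges taken from the advisory (build = "Update-N"; Initial Release = 0)
$affected = @{ '7.5' = 0..2; '8.0' = 0..7; '8.1' = 0..3; '8.2' = 0..7 }

function Get-SitecoreVersion([string]$WebRoot) {
    $file = Join-Path $WebRoot 'sitecore\shell\sitecore.version.xml'
    if (-not (Test-Path $file)) { return $null }            # not a Sitecore webroot
    [xml]$xml = Get-Content -Path $file
    $v = $xml.information.version
    [pscustomobject]@{ Major = [int]$v.major; Minor = [int]$v.minor; Build = [int]$v.build }
}

function Test-SitecoreAffected($Version) {
    $key = "$($Version.Major).$($Version.Minor)"
    return $affected.ContainsKey($key) -and ($affected[$key] -contains $Version.Build)
}

foreach ($site in Get-Website) {
    $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
    $ver  = Get-SitecoreVersion $root
    if (-not $ver) { continue }
    $report     = Join-Path $root 'sitecore\shell\ClientBin\Reporting\Report.ashx'
    $present    = Test-Path $report
    $isAffected = Test-SitecoreAffected $ver

    # Mitigation from the advisory: remove Report.ashx on affected instances
    if ($RemoveReportAshx -and $isAffected -and $present) {
        Remove-Item -Path $report -Force
        $present = Test-Path $report
    }

    [pscustomobject]@{
        Site              = $site.Name
        Version           = "$($ver.Major).$($ver.Minor).$($ver.Build)"
        Affected          = $isAffected
        ReportAshxPresent = $present
        NeedsAction       = $isAffected -and $present
    }
}
```

Run it without the switch first to get an inventory; any row with NeedsAction set to True is an instance where the advisory's mitigation (or the upgrade to 9.0 or later) has not yet been applied.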