Updated:
Status:
CVEs:
Sitecore products are vulnerable to a ViewState deserialization vulnerability. The issue arises when the publicly documented machine keys are reused in production deployments. An attacker who knows these keys can craft malicious ViewState payloads that execute code on the system.
Who is affected?
All versions of these products are potentially vulnerable:
- Sitecore Experience Manager (XM)
- Sitecore Experience Platform (XP)
- Sitecore Experience Commerce (XC)
- Sitecore Managed Cloud
What can I do?
To mitigate this vulnerability, ensure the default machine keys are not in use and rotate machine keys regularly.
Configuration changes are required to resolve this vulnerability: any deployment still using the default, publicly documented machine keys must rotate them. Follow the guidance provided by Sitecore on how to rotate and manage machine keys.
To maintain the confidentiality of machine keys, customers should ensure that access to the web.config file is restricted and any machine keys contained in it are encrypted.
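The following PowerShell is an added example, not Sitecore's or Fortra's own guidance, of the three mitigation steps above: auditing a web.config for a machineKey that matches a list of values the operator knows to be documented defaults, generating fresh random keys for an explicit machineKey element, and encrypting the section with aspnet_regiis.exe. The site path and the entries in the known-default list are placeholders; the real default values are not reproduced here, and the function names are this example's own.

```powershell
# Added example (not Sitecore or Fortra guidance): audit, rotate and protect
# the ASP.NET machineKey that Sitecore uses to validate ViewState.

# Generate a hex-encoded random key of the given byte length.
function New-HexKey {
    param([int]$ByteLength)
    $bytes = New-Object byte[] $ByteLength
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Build a <machineKey> element with explicit, randomly generated keys:
# 64 bytes for HMACSHA256 validation, 32 bytes for AES decryption.
function New-MachineKeyElement {
    $validation = New-HexKey -ByteLength 64
    $decryption = New-HexKey -ByteLength 32
    return "<machineKey validationKey=`"$validation`" decryptionKey=`"$decryption`" validation=`"HMACSHA256`" decryption=`"AES`" />"
}

# Audit: does web.config carry an explicit machineKey, and does either key
# match a value the operator knows to be a documented default?
function Test-MachineKey {
    param(
        [string]$WebConfigPath,
        [string[]]$KnownDefaultKeys
    )
    [xml]$config = Get-Content -Path $WebConfigPath -Raw
    $mk = $config.SelectSingleNode('/configuration/system.web/machineKey')
    if (-not $mk) {
        return [pscustomobject]@{ Path = $WebConfigPath; Finding = 'No explicit machineKey element (ASP.NET auto-generates per server)' }
    }
    foreach ($attr in 'validationKey', 'decryptionKey') {
        $value = $mk.GetAttribute($attr)
        if ($KnownDefaultKeys -contains $value) {
            return [pscustomobject]@{ Path = $WebConfigPath; Finding = "$attr matches a known default key: rotate immediately" }
        }
    }
    return [pscustomobject]@{ Path = $WebConfigPath; Finding = 'Explicit machineKey present and not on the known-default list' }
}

# --- Usage (site path and known-default list are placeholders) ---
$siteRoot = 'C:\inetpub\wwwroot\sitecore'   # placeholder: your Sitecore web root
$knownDefaults = @(
    '<DOCUMENTED-DEFAULT-VALIDATIONKEY-PLACEHOLDER>',
    '<DOCUMENTED-DEFAULT-DECRYPTIONKEY-PLACEHOLDER>'
)

Test-MachineKey -WebConfigPath "$siteRoot\web.config" -KnownDefaultKeys $knownDefaults

# Emit a new element to place under <system.web> on every instance that
# shares ViewState (all of them must carry the same keys).
New-MachineKeyElement

# After the new keys are in place, encrypt the section so the plaintext keys
# are no longer readable from the file. aspnet_regiis.exe ships with the
# .NET Framework; -pef encrypts a configuration section at a physical path.
& "$env:windir\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -pef "system.web/machineKey" $siteRoot
```

Run the audit first on every instance, paste one freshly generated element into each web.config, then encrypt the section and restrict file-system access to web.config as the advisory recommends. The known-default list is a simple string match, so populate it from Sitecore's own documentation rather than from this example.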
For more information from Sitecore, see:
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated as new information about it and related security coverage becomes available.