We are trying to contact Sitefinity to check status about the latest security vulnerability in Sitefinity due to cryptographic weakness [CVE-2017-9248]. As our version is older, we have to verify the steps we have taken is valid and is that enough for the security issue.
Our Sitefinity version is 3.7.2136
and what we did is, we prevented the access to Dialog Handler as suggested in http://www.telerik.com/support/kb/aspnet-ajax/details/cryptographic-weakness#prevent-access
by removing the handler in the web.config file and also changed Machine keys.
Can you please let us know if that will be enough for now? Is there a way to measure this and make sure that security is improved?
1 Answer, 1 is accepted
0
Hello Suresh,
Yes, I can confirm that for version 3.7 the steps you have taken are the correct ones to address the CVE-2017-9248 cryptographic weakness. The KB article you have referenced also contains information on how to verify whether the dialog handler has been properly disabled, so you can follow this set of instructions to confirm the successful operation.
At this point this is all the official information we have disclosed and can discuss in public. If you prefer to continue the discussion, or have further follow-up questions, which might necessitate private communication, we would be glad to assist you via our phone or support ticket channels, which you can find listed on the Sitefintiy Support center page.
Regards,
Boyan Barnev
Progress Telerik
Yes, I can confirm that for version 3.7 the steps you have taken are the correct ones to address the CVE-2017-9248 cryptographic weakness. The KB article you have referenced also contains information on how to verify whether the dialog handler has been properly disabled, so you can follow this set of instructions to confirm the successful operation.
At this point this is all the official information we have disclosed and can discuss in public. If you prefer to continue the discussion, or have further follow-up questions, which might necessitate private communication, we would be glad to assist you via our phone or support ticket channels, which you can find listed on the Sitefintiy Support center page.
Regards,
Boyan Barnev
Progress Telerik
Do you want to have your say when we set our development plans?
Do you want to know when a feature you care about is added or when a bug fixed?
Explore the
Telerik Feedback Portal
and vote to affect the priority of the items