Encryption setting for new version

4 posts, 0 answers
  1. Benjamin
    20 posts
    Member since:
    May 2018

    Posted 24 Jun 2020

    I understand that I need to add the 3 app settings for the encryption key, but would like to check: where do I add the decryption key?

    After patching the DLLs and adding the keys to web.config, is there any requirement to do a code change?

    I am currently using version 2015.2.729.40.

  2. Rumen
    Admin
    14459 posts

    Posted 25 Jun 2020

    Hi Benjamin,

    Thank you for your questions.

    We just sent an email to our community and we strongly advise you to upgrade to at least version R2 2020.

    Here are the email contents:

    We are writing to update you on the recent Blue Mockingbird malware attacks that have been talked about in the press and on social media, affecting many web applications, including Microsoft Information Services, SharePoint and Citrix, in addition to Telerik UI for ASP.NET AJAX. The vulnerability that Blue Mockingbird exploits is not new. It was identified and fixes were provided to our customers and partners in 2017 and 2019. In light of the recent attacks however, we are again updating you on where those fixes can be found and implemented.  

    The attack often uses the known vulnerabilities CVE-2017-11317 and CVE-2019-18935 to upload and execute the malicious software to software versions that have not been upgraded to the latest version of the Telerik UI for ASP.NET AJAX (also known as RadControls for ASP.NET AJAX). 

    To protect against this vulnerability, we recommend that you upgrade to R1 2020 (version 2020.1.114) or later. If you’re unsure if this impacts you, go to this page

    You can find more information in the following dedicated articles: 

    CVE-2019-18935 - Allows JavaScriptSerializer Deserialization 

    CVE-2017-11317 - Unrestricted File Upload 

    Also, if you need to upgrade to a more recent version, please follow the instructions in our documentation.  

    All customers with active maintenance and support – you can access our latest releases R1 & R2 2020 here. If you have any questions, you can reach the Telerik support team via the support ticketing system

    All customers with expired maintenance and support – we've activated a complimentary access to our R1 2020 release in your accounts. You can access it here. If you have any additional questions, please open a General Feedback ticket.  

    Best regards, 

    The Telerik team at Progress 

     

    Regards,
    Rumen
    Progress Telerik

  3. Fit2Page
    468 posts
    Member since:
    Feb 2007

    Posted 21 Aug 2020 in reply to Rumen

    Hi Rumen,

     

    We had a lot of trouble with this leak lately. You talk about an email that was sent out to the community; can you say when that was done? Went through my INBOX but can't find that one.

     

    Marc

     

  4. Rumen
    Admin
    14459 posts

    Posted 21 Aug 2020

    Hi Marc,

    I am really sorry for the trouble and inconvenience due to the vulnerability!

    The Security email was sent on June 25, 2020 from progresssoftware@businessmaking.progress.net with the following subject: "Security Update for Progress Telerik UI for ASP.NET AJAX".

    I double-checked the list with email addresses and can confirm that your email is part of the mailing list. 

    Best Regards,
    Rumen
    Progress Telerik
