I understand that I need to add the 3 app settings for the encryption key, but would like to check: where do I add the decryption key?
After patching the DLLs and adding the keys to web.config, is there any requirement to do a code change?
I am currently using version 2015.2.729.40.
Hi Benjamin,
Thank you for your questions.
We just sent an email to our community and we strongly advise you to upgrade to at least version R2 2020.
Here are the email contents:
We are writing to update you on the recent Blue Mockingbird malware attacks that have been talked about in the press and on social media, affecting many web applications, including Microsoft Information Services, SharePoint and Citrix, in addition to Telerik UI for ASP.NET AJAX. The vulnerability that Blue Mockingbird exploits is not new. It was identified and fixes were provided to our customers and partners in 2017 and 2019. In light of the recent attacks however, we are again updating you on where those fixes can be found and implemented.
The attack often uses the known vulnerabilities CVE-2017-11317 and CVE-2019-18935 to upload and execute the malicious software to software versions that have not been upgraded to the latest version of the Telerik UI for ASP.NET AJAX (also known as RadControls for ASP.NET AJAX).
To protect against this vulnerability, we recommend that you upgrade to R1 2020 (version 2020.1.114) or later. If you’re unsure if this impacts you, go to this page.
You can find more information in the following dedicated articles:
CVE-2019-18935 - Allows JavaScriptSerializer Deserialization
CVE-2017-11317 - Unrestricted File Upload
Also, if you need to upgrade to a more recent version, please follow the instructions in our documentation.
All customers with active maintenance and support – you can access our latest releases R1 & R2 2020 here. If you have any questions, you can reach the Telerik support team via the support ticketing system.
All customers with expired maintenance and support – we've activated complimentary access to our R1 2020 release in your accounts. You can access it here. If you have any additional questions, please open a General Feedback ticket.
Best regards,
The Telerik team at Progress
Regards,
Rumen
Progress Telerik
Our thoughts here at Progress are with those affected by the outbreak.
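As an added example (not code from this thread or from Telerik), here is a small defender-side check for the two mitigations discussed above: whether the installed Telerik.Web.UI version is at or above the 2020.1.114 baseline named in the advisory, and whether the three custom-key appSettings are actually set in web.config. The appSettings key names are taken from the Telerik RadAsyncUpload documentation and are not quoted on this page; the web.config sample is constructed.

```python
import xml.etree.ElementTree as ET

# Minimum version from the advisory in this thread.
FIXED_VERSION = "2020.1.114"
# Key names assumed from the Telerik documentation (not quoted on this page).
REQUIRED_KEYS = (
    "Telerik.AsyncUpload.ConfigurationEncryptionKey",
    "Telerik.Upload.ConfigurationHashKey",
    "Telerik.Web.UI.DialogParametersEncryptionKey",
)

def parse_version(v):
    """Turn '2015.2.729.40' into a tuple of ints so it compares numerically."""
    return tuple(int(p) for p in v.strip().split("."))

def version_is_patched(v):
    """True when the assembly version is at or above the fixed release."""
    return parse_version(v) >= parse_version(FIXED_VERSION)

def missing_keys(web_config_xml):
    """Return the required appSettings keys that are absent or empty."""
    root = ET.fromstring(web_config_xml)
    present = {
        el.get("key"): (el.get("value") or "").strip()
        for el in root.findall("./appSettings/add")
    }
    return [k for k in REQUIRED_KEYS if not present.get(k)]

def assess(version, web_config_xml):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    if not version_is_patched(version):
        findings.append(f"Telerik.Web.UI {version} is older than {FIXED_VERSION}; upgrade")
    for k in missing_keys(web_config_xml):
        findings.append(f"appSettings key {k} is missing or empty")
    return findings

# Constructed sample web.config: one of the three keys is left empty.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="Telerik.AsyncUpload.ConfigurationEncryptionKey" value="PLACEHOLDER-KEY-1" />
    <add key="Telerik.Upload.ConfigurationHashKey" value="PLACEHOLDER-KEY-2" />
    <add key="Telerik.Web.UI.DialogParametersEncryptionKey" value="" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for finding in assess("2015.2.729.40", SAMPLE_WEB_CONFIG):
        print(finding)
```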
Hi Rumen,
We had a lot of trouble with this leak lately. You talk about an email that was sent out to the community; can you say when that was done? I went through my INBOX but can't find that one.
Marc
Hi Marc,
I am really sorry for the trouble and inconvenience due to the vulnerability!
The security email was sent on June 25, 2020 from progresssoftware@businessmaking.progress.net with the following subject: Security Update for Progress Telerik UI for ASP.NET AJAX.
I double-checked the list with email addresses and can confirm that your email is part of the mailing list.
Best regards,
Rumen
Progress Telerik