How to validate Sitefinity cryptographic weakness fix?

2 posts, 0 answers
  1. Suresh
    1 posts
    Member since:
    May 2014

    Posted 20 Jul 2017


    We are trying to contact Sitefinity to check the status of the latest security vulnerability in Sitefinity due to a cryptographic weakness [CVE-2017-9248]. As our version is older, we have to verify that the steps we have taken are valid and whether they are enough for the security issue.

    Our Sitefinity version is 3.7.2136

    and what we did is, we prevented the access to Dialog Handler as suggested in
     by removing the handler in the web.config file and also changed Machine keys.

    Can you please let us know if that will be enough for now? Is there a way to measure this and make sure that security is improved?

  2. Boyan Barnev
    4 posts

    Posted 21 Jul 2017

    Hello Suresh,

    Yes, I can confirm that for version 3.7 the steps you have taken are the correct ones to address the CVE-2017-9248 cryptographic weakness. The KB article you have referenced also contains information on how to verify whether the dialog handler has been properly disabled, so you can follow this set of instructions to confirm the successful operation.

    At this point this is all the official information we have disclosed and can discuss in public. If you prefer to continue the discussion, or have further follow-up questions, which might necessitate private communication, we would be glad to assist you via our phone or support ticket channels, which you can find listed on the Sitefinity Support center page.

    Boyan Barnev
    Progress Telerik
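
The two steps discussed in this thread (removing the dialog handler registration and changing the machine keys) can be checked by comparing the pre-fix and post-fix web.config files. The script below is an added example, not code from the thread or from Progress; the handler type name, the function names and the sample configs with their dummy key values are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: Telerik dialog handler type name; the thread does not spell it out.
HANDLER_TYPE = "telerik.web.ui.dialoghandler"

# Constructed sample configs with dummy key values (not from a real site).
BEFORE = """<configuration><system.web>
  <machineKey validationKey="AAAA" decryptionKey="BBBB" />
  <httpHandlers><add path="Telerik.Web.UI.DialogHandler.aspx" verb="*"
     type="Telerik.Web.UI.DialogHandler, Telerik.Web.UI" /></httpHandlers>
</system.web></configuration>"""
AFTER = """<configuration><system.web>
  <machineKey validationKey="CCCC" decryptionKey="BBBB" />
  <httpHandlers />
</system.web></configuration>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop an xmlns prefix if the config has one


def audit(config_xml):
    """Return dialog-handler registrations and machineKey values in one web.config."""
    handlers, machine_key = [], None
    for el in ET.fromstring(config_xml).iter():
        name = _local(el.tag)
        if name in ("httpHandlers", "handlers"):
            for child in el:
                # Only <add> registers a handler; <remove> and <clear> do not.
                if _local(child.tag) == "add" and HANDLER_TYPE in child.get("type", "").lower():
                    handlers.append((name, child.get("path", "")))
        elif name == "machineKey":
            machine_key = (el.get("validationKey"), el.get("decryptionKey"))
    return handlers, machine_key


def validate_fix(before_xml, after_xml):
    """Compare pre-fix and post-fix configs; an empty list means both steps check out."""
    (_, old_keys), (handlers, new_keys) = audit(before_xml), audit(after_xml)
    findings = [f"dialog handler still registered in <{s}>: {p}" for s, p in handlers]
    if new_keys is None or any(k is None or "autogenerate" in k.lower() for k in new_keys):
        findings.append("machineKey missing or auto-generated; rotation cannot be confirmed")
    elif old_keys is not None:
        for label, old, new in zip(("validationKey", "decryptionKey"), old_keys, new_keys):
            if old == new:
                findings.append(f"{label} unchanged from the pre-fix config")
    return findings


print(validate_fix(BEFORE, AFTER))
```

This inspects only the file contents it is given; settings inherited from a parent config are not seen, so the verification steps in the KB article still apply to the running site.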