Sitecore recently released a Support Security Bulletin SC2023-002-576660 that addresses a vulnerability in the platform. You can find the details of this bulletin in their knowledge base article KB1002979. Some of my team already had questions regarding the recommended approaches for addressing this vulnerability, specifically the differences between applying a hotfix and a patch. In this post, I'll clarify these approaches and discuss how to apply the hotfix to various Sitecore roles.
Two Approaches: Hotfix vs. Patch
The bulletin outlines two approaches to resolve the vulnerability:
- Applying as a hotfix
- Applying as a patch
The main difference between these two options is that the patch only fixes the known attack vector (a specific method or pathway that cybercriminals have been observed using to exploit vulnerabilities in software or systems). At the same time, the hotfix addresses the vulnerability more comprehensively - covering scenarios beyond the known attack vector. Due to this critical difference, Sitecore strongly recommends applying hotfixes rather than installing the patch.
Applying the Hotfix to Different Sitecore Roles
The hotfix comes packaged as a `.update` package and can be easily installed using the Sitecore Update Installation Wizard. This process is straightforward for a Content Management (CM) role. However, applying the hotfix to other functions requires additional steps.
For non-CM roles, installing the hotfix on the CM instance is generally recommended, then syncing the changes made with some other cases using your typical development practices. The idea is to ensure the updated files and configurations installed on the CM instance are copied to Content Delivery (CD) or other Sitecore roles to maintain a consistent codebase and configuration.
To manually extract the contents of the .update package, you can use a tool like 7zip without renaming the file. Right-click the file and choose one of the "Extract" options. You can then extract the package.zip to obtain the files from addedfiles, addedfolders, addeditems, and changedfiles folders.
Alternatively, to 7zip, you can rename the .update file to .update.zip and extract it using Window's built-in zip manager. Once you've extracted the files, you can plan to drop them into the rest of your non-CM XP roles.
It's worth mentioning that your particular solution may already have a previous cumulative hotfix applied. You may need to check your solution to see if any of the extracted files (such as the Sitecore.Kernel.dll) are already referenced to a static hotfix location and make the necessary updates to the solution to reference.
Compare the DLLs and configs against your solution and merge updates wherever necessary. Skipping this step risks overwriting the installation during a subsequent deployment.
What's in the latest Hotfix?
Looking at 10.0.0 installation, there are 42 file differences between the current solution and the hotfix files:
- \sitecore modules\Web\ExperienceForms\scripts\form.conditions.js
- \sitecore\shell\client\Applications\FormsBuilder\Layouts\Renderings\FormDesignBoard\FormDesignBoard.js
- \sitecore\shell\client\Applications\FormsBuilder\Layouts\Renderings\Composites\SubmitActionsManager\SubmitActionsManager.js
- \sitecore\shell\Applications\Page Modes\ChromeTypes\FieldChromeType.js
- \sitecore\shell\Applications\Page Modes\InlineEditingUtil.js
- \sitecore\shell\Applications\Content Manager\Content Editor.Search.js
- \sitecore\shell\Applications\Buckets\scripts\ItemBucket.js
- \bin\Sitecore.Services.Infrastructure.Sitecore.dll
- \bin\Sitecore.Services.Infrastructure.dll
- \bin\Sitecore.Services.Core.dll
- \bin\Sitecore.Services.Client.dll
- \bin\Sitecore.Mvc.ExperienceEditor.dll
- \bin\Sitecore.Mvc.dll
- \bin\Sitecore.Mvc.DeviceSimulator.dll
- \bin\Sitecore.Kernel.dll
- \bin\Sitecore.ExperienceForms.SubmitActions.dll
- \bin\Sitecore.ExperienceForms.Mvc.dll
- \bin\Sitecore.ExperienceForms.dll
- \bin\Sitecore.ExperienceForms.Data.SqlServer.dll
- \bin\Sitecore.ExperienceForms.Client.dll
- \bin\Sitecore.ExperienceForms.Analytics.dll
- \bin\Sitecore.ExperienceExplorer.Web.dll
- \bin\Sitecore.ExperienceExplorer.dll
- \bin\Sitecore.ExperienceExplorer.Core.dll
- \bin\Sitecore.ExperienceExplorer.Analytics.dll
- \bin\Sitecore.ExperienceEditor.Speak.Ribbon.dll
- \bin\Sitecore.ExperienceEditor.Speak.dll
- \bin\Sitecore.ExperienceEditor.dll
- \bin\Sitecore.ContentSearch.SolrProvider.dll
- \bin\Sitecore.ContentSearch.SolrNetExtension.dll
- \bin\Sitecore.ContentSearch.Linq.Solr.dll
- \bin\Sitecore.ContentSearch.Linq.dll
- \bin\Sitecore.ContentSearch.dll
- \bin\Sitecore.ContentSearch.Data.dll
- \bin\Sitecore.ContentSearch.ContentExtraction.dll
- \bin\Sitecore.ContentSearch.Client.dll
- \bin\Sitecore.Content.Services.dll
- \bin\Sitecore.Client.dll
- \bin\Sitecore.Buckets.dll
- \bin\Sitecore.Buckets.Client.dll
- \App_Config\Sitecore\Services.Client\Sitecore.Services.Client.config
- \App_Config\Sitecore.config
Conclusion
When addressing the vulnerability outlined in Sitecore Support Security Bulletin SC2023-002-576660 - or others where .update files are provided as part of the solution, applying the hotfix rather than the patch is strongly recommended. The hotfix should be installed on the CM instance and synced with other cases using your regular development practices. This ensures a consistent codebase and configuration across all Sitecore roles.
Hopefully, this helps clarify the recommended approaches for addressing this and future vulnerabilities in Sitecore.