We’ve just published a couple of knowledge base articles about Sitefinity security. This blog post rounds them up and looks at the best practices and benefits of keeping your WCM up to date.
At Progress we take security seriously and are committed to identifying and resolving any potential vulnerabilities. Sitefinity is rigorously tested and certified to the highest industry standards. And while we’re at it, we’d like to encourage you to keep your Sitefinity projects up to date.
With every new release, Sitefinity offers multiple performance benefits and a higher level of security. Cross-functional teams work hard to develop new features, introduce enhancements and resolve vulnerabilities. New releases get the latest versions of third-party libraries and plug-ins too, which means you gain on multiple levels in terms of higher performance and tighter security.
All in all, the latest Sitefinity version is your safest bet. Then again, if you’re running an older version, make sure you have the latest patch. Don’t take any chances. Security is not a gamble—a fact of life none of us would want to learn the hard way.
The Sitefinity Knowledge Base is a great place to get useful tips and learn from the experience of fellow Sitefinity users. It’s also where Sitefinity Support posts important announcements advising our customers what action they should take to secure against vulnerabilities before they become exploits.
We’re going to look at exactly that kind of security advisory, released in the last week or so. Ready to roll?
We start with the most recent Sitefinity Security Advisory, detailing a set of potential vulnerabilities that have been identified and resolved. It lists the available patches per version, which contain fixes for these vulnerabilities. It’s important to note that no action is required whatsoever for Sitefinity 13.0.
It’s the most recent official version and has the latest versions of libraries such as jQuery and AJAX, as well as all the highest-level security configurations. You’re welcome to read the article below and plan to apply the latest patch for your version of Sitefinity, if you haven’t done so yet. Security patches are available for versions 7.0 through 12.2.
Security Advisory for Resolving Security vulnerabilities March/April 2020
Next up, Sitefinity Support has added a comprehensive article on the notorious Blue Mockingbird exploit. It’s a malware attack that can potentially compromise web application security. The exploit targets old Telerik UI vulnerabilities that have long been resolved.
Although the vulnerabilities were patched all the way back in 2017, and the original security measures have been built upon since, attackers may still be targeting organizations that haven’t upgraded to the patched version of the exposed components.
Blue Mockingbird and What It Means for Sitefinity
The following article originally dates back to 2017, when said exploit was identified and resolved. It just made sense for Sitefinity Support to update it as a reminder to customers who may not have taken action back then. It also covers some more recently resolved vulnerabilities.
Sitefinity 13.0 is secure and requires no action. Versions 10.2 to 12.2 need minimal intervention on your part, and the article describes an automated process to update a relevant security setting in your project.
For versions 7.0 through 10.1, applying the latest available patch is highly recommended for those who haven’t yet got it.
Security Advisory Resolving Security Vulnerability CVE-2014-2217, CVE-2017-11317, CVE-2017-11357, CVE-2017-9248 in Sitefinity
Lastly, the evergreen How to Apply the Latest Available Sitefinity Patch article was also updated, being a convenient resource for everyone who wants to keep their CMS protected and up to date.
As in every software system, the upgrade process is a necessity that should not be taken lightly. The importance of keeping your project secure cannot be overstated. Before we wrap it up, here’s a quick rundown of the best practices to observe if you want the maximum security.
Bottom line, make sure you upgrade to the latest official release in a timely manner or, as a minimum, apply the latest patch for your product version. Stay on top of what’s new, plan accordingly and set time aside to apply updates. This should become a routine. It's never the wrong time to do the right thing.
A Sitefinity Product Marketer, Anton has a mixed background of software and writing for the web. He has spent the last 10 years in software development, on the project management and product ownership side, all the while writing about technology, gadgets and their use and usability. He is always trying to get to the bottom of things without missing the bigger picture.