Security Bulletin SC2024-001-619349 Is Needed for Your CM/Standalone Instances

A critical vulnerability has been announced that allows unauthenticated file reads on a CM or Standalone instance. It is recommended that this patch be installed on all instances from the 8.0 initial release through the 10.4 initial release.

The patch is available at the Sitecore support portal, and includes the following files:

  • Sitecore.Support.619349.config
  • Sitecore.Support.619349.dll

The convenient thing about these patches is that they're packaged with the right folder structure. Support recommends the config file go into the zzz folder, etc., so all you have to do is extract the package into the web root.

Once done, your instance will of course restart, and I recommend checking the logs to ensure the new assembly is listed in the startup section.

The details of the fix are not disclosed, but are in the Sitecore.Support.Resources.Pipelines.ResolveScript namespace.
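Since the bulletin only asks you to check that the two files landed and that the assembly shows up in the startup log, here is a small post-install check for that. This is an added example, not code from the post or from Sitecore; the web root, log folder and the `App_Config\Include\zzz` location of the config are assumptions about a typical layout and should be adjusted to your instance.

```powershell
# Added example: verify the SC2024-001-619349 patch files are in place and that
# the new assembly appears in the most recent Sitecore startup log.
# Assumptions (not from the bulletin): web root and log folder paths below, and
# that the config was extracted to App_Config\Include\zzz (the "zzz folder").
param(
    [string]$WebRoot = 'C:\inetpub\wwwroot\sc104.local',
    [string]$LogDir  = 'C:\inetpub\wwwroot\sc104.local\App_Data\logs'
)

$patchFiles = @(
    (Join-Path $WebRoot 'bin\Sitecore.Support.619349.dll'),
    (Join-Path $WebRoot 'App_Config\Include\zzz\Sitecore.Support.619349.config')
)

$ok = $true
foreach ($f in $patchFiles) {
    if (Test-Path -LiteralPath $f) {
        # FileVersion is empty for the .config; it is only informative for the DLL.
        $ver = (Get-Item -LiteralPath $f).VersionInfo.FileVersion
        Write-Host "[OK]   $f $ver"
    } else {
        Write-Warning "[MISS] $f"
        $ok = $false
    }
}

# The newest log.*.txt holds the startup section written after the restart,
# which lists the assemblies loaded from bin; the patch DLL should be among them.
$log = Get-ChildItem -Path $LogDir -Filter 'log.*.txt' -ErrorAction SilentlyContinue |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $log) {
    Write-Warning "No log files found in $LogDir"
    $ok = $false
} else {
    $hits = Select-String -LiteralPath $log.FullName -Pattern 'Sitecore\.Support\.619349'
    if ($hits) {
        Write-Host "[OK]   $($log.Name) references the patch assembly ($(@($hits).Count) line(s))"
        @($hits) | Select-Object -First 3 | ForEach-Object { Write-Host "       $($_.Line.Trim())" }
    } else {
        Write-Warning "[MISS] $($log.Name) does not mention Sitecore.Support.619349; confirm the instance restarted"
        $ok = $false
    }
}

if (-not $ok) { exit 1 }
```

A non-zero exit code makes the check easy to wire into a deployment pipeline so a missing file or a missed restart fails the release.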


Don't Forget to Manage Your Sitecore Instance Following Best Methods

As always, I recommend completing all security hardening steps for Sitecore, and for any CMS really. One of those steps is to keep the CM from being publicly accessible, so if you've already been doing that you're not vulnerable. Regardless, this patch should be installed in case your security restrictions are disabled by mistake, etc.