DNN / Telerik Security Patch Released - September 2017

 
On Thursday, September 14, 2017, DNN Corp identified another security vulnerability in the Telerik component suite in use in all DNN products since DNN 5.6.3. To keep customers safe, exact details of the vulnerability were not released but the IDs for the related NIST Common Vulnerabilities and Exposures were provided:
 
CVE-2017-11317
CVE-2017-11357
CVE-2014-2217
 
DNN has released a security patch in the form of a module which will correct the issue, and it is recommended that the module be installed as soon as possible.
 
HOW MANAGED.COM PROTECTS YOU: Our team has implemented a way to apply the patch through our Control Suite product. If you are hosted by us in our shared-hosting environment, we will be implementing the patch for you. If you have a dedicated server with us that has Control Suite installed on it, you will also be protected by us administering the patch automatically. For those customers in a web-farm environment, the patch will need to be administered manually.
 
DNN released information about the patch including a brief FAQ which can be found at this post. In it they detail how to install the patch and recommend using their Security Analyzer tool to verify whether a site is protected from this and other known vulnerabilities.

Have a shared hosting website with us? You’re covered, depending on your version of DNN

As soon as the details of the vulnerability were made available, our team immediately assembled to come up with a solution that would best protect our customers. To avoid technical difficulties which may compromise the performance of your site or server, we are rolling out the fix server-by-server over the next 48 hours.
 
If you have a shared hosting website plan with us and your site is DNN 7.1.2 or later, your site will be protected by September 20, 2017. We have begun implementing the module as provided by DNN Corp at the server level on all of our shared hosting servers and your site will be safe from this vulnerability. You can verify if your site has the update installed by checking with the latest release of the DNN Security Analyzer.
 
If you have a shared hosting website plan with us and your site is DNN 5.6.3 through DNN 7.1.1, you will need to manually install the security patch as there may be compatibility issues with older sites. Full details can be found in the DNN Corp press release.
 
While implementing this fix protects against this specific Telerik vulnerability, sites older than DNN 8.x are susceptible to several other vulnerabilities, and it is still recommended that your site be updated to DNN 8.x or DNN 9.x. You may attempt to update the site yourself or initiate a Support ticket with our team to upgrade your site for you using our Standard Upgrade service or Staged Upgrade service.
 

Have a dedicated server or VPS plan with us? If you have Control Suite, our fix will be applied depending on DNN version.

As soon as the details of the vulnerability were made available, our team immediately assembled to come up with a solution that would best protect our customers. To avoid technical difficulties which may compromise the performance of your site or server, we are rolling out the fix server-by-server over the next 48 hours.
 
If you have a site on a dedicated server/VPS with us that has Control Suite, your sites which are DNN 7.1.2 or later will be protected by September 20, 2017. We have begun implementing the module as provided by DNN Corp at the server level on all of our Dedicated and VPS servers running Control Suite and your sites will be safe from this vulnerability. You can verify if your site has the update installed by checking with the latest release of the DNN Security Analyzer.
 
If you have a site on a dedicated server/VPS with us that has Control Suite and your site is DNN 5.6.3 through DNN 7.1.1, you will need to manually install the security patch as there may be compatibility issues with older sites. Full details can be found in the DNN Corp press release.
 
While implementing this fix protects against this specific Telerik vulnerability, sites older than DNN 8.x are susceptible to several other vulnerabilities, and it is still recommended that your site be updated to DNN 8.x or DNN 9.x. You may attempt to update the site yourself or initiate a Support ticket with our team to upgrade your site for you using our Standard Upgrade service or Staged Upgrade service.
 

Have a dedicated server or VPS plan with us that does not have Control Suite (such as a web farm)?

The module provided by DNN Corp for the fix can be applied by a SuperUser as with any other module installation. Managed.com is happy to assist with this, but for us to help you will need to provide appropriate credentials for your site, and we ask that you request this through our normal ticket process. The appropriate security patch can be found through this link along with additional information about the vulnerability. If you need assistance from the Support team, please reach out and we will be happy to provide advice and answer questions along the way.

Any questions? We’re here for you

If you have any further questions about DNN or this critical security update, feel free to open a ticket or contact us through the normal means.
 
We will work with you to help protect you, your server, and your customers.
 
 

Works Cited / For Further Reading:
DNN / DotNetNuke / Evoq — Secure and Latest Versions. (Managed.com)
DNN Critical Security Update. (DNN Software)