Sitecore XP RCE Flaw Patched Last Month Now Actively Exploited

The Australian Cyber Security Center (ACSC) is alerting web admins of the active exploitation of CVE-2021-42237, a remote code execution flaw in the Sitecore Experience Platform (Sitecore XP).

Sitecore XP is an enterprise-level content management system with data analytics (CMS) used by well-known companies, including American Express, IKEA, Carnival Cruise Lines, L’Oréal, and Volvo.

On October 13th, Sitecore disclosed and released a patch for a pre-authentication remote code execution vulnerability tracked as CVE-2021-42237 affecting the Sitecore Experience Platform.

Also Read: AI Auditing Framework: Draft Guidance for Organizations

Last week, cybersecurity firm Assetnote published a technical write-up on vulnerability allowing hackers to use the details to create exploits and actively exploit vulnerable websites.

“There is active exploitation of a vulnerability occurring in certain versions of Sitecore Experience Platform systems. Affected Australian organisation should apply the available security update,” warned the ACSC in a new advisory released Friday.

The vulnerable Sitecore XP component used in the attacks is Report.ashx, which provides a high-level view of analytics, engagement, and SEO success.

“This issue is related to a remote code execution vulnerability through insecure deserialization in the Report.ashx file. This file was used to drive the Executive Insight Dashboard (of Silverlight report) that was deprecated in 8.0 Initial Release,” explains Sitecore in their security advisory.

The vulnerability does not require authentication, and it allows any remote attacker to exploit a vulnerable server and gain complete control over it.

However, after Microsoft deprecated Silverlight, this Sitecore XP functionality was deprecated in version 8.0, causing only specific platform versions to be affected by the vulnerability.

The Sitecore XP versions affected by the RCE vulnerability are:

• Sitecore XP 7.5 Initial Release – Sitecore XP 7.5 Update-2
• Sitecore XP 8.0 Initial Release – Sitecore XP 8.0 Update-7
• Sitecore XP 8.1 Initial Release – Sitecore XP 8.1 Update-3
• Sitecore XP 8.2 Initial Release – Sitecore XP 8.2 Update-7

This vulnerability affects all versions of Sitecore XP, including all “single-instance and multi-instance environments, Managed Cloud environments, and all Sitecore server roles (Content Delivery, Content Editing, Reporting, Processing, etc.), which are exposed to the Internet.”

Also Read: How to Make Data Protection Addendum Template in Simple Way

The recommended solution is to upgrade to a secure version, ideally Sitecore XP 9.0 or higher.

Alternatively, you can mitigate the flaw by deleting the Report.ashx file from “/sitecore/shell/ClientBin/Reporting/Report.ashx“on all server instances.

For more details on mitigating the Sitecore XP CVE-2021-42237 vulnerability and how it affects your installed version, you can review Sitecore’s security bulletin.