DNN Community Blog


Critical Security Update - June 2017

Our security team was recently informed of a security vulnerability in a third-party component suite that is used within DNN Products. It is critical that you follow the instructions provided in this post to ensure that your site isn’t compromised.

This vulnerability affects all versions of Evoq and DNN Platform.

In order to protect your site, you will need to download and install the Security Patch. You will install this package just like any other module in your site. Please follow the instructions in our documentation center for how to install an extension.

Essential Resources:

Please do not wait to protect your site. It will only take a few minutes to install the patch. For Evoq customers, the Customer Support Team is also available to address any questions that you may have.


Frequently Asked Questions

What versions of DNN products are affected by this issue?
All DNN products since DNN 5.2 are affected. However, this patch only applies to versions 7.1.2 and higher.

What if I’m on a version older than 7.1.2?
There are other security vulnerabilities in versions prior to 7.1.2. This patch alone will not protect your site. You must upgrade to a newer version for this patch to work properly. Evoq customers may contact support for more information.

How do I install this patch?
You will install this patch just like any other module or extension. Please follow the steps outlined in our documentation center for installing modules.

What will happen if I don’t install this patch?
This patch is necessary to ensure that your site is secure. Failure to install this patch may compromise the security of your site.

Is it possible that my site has already been compromised?
We recommend using DNN’s Security Analyzer to check if your site has been compromised. Evoq customers may contact customer support for more details.

How do I access the Security Analyzer tool?
In version 9, you can access the Security Analyzer from Settings > Security > Security Analyzer. Older versions should download and install the Security Analyzer tool.
https://github.com/DNNCommunity/SecurityAnalyzer/releases

Where is the Security Bulletin about this issue?
We will post a security bulletin within the next week. We want to ensure that DNN customers have time to patch their sites properly.

What if I have more questions?
Evoq customers may create a support ticket to ask additional questions. Other DNN users may send an email to [email protected]

Comments

T. Philip Perlman
Thanks, Will! I don't usually check the blog, but why isn't this in the security center? And why in this day and age doesn't DNN offer email alerts about security warnings? I check nearly every day, but I am sure that most devs don't.
T. Philip Perlman Thursday, June 22, 2017 12:38 PM
Will Morgenweck
Hi Philip,
We won't be posting a security bulletin for another week or so. We want to give people ample time to install the patch. I hear you about the email alerts. We will improve this moving forward.

-Will
Will Morgenweck Thursday, June 22, 2017 2:41 PM
Craig Mitchell
Hi Will,
I noticed under the Security Analyzer it's now showing

CheckDefaultPage : Check if default.aspx or default.aspx.cs files have been modified

I also installed the latest Security Analyzer from Github. Is this right?
Craig Mitchell Sunday, June 25, 2017 6:17 AM
Daniel Mettler
Thanks for the heads up - this will allow all in the community to protect their customers before the details become public. Great work!
Daniel Mettler Monday, June 26, 2017 7:03 AM
Jim Woodruff
Hi Will,

I was able to get the hotfix installed and working on three DNN 7.4.2 sites I manage, but a fourth one (based on the same 7.4.2 and theme / module packages) is throwing a "critical error" when attempting to access any HTML module. Last Friday I emailed your tech / security support staff, but haven't gotten a response. I've also tried posting on the community forums. Thanks for any help you guys can offer.
Jim Woodruff Wednesday, June 28, 2017 11:08 AM
CERT Coordination Center
Would we be correct in assuming that this patch addresses CVE-2017-9248? Additionally, is it in any way related to CVE-2014-2217?

It would be helpful to add CVE numbers to the release notes.
CERT Coordination Center Tuesday, July 18, 2017 3:04 PM
