Securing Telerik Component due to security vulnerabilities

Overview

The Telerik component shipped with older versions of DNN has a series of known vulnerabilities. Some of these were covered by a 2017 security update blog article from DNN Corp; others have been disclosed since.

The original patch covered CVE-2017-11317, CVE-2017-11357, CVE-2014-2217, and CVE-2017-9248. These can be fixed with the patch from that blog post and are the focus of this article.

Other known Telerik vulnerabilities (such as CVE-2019-18935) may require upgrading Evoq to a newer version. Telerik may also publish an official fix. The DNN Security Center is the primary reference for DNN Evoq security vulnerabilities and how to fix them.

This article covers applying the security fixes from the blog post; check the DNN Security Center for any other fixes that may be needed.


Solution

NOTE: Evoq moved away from Telerik in version 9.1, and the component is no longer supported. If you are on this version you should be transitioning off Telerik.

The Telerik security patches that do not require a DNN upgrade are available from this security blog post.

The .NET 4.0 version of the fix can be applied to DNN / Evoq versions 7.1.2 and above. It can also be installed on older versions of DNN / Evoq, but you may run into compatibility issues. We always recommend updating DNN to a newer version to stay protected from other known security issues. Visit the Security Center for other known version-specific vulnerabilities.

The .NET 3.5 version can be applied to versions before 7.0.0, although compatibility issues are possible there too. It is best to upgrade DNN / Evoq to a newer version, at least 7.1.2.

Upgrading to DNN Platform 9.1.1, Evoq 9.1.1, or the latest release fixes this issue permanently.

If you would like to continue using Telerik modules past DNN 9.2, follow the steps below. Be aware that this keeps a component in production that is no longer supported, so the patch level described above still has to be maintained and re-checked after every upgrade.

  1. Download the attached DotNetNuke.Web.Deprecated.dll file.
  2. Copy the file into the <WebsiteRootDirectory>/bin directory on your server (back up any existing copy first).
  3. Validate that Telerik is running by checking the dependent modules and extensions; if the step succeeded, they should all work as intended.
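Step 3 above checks that the Telerik-dependent modules still render, but it does not tell you which Telerik assembly you are now running or what of its surface is reachable from the network. The PowerShell script below is an added example, not code from the DNN article or the DNN project: it inventories the relevant assemblies in `bin`, lists the Telerik HTTP handlers registered in `web.config`, and reports whether Telerik's own hardening app settings are present. The site root layout, the assembly names, the handler name prefix and the app-setting key names (taken from Telerik's advisories for CVE-2017-11317 and CVE-2017-9248) are assumptions; the script reports versions and settings, it does not decide what counts as patched, so compare its output with the blog post and the DNN Security Center.

```powershell
# Added example (not part of the DNN article): inventory the Telerik surface of a DNN site
# after applying the patch or copying DotNetNuke.Web.Deprecated.dll into bin.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot   # assumed layout: <SiteRoot>\bin and <SiteRoot>\web.config
)

$bin       = Join-Path $SiteRoot 'bin'
$webConfig = Join-Path $SiteRoot 'web.config'

# 1. Assembly inventory. Record version, timestamp and hash so the state can be compared
#    against the patch files from the blog post and re-checked after the next upgrade.
$assemblies = 'Telerik.Web.UI.dll', 'DotNetNuke.Web.Deprecated.dll', 'DotNetNuke.dll'
$inventory = foreach ($name in $assemblies) {
    $path = Join-Path $bin $name
    if (Test-Path $path) {
        $item = Get-Item $path
        [pscustomobject]@{
            Assembly     = $name
            Present      = $true
            FileVersion  = $item.VersionInfo.FileVersion
            LastWriteUtc = $item.LastWriteTimeUtc
            Sha256       = (Get-FileHash $path -Algorithm SHA256).Hash
        }
    } else {
        [pscustomobject]@{
            Assembly = $name; Present = $false; FileVersion = ''; LastWriteUtc = ''; Sha256 = ''
        }
    }
}
$inventory | Format-Table -AutoSize

# 2. Telerik HTTP handlers registered in web.config (IIS integrated and classic pipeline).
#    These are the externally reachable entry points the listed CVEs go through.
#    Assumption: DNN registers them with a type or path starting with "Telerik.".
[xml]$cfg = Get-Content $webConfig -Raw
$telerikHandlers = @($cfg.SelectNodes('//handlers/add | //httpHandlers/add') |
    Where-Object { ($_.type -like 'Telerik.*') -or ($_.path -like 'Telerik.*') } |
    ForEach-Object { [pscustomobject]@{ Path = $_.path; Type = $_.type; Verb = $_.verb } })
"Telerik handlers registered: $($telerikHandlers.Count)"
$telerikHandlers | Format-Table -AutoSize

# 3. Telerik's documented hardening keys (assumption: the appSettings names Telerik's own
#    advisories use). A missing or empty key means the component falls back to defaults.
$hardeningKeys = 'Telerik.AsyncUpload.ConfigurationEncryptionKey',
                 'Telerik.Upload.ConfigurationHashKey',
                 'Telerik.Web.UI.DialogParametersEncryptionKey'
foreach ($key in $hardeningKeys) {
    $node  = $cfg.SelectSingleNode("//appSettings/add[@key='$key']")
    $state = if ($null -eq $node) { 'MISSING' }
             elseif ([string]::IsNullOrWhiteSpace($node.value)) { 'EMPTY' }
             else { 'set' }
    '{0,-50} {1}' -f $key, $state
}

# 4. The article's step 1: past DNN 9.2 the Telerik modules need DotNetNuke.Web.Deprecated.dll.
#    Flag the case where Telerik is present but that assembly is not.
$telerik    = $inventory | Where-Object Assembly -eq 'Telerik.Web.UI.dll'
$deprecated = $inventory | Where-Object Assembly -eq 'DotNetNuke.Web.Deprecated.dll'
if ($telerik.Present -and -not $deprecated.Present) {
    Write-Warning 'Telerik.Web.UI.dll is present but DotNetNuke.Web.Deprecated.dll is missing from bin.'
}
```

Run it as `.\Inventory-TelerikSurface.ps1 -SiteRoot 'C:\inetpub\wwwroot\dnn'` (assumed path) from an elevated prompt on the web server, and keep the output with your change record: the hash and timestamp of `Telerik.Web.UI.dll` are what lets you prove, after a later DNN upgrade, that the patched assembly was not silently replaced by an older one.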
