Securing Telerik Component due to security vulnerabilities

Overview

To resolve the following Telerik component vulnerabilities: CVE-2017-11317, CVE-2017-11357, and CVE-2014-2217, you will need to apply a patch that DNN developed and published in their "Critical Security Update - September 2017" blog post. Customers may also want to keep using their Telerik module in DNN 9 without being forced to upgrade the whole instance.

 

Prerequisites

  • DNN/Evoq versions 5.2.0 up to 9.1.0

 

Solution

NOTE: Evoq has moved away from Telerik in version 9.1, and Telerik is no longer supported; you should be transitioning off Telerik in this version.

The security patches for Telerik that don't force a DNN upgrade are located in this security blog post.

The .NET 4.0 version of the fix can be applied on DNN / Evoq versions 7.1.2 and above. You may install it on older versions of DNN / Evoq as well, but you may run into compatibility issues. We always recommend that you update DNN to a newer version to remain protected from other known security issues. Please visit our Security Center for other known version-specific vulnerabilities.

The .NET 3.5 version can be applied on versions prior to 7.0.0. However, you may have compatibility issues. It's best to upgrade DNN / Evoq to a newer version, at least 7.1.2 or above.

To fix this issue permanently, you can upgrade to DNN Platform 9.1.1 or Evoq 9.1.1, or to the latest version.

If you would like to continue using Telerik modules past DNN 9.2, you must follow the steps below:

  1. Download the attached DotNetNuke.Web.Deprecated.dll file. 
  2. Copy the file into the <WebsiteRootDirectory>/bin directory of your server.
  3. Validate that Telerik is now running by checking the dependent modules and extensions. If successful, they should all be working as intended. 
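One way to carry out steps 1 and 2 with an audit trail and a rollback copy, as an added example that is not part of the original article or DNN's own tooling. The parameter names `$DownloadedDll` and `$WebsiteRoot` are hypothetical, and the script only reports the signature status and hash, since the article publishes no reference values to compare against.

```powershell
# Added example (not from the article). Save as a .ps1 file and run it on the web server.
param(
    [Parameter(Mandatory)] [string] $DownloadedDll,  # assumed: path to the downloaded DotNetNuke.Web.Deprecated.dll
    [Parameter(Mandatory)] [string] $WebsiteRoot     # assumed: the <WebsiteRootDirectory> of the DNN site
)
$ErrorActionPreference = 'Stop'

$name   = 'DotNetNuke.Web.Deprecated.dll'
$binDir = Join-Path $WebsiteRoot 'bin'
$target = Join-Path $binDir $name

if (-not (Test-Path -LiteralPath $binDir -PathType Container)) {
    throw "bin directory not found: $binDir"
}
if ((Split-Path -Leaf $DownloadedDll) -ne $name) {
    throw "Refusing to deploy unexpected file: $DownloadedDll"
}

# Record exactly what is being deployed, for the change log.
$srcHash = (Get-FileHash -LiteralPath $DownloadedDll -Algorithm SHA256).Hash
$sig     = Get-AuthenticodeSignature -LiteralPath $DownloadedDll
$version = (Get-Item -LiteralPath $DownloadedDll).VersionInfo.FileVersion

# Keep a timestamped copy of any existing DLL so the change can be rolled back.
$backup = $null
if (Test-Path -LiteralPath $target) {
    $backup = "$target.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
    Copy-Item -LiteralPath $target -Destination $backup
}

# Clear the "downloaded from the internet" mark, then copy into bin.
# Changing a file in bin makes ASP.NET restart the application.
Unblock-File -LiteralPath $DownloadedDll
Copy-Item -LiteralPath $DownloadedDll -Destination $target -Force

# Confirm the file now in bin is byte-identical to the one that was inspected.
$dstHash = (Get-FileHash -LiteralPath $target -Algorithm SHA256).Hash
if ($dstHash -ne $srcHash) { throw "Hash mismatch after copy: $target" }

[pscustomobject]@{
    Deployed        = $target
    FileVersion     = $version
    SHA256          = $dstHash
    SignatureStatus = $sig.Status
    Backup          = $backup
}
```

After the script completes, continue with step 3 and check the dependent modules and extensions in the site.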

 
