Overview
You are using Evoq v9.1 and have received an alert about an attempted exploit of CVE-2019-18935, a known Telerik vulnerability. While this issue can be fixed by upgrading Evoq to the latest version, you would prefer not to upgrade, to avoid potential issues with discontinued plugins and login.
Important:
As per the report CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI and the National Vulnerability Database entry for CVE-2019-18935, the CVE-2019-18935 vulnerability can be exploited when one of two other vulnerabilities, CVE-2017-11317 or CVE-2017-11357, is also present.
Both CVE-2017-11317 and CVE-2017-11357 vulnerabilities can be fixed by applying the hotfix available in the article Securing Telerik Component due to security vulnerabilities.
Solution
As an alternative to the Evoq update, the recommended solution is to completely remove Telerik from the site. Since other components on your site might depend on Telerik (e.g. Digital Asset Management, Document Viewer), removing it without preparation may cause issues, so it is critical to follow the solution steps precisely.
Notes:
- DNN has moved away from Telerik since v9.1.0 as mentioned in the DNN Release Notes — 2017 Apr 26. Please also check the article Upcoming in v9.1 — Telerik Removal for additional details.
- It is highly recommended to create a full backup of the site and the database before making the suggested changes and to use a test environment to apply the solution before working on the production site.
Solution steps:
- Install the modified DNN Telerik Identifier module attached to this article, which has been adapted to work in v9.1.0. You can follow the guidelines in the article Installing an Extension to install the module.
- Add the Telerik Identifier module to a test page as explained in the Add a Module to a Page via the Persona Bar article and note down any Telerik-dependent components shown by the module (this list is used in Step 3).
Note: this module is from a third-party vendor (Iowa Computer Gurus), and it is recommended to contact the vendor in case of any issues while installing the module. Also, the module might not be able to identify all possible dependencies that could cause issues. That being said, it is a handy tool because it detects the major components that use Telerik, which makes the transition from Telerik to a Telerik-free site easier. This is why we mention the tool even though it is from a third party.
- Once you have identified the modules/components that depend on Telerik, you have three options:
- Remove the module/component entirely from the site.
- Upgrade the module to a non-Telerik-dependent version.
- Replace the module with an alternative that is Telerik-free. You can find the alternatives in DNN Store.
Note: to remove/upgrade/replace the module, please get in touch with the module vendor, since no core component of DNN Evoq v9.6.21 uses Telerik. Hence, all components that still depend on Telerik in the latest version are considered third-party modules and are outside the scope of DNN Support.
- Once the site is free from Telerik-dependent components/modules, remove Telerik from the site by completing the following actions in any order:
- Go to the <Site_Root>\bin directory and delete the Telerik components, namely Telerik.Web.UI.dll and Telerik.Web.UI.Skins.dll.
- Remove the references to Telerik (if any) from the web.config file in the <Site_Root>\bin directory.
- To remove the references, search for "Telerik" in the file and then remove any assembly bindings and <key, value> pairs that reference it.
- Take a complete backup of the database and run the queries below in Persona Bar > Settings > SQL Console.
DELETE FROM Packages WHERE Name LIKE '%Telerik%' AND Name NOT LIKE '%TelerikIdentifier%'
DELETE FROM assemblies WHERE AssemblyName LIKE '%Telerik%' AND AssemblyName NOT LIKE '%TelerikIdentifier%'
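The following PowerShell script is an added example, not part of the original article or of DNN's own tooling. It is a read-only check you can run before and after the removal steps above: it reports any Telerik assemblies left in <Site_Root>\bin (excluding the TelerikIdentifier module, as the SQL above does), lists assembly bindings and appSettings entries in web.config that reference Telerik, and prints SELECT counterparts of the two DELETE statements so you can confirm which rows remain before deleting them. The script name Find-TelerikRemnants.ps1, the -SiteRoot parameter, and the Packages/Assemblies column names (PackageID, Name, AssemblyID, AssemblyName, Version) are assumptions; it checks both <Site_Root>\web.config and <Site_Root>\bin\web.config, whichever exist. Nothing is modified.

```powershell
# Find-TelerikRemnants.ps1 (hypothetical name) - added example, not DNN's own code.
# Report-only audit of a DNN/Evoq site for Telerik remnants; modifies nothing.
param(
    [Parameter(Mandatory = $true)]
    [string]$SiteRoot   # e.g. 'D:\Sites\Evoq' (assumed layout: <Site_Root>\bin, <Site_Root>\web.config)
)

$ErrorActionPreference = 'Stop'
$findings = New-Object System.Collections.Generic.List[string]

# 1. Telerik assemblies still present in <Site_Root>\bin.
#    The two names below are the ones the removal steps call out; anything else
#    matching Telerik*.dll is reported as "additional" so it is not overlooked.
$binPath      = Join-Path $SiteRoot 'bin'
$expectedDlls = @('Telerik.Web.UI.dll', 'Telerik.Web.UI.Skins.dll')
Get-ChildItem -Path $binPath -Filter 'Telerik*.dll' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -notlike '*TelerikIdentifier*' } |
    ForEach-Object {
        $tag = if ($expectedDlls -contains $_.Name) { 'expected' } else { 'additional' }
        $findings.Add("bin: $($_.Name) still present ($tag Telerik assembly, $($_.Length) bytes)")
    }

# 2. References inside web.config: <dependentAssembly> bindings and appSettings <add key value>.
#    Both candidate locations are checked; only the ones that exist are parsed.
$configCandidates = @((Join-Path $SiteRoot 'web.config'), (Join-Path $binPath 'web.config')) |
    Where-Object { Test-Path $_ }
foreach ($configPath in $configCandidates) {
    [xml]$config = Get-Content -Path $configPath -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($config.NameTable)
    $ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')   # namespace used by <assemblyBinding>

    $config.SelectNodes('//asm:dependentAssembly/asm:assemblyIdentity[contains(@name, "Telerik")]', $ns) |
        ForEach-Object { $findings.Add("$configPath : assembly binding for $($_.name)") }

    $config.SelectNodes('//appSettings/add[contains(@key, "Telerik") or contains(@value, "Telerik")]') |
        ForEach-Object { $findings.Add("$configPath : appSettings key '$($_.key)' = '$($_.value)'") }

    # Coarse safety net: count every line mentioning Telerik (handlers, modules, controls
    # are not covered by the two XPath queries above) so nothing slips through silently.
    $lineHits = @(Select-String -Path $configPath -Pattern 'Telerik' -SimpleMatch).Count
    if ($lineHits -gt 0) {
        $findings.Add("$configPath : $lineHits line(s) mention Telerik in total; review each by hand")
    }
}

# 3. Read-only SQL mirroring the WHERE clauses of the DELETE statements in the article,
#    so the rows can be reviewed in Persona Bar > Settings > SQL Console before deletion.
$checkSql = @"
SELECT PackageID, Name, Version FROM Packages
 WHERE Name LIKE '%Telerik%' AND Name NOT LIKE '%TelerikIdentifier%';
SELECT AssemblyID, AssemblyName, Version FROM Assemblies
 WHERE AssemblyName LIKE '%Telerik%' AND AssemblyName NOT LIKE '%TelerikIdentifier%';
"@

if ($findings.Count -eq 0) {
    Write-Output "No Telerik assemblies or web.config references found under $SiteRoot."
} else {
    Write-Output "Telerik remnants found ($($findings.Count)):"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
Write-Output ""
Write-Output "Read-only SQL to confirm remaining package/assembly rows (run in Persona Bar > Settings > SQL Console):"
Write-Output $checkSql
```

Run it as `.\Find-TelerikRemnants.ps1 -SiteRoot 'D:\Sites\Evoq'` (path is a placeholder). A clean report after the removal steps, together with empty result sets from the two SELECT statements, is the confirmation that the Telerik components the alert relates to are no longer loaded by the site.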