We are releasing Silverstripe CMS Recipe 4.11.1. The primary purpose of this release is to address 9 vulnerabilities in Silverstripe CMS. These vulnerabilities were all confidentially reported to us. We are not aware of any attempt to exploit them prior to the official disclosure today.
- 1 vulnerability has been judged to be “high impact”.
- 7 vulnerabilities are marked as “medium”.
- 1 vulnerability is marked as “low”.
The 9 security patches in this release were reviewed by an independent auditor to ensure they properly address the vulnerabilities.
What about this high impact vulnerability?
The high impact vulnerability is what is known as an “SQL injection”. SQL is a language used to interrogate a database. An attacker can exploit an SQL injection vulnerability by “injecting” an SQL statement into a parameter sent to a website to retrieve information they should not have access to.
This specific SQL injection vulnerability is partially mitigated by the fact that an attacker must have access to a CMS member account to exploit the vulnerability. This vulnerability can NOT be exploited at will.
What if I’m still on Silverstripe CMS 4.10?
CMS 4.10 is affected by the vulnerabilities in this release. We recommend you upgrade your dependencies to silverstripe/framework 4.10.11 to stay protected.
Our policy is to patch high impact vulnerabilities in all supported Silverstripe CMS releases, including those in “limited support”. Because this vulnerability is high impact, we are also backporting the fix to Silverstripe CMS 4.10.
What if I’m on Silverstripe CMS 4.11?
We recommend you upgrade to 4.11.1 to stay protected.
What about the other vulnerabilities?
The other 8 vulnerabilities are “Cross Site Scripting” vulnerabilities, colloquially known as “XSS” vulnerabilities.
Some aspects limit the impact of these 8 XSS vulnerabilities.
- If the legitimate user targeted by the attack has limited access, actions beyond this user’s permission won’t be executed.
- All 8 vulnerabilities require access to the CMS and/or tricking a legitimate CMS user into performing a specific action (e.g. clicking a link):
  - 4 require access to the CMS
  - 2 require tricking a CMS user into performing a specific action
  - 2 require both CMS access and tricking a CMS user
- 1 vulnerability can be completely mitigated if your production site is properly configured to not display PHP warnings in the browser.
Planning your upgrade
We recommend all Silverstripe CMS projects upgrade as soon as possible.
If you are not in a position to immediately apply all patches and need to prioritise your efforts, we recommend deploying the patch for the high impact SQL injection vulnerability first. This patch is available on both Silverstripe CMS 4.10 and 4.11. So if your site is still on Silverstripe CMS 4.10, you do not need to perform a minor upgrade to apply this patch. The risk of regression with this patch is extremely low.
The other vulnerabilities have medium or low impacts and require you to be on Silverstripe CMS 4.11. In this context, it can be reasonable to spend a bit more time doing a risk analysis and performing regression testing, especially if you have to perform a minor upgrade to get those patches.
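To see which minor series a project is on and whether its pinned packages already carry these patches, here is a small check over a project's composer.lock. It is an added example, not Silverstripe's own tooling, and it assumes that the 4.10 series is measured against silverstripe/framework 4.10.11 (as stated above) and the 4.11 series against silverstripe/recipe-cms 4.11.1 (the package name is an assumption; the announcement only says "Recipe 4.11.1").

```shell
# Added example (not Silverstripe's tooling): report whether the versions pinned in
# composer.lock meet the patched releases named in this announcement. Assumption:
# 4.10 series -> silverstripe/framework 4.10.11; 4.11 series -> silverstripe/recipe-cms 4.11.1.

# vernum VERSION: map "4.10.11" to 4010011 so dotted versions compare as integers.
vernum() {
    set -- $(printf '%s' "$1" | tr . ' ')   # split "4.10.11" into 4 10 11
    echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
}

# version_ge A B: succeed when version A is at or above version B.
version_ge() { [ "$(vernum "$1")" -ge "$(vernum "$2")" ]; }

# lock_version LOCKFILE PACKAGE: print the version composer.lock pins for PACKAGE
# (the "version" key follows the "name" key inside each package entry).
lock_version() {
    awk -v pkg="\"$2\"," '
        $1 == "\"name\":" && $2 == pkg { found = 1; next }
        found && $1 == "\"version\":" { gsub(/[",v]/, "", $2); print $2; exit }
    ' "$1"
}

# patch_status LOCKFILE: print a verdict; return 0 if patched, 1 if not, 2 if unknown.
patch_status() {
    fw=$(lock_version "$1" silverstripe/framework)
    case ${fw%.*} in                        # minor series of the framework, e.g. "4.10"
        4.10) pkg=silverstripe/framework;  required=4.10.11 ;;   # backported fix
        4.11) pkg=silverstripe/recipe-cms; required=4.11.1 ;;    # assumed package name
        *)    echo "unknown series '$fw'"; return 2 ;;
    esac
    ver=$(lock_version "$1" "$pkg")
    [ -n "$ver" ] || { echo "$pkg not pinned in $1"; return 2; }
    if version_ge "$ver" "$required"; then
        echo "patched ($pkg $ver)"
    else
        echo "vulnerable ($pkg $ver, upgrade to $required)"; return 1
    fi
}

# sample_lock LOCKFILE: write a constructed composer.lock pinning an unpatched 4.10 site.
sample_lock() {
    printf '%s\n' '{' '    "packages": [' '        {' \
        '            "name": "silverstripe/framework",' \
        '            "version": "4.10.9",' '            "source": {}' \
        '        }' '    ]' '}' > "$1"
}

# Check the composer.lock given as the first argument; with no argument, check the sample.
if [ $# -gt 0 ]; then lock=$1; else lock=$(mktemp); sample_lock "$lock"; fi
patch_status "$lock" || status=$?          # verdict is printed; exit code kept for CI use
[ $# -eq 0 ] || exit "${status:-0}"
```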
Risk of regression when upgrading
8 of the 9 patches are targeted at behaviours that have no legitimate use cases whatsoever. The risk of regression for each of those is extremely limited.
The last vulnerability is specific to an unusual file type called GPS Exchange Format (GPX). This is a specialised file type that is rarely used on websites. There’s no way to allow users to upload GPX files without creating a potential risk. We’ve addressed this vulnerability by disallowing this file type in Silverstripe CMS. If you have a need for GPX files in your Silverstripe CMS project, you can explicitly allow them. We recommend performing a risk analysis prior to making this decision.
In the disclosure for each vulnerability, we have highlighted which area is affected by each bug fix. Review the disclosures to better target your regression testing efforts.
Additional bug fixes
The team that looks after Silverstripe CMS regularly publishes patches for individual modules. This allows Silverstripe CMS projects to enjoy a steady stream of bug fixes without having to wait for the next minor release.
If you haven’t upgraded your project dependencies since the Silverstripe CMS Recipe 4.11.0 release back in June 2022, you’ll be getting some non-security related bug fixes when you apply the security patches.
Those patch releases are designed to be very small and low risk. Many other projects will have applied those patches already. Your developers can review the full list of non-security bug fixes since the 4.11.0 release in the changelog. The changelog also includes instructions on how to only upgrade the specific modules that are affected by the vulnerabilities.
Why are there so many vulnerabilities all at once?
This release contains an unusually high number of security patches.
- 7 of the vulnerabilities were reported to us via Huntr.dev.
- 2 were identified internally by a member of the Silverstripe CMS team.
Huntr is an open source bug bounty platform. The Silverstripe CMS team has been engaging more and more with researchers on Huntr. In turn, researchers on Huntr have been incentivised to spend more time looking at Silverstripe CMS to try to find vulnerabilities.
This does mean that we've been receiving a steady stream of potential vulnerability reports over the last few months, which explains the large number of patched vulnerabilities in this release. We are grateful to be collaborating with Huntr and Huntr researchers. This will help harden Silverstripe CMS in the long run, even if it does lead to a greater number of disclosed vulnerabilities in the short term.
We encourage anyone who thinks they may have identified a vulnerability in Silverstripe CMS to confidentially report the security issue back to our team.
What does the Silverstripe CMS team do to keep my site safe?
Silverstripe CMS, like all software, is occasionally affected by vulnerabilities. Silverstripe takes the security of Silverstripe CMS projects seriously. We aim to promptly address any vulnerabilities in a transparent and professional manner by proactively disclosing vulnerabilities and patching them.
If a vulnerability is not actively being exploited “in the wild”, we normally try to ship security patches along with our regular minor releases to minimise upgrade woes for Silverstripe CMS projects. However, our next regular minor release, Silverstripe CMS 4.12, is scheduled just before the Christmas holiday. In this context, we judged that it was preferable to do an out-of-sync security release.
2 weeks prior to the disclosure of a high impact vulnerability, we do a pre-announcement so that people who have a demonstrated need to know can prepare to update promptly. If you are in charge of managing a large Silverstripe CMS website or a substantial number of Silverstripe CMS websites, you can request to join our pre-announcement mailing list.
Keen to get your upgrade underway?
Talk to your Digital Agency or Developer about upgrading
Haven’t got a Developer or Agency? No problem! Browse the Silverstripe CMS Developer Network or the Silverstripe Professional Partner Directory and filter by location to find a Silverstripe CMS Developer near you.
Developers, check out our documentation
This release announcement does not cover the full detail of what is included in the release. Be sure to review the full changelog before planning your next site upgrade.