When I took over as the technology group leader, one of my primary goals was to remove our dependency on Telerik. Over the past few years, we have worked to improve security where we can, providing patches, disabling certain Telerik features, and making general recommendations on how to monitor websites. However, the true solution is to rid the DNN Platform of Telerik entirely. As part of DNN Platform 9.8.0 and later this can be completed optionally, and we will make it a mandatory process in the 10.0.0 release. This is a HUGE milestone for everyone in the DNN Ecosystem, and the journey to get here has been a bit wild.
A Little Backstory
I feel that it is important to give a little backstory as to how the Telerik situation came about. Years ago, in the early 5.x days, DNN Corporation and Telerik entered into an agreement where DNN would include a copy of Telerik, and any developer could use the controls as long as they utilized the wrappers that DNN created to expose Telerik. If you wanted to utilize the controls directly, you still needed a valid license from Telerik.
This was seen as a great deal and initially resulted in some nice improvements in functionality to DNN, as the other alternatives at the time were somewhat limited. As time went on, something happened with that relationship, and at one point during 2013 Telerik stopped allowing the usage of new editions.
This has been the problem: DNN has been stuck on a 2013 version of Telerik, and Telerik itself had no desire to assist us. Further to this, after taking over as the Technology leader I reached out to Telerik and learned that the custom source code for the DNN version was actually lost and they truly couldn't help.
A Herculean Effort
Issues have been logged in the DNN issue tracking systems since 2013 with individual steps to unravel and remove the Telerik dependencies. As time has progressed, certain suggestions have been provided by Telerik with their issued CVEs, and the DNN project has implemented all of these. However, they are not enough to stop all of the pathways where risks exist.
It isn't only internal DNN references that need to be considered, either: many third-party modules, including many of the older "Core Modules," had utilized these controls. As project leaders, we had to identify all of the usage points, document their removal, and communicate the risks to others. Then it was on to tackle all of the changes within the DNN Platform.
The last of these areas was within the Digital Asset Manager (DAM) module, which provides the management experience for Site & Global assets. This is one of the more complex functions within the platform, and issues in this area could have devastating impacts on the rest of the platform. We have been working for close to 2 years to identify, scope, and build a replacement for the Digital Assets Module as the final piece of the puzzle, and we are able to include it in 9.8.0 as an optional component.
Securing Your Site with 9.8.0 & Later
With all of this said, the most important aspect to understand is that starting with 9.8.0 we are publishing optional steps that will allow the complete removal of Telerik from DNN. These steps are included with the release notes, and should ONLY be attempted after successful backups have been validated, in case your installation has an unknown dependency on Telerik.
I STRONGLY recommend that EVERYONE do this as soon as possible once the final version of 9.8.0 is released. By following these steps you will see a number of improvements:
- Reduced memory load within your website
- Improved performance, with reduced page payload
- Closing of multiple security holes
A Helpful Tool
In an effort to help those unsure whether they have modules that depend on Telerik, I have released a utility module, the DNN Telerik Identifier, that inspects your DNN installation for possible references to Telerik. It is NOT a guaranteed analysis, but it will help find the most critical dependencies on Telerik.
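To illustrate the kind of inspection the DNN Telerik Identifier performs, here is an added standalone audit script. It is not the module's code and is not part of the original post; it simply walks a DNN installation folder and reports Telerik assemblies in `bin`, Telerik handler entries in `web.config`, and `<%@ Register %>` directives in pages and controls that point at the `Telerik.Web.UI` assembly. The folder layout it builds is a constructed sample for demonstration, and the file names and text patterns it searches for are assumptions about typical Telerik usage rather than a complete list, so, like the module, it is a starting point and not a guaranteed analysis.

```python
"""Audit a DNN installation folder for references to the Telerik controls.

Added example, not the DNN Telerik Identifier module. The patterns below are
assumptions about how Telerik is typically referenced, not an exhaustive list.
"""
import re
import tempfile
from pathlib import Path

# Text files worth inspecting line by line; binaries are matched by name only.
TEXT_EXTENSIONS = {".config", ".ascx", ".aspx", ".master", ".cs", ".vb", ".dnn", ".js"}

# Case-insensitive indicators of a Telerik dependency (assumed typical usage):
#  - the Telerik.Web.UI namespace/assembly in code or Register directives
#  - the Telerik.Web.UI.WebResource.axd handler registered in web.config
TEXT_PATTERNS = [
    re.compile(r"Telerik\.Web\.UI", re.IGNORECASE),
    re.compile(r"Telerik\.Web\.UI\.WebResource\.axd", re.IGNORECASE),
    re.compile(r'Assembly="Telerik', re.IGNORECASE),
]
# Any Telerik.*.dll dropped into bin is a dependency regardless of who uses it.
DLL_PATTERN = re.compile(r"^Telerik\..*\.dll$", re.IGNORECASE)


def scan_text_file(path):
    """Return (line number, stripped line) for every line matching a pattern."""
    hits = []
    try:
        lines = path.read_text(encoding="utf-8", errors="replace").splitlines()
    except OSError:
        return hits  # unreadable file: skip rather than abort the whole audit
    for number, line in enumerate(lines, start=1):
        if any(pattern.search(line) for pattern in TEXT_PATTERNS):
            hits.append((number, line.strip()))
    return hits


def find_telerik_references(root):
    """Walk the install folder and collect every Telerik assembly or text reference."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        relative = path.relative_to(root).as_posix()
        if DLL_PATTERN.match(path.name):
            findings.append({"file": relative, "kind": "assembly", "line": 0, "text": path.name})
            continue
        if path.suffix.lower() in TEXT_EXTENSIONS:
            for number, text in scan_text_file(path):
                findings.append({"file": relative, "kind": "reference", "line": number, "text": text})
    return findings


def build_sample_install(root):
    """Create a constructed, minimal DNN-like folder layout (not a real site)."""
    root = Path(root)
    (root / "bin").mkdir(parents=True, exist_ok=True)
    # Placeholder bytes, not real assemblies; only the file names matter here.
    (root / "bin" / "Telerik.Web.UI.dll").write_bytes(b"MZ placeholder (constructed)")
    (root / "bin" / "DotNetNuke.dll").write_bytes(b"MZ placeholder (constructed)")
    (root / "web.config").write_text(
        "<configuration>\n"
        "  <system.webServer><handlers>\n"
        '    <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd" '
        'verb="*" type="Telerik.Web.UI.WebResource" />\n'
        "  </handlers></system.webServer>\n"
        "</configuration>\n",
        encoding="utf-8",
    )
    # A constructed module that registers Telerik directly ...
    module = root / "DesktopModules" / "SampleModule"
    module.mkdir(parents=True, exist_ok=True)
    (module / "View.ascx").write_text(
        '<%@ Control Language="C#" %>\n'
        '<%@ Register TagPrefix="telerik" Namespace="Telerik.Web.UI" Assembly="Telerik.Web.UI" %>\n'
        '<telerik:RadGrid runat="server" ID="grid" />\n',
        encoding="utf-8",
    )
    # ... and one that uses only standard ASP.NET controls and should not be flagged.
    clean = root / "DesktopModules" / "CleanModule"
    clean.mkdir(parents=True, exist_ok=True)
    (clean / "View.ascx").write_text(
        '<%@ Control Language="C#" %>\n<asp:GridView runat="server" ID="grid" />\n',
        encoding="utf-8",
    )
    return root


def run_demo():
    """Build the constructed sample in a temp folder and audit it."""
    root = build_sample_install(tempfile.mkdtemp(prefix="dnn-sample-"))
    return find_telerik_references(root)


if __name__ == "__main__":
    # Point find_telerik_references at a real site root to audit it instead.
    for finding in run_demo():
        print(f"{finding['kind']:9} {finding['file']}:{finding['line']}  {finding['text']}")
```

Run it against a real site root with `find_telerik_references(r"C:\inetpub\wwwroot\MySite")` before attempting the removal steps from the release notes; any hit under `DesktopModules` points at a third-party or legacy module that will need attention (or a vendor update) once the Telerik assemblies are gone.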
With this release, we can return to focusing effort on other strategic initiatives for the DNN Platform. When we release 10.x, the optional steps included in this release will be performed automatically for all users, to ensure that the platform stays as secure as possible going forward.
I wish we had gotten to this point much sooner. However, we are here, and we can be proud of what we have accomplished and look on to the future; schedules do not always go as planned with Open Source software.
Traditionally we would NOT discuss security items as publicly as we are with this one. However, the associated risks and the exploits have been public knowledge for more than 4 years, so we are erring on the side of caution to reach as many people as possible.