DNN Forums


Telerik.Web.UI vulnerable - need upgrade!

New Around Here

SOS!
My site was disabled on hosting because it contains a vulnerable component:
Telerik.Web.UI, Version=2013.2.717.40, Culture=neutral, PublicKeyToken=121fae78165ba3d4

The problem is described here:
https://know.bishopfox.co...cution-in-telerik-ui

I have to update the CMS so that this library is updated to version 2019.3.1023 or later.

My site version is DNN 9.5 now.

How do I do this? Help please!

The site was subjected to a serious, massive attack via a vulnerable Telerik.
Telerik is (deeply) involved even in DNN version 9.5.
It turns out that many sites may be under threat of attack now!

New Around Here

I'm in the same boat. Our security team is demanding that at least version 2020.1.114 be installed. Any updates on when this will be addressed?

Veteran Member

Hi Cary,

Not sure what you are looking for. The issue raised earlier in this thread has been taken care of in DNN versions after that. If you feel you have discovered a new vulnerability, please email your findings to [email protected]

Regards,
Tycho de Waard

Tjep's digital agency
We just love DNN
https://www.tjeps.com

New Around Here

Our security department is concerned about https://www.telerik.com/s...zer-deserialization. I've applied every security update supplied for DNN, but they want us to be on at least Telerik R1 2020 (2020.1.114) or later. I just had a meeting this morning about it with our head of IT Security.

Veteran Member

Which version of DNN are you using?

Telerik is a known issue, and the DNN Community is working to eliminate it completely.

At this point (and I'm sure that people will jump in here with a more complete story) I believe that you can't completely eliminate Telerik, but you can minimize it. I believe that the problem is getting a suitable File Manager in place, and I do believe that it is close.

In the meantime:
- Upgrade to the latest version of DNN.
- Make sure that you are using the CK Editor, and uninstall the Telerik HTML Editor Provider.
- I believe that there are a couple of other Telerik-related items that you can remove by editing web.config. (Don't trust me entirely on that, or wait for some more advice.)

And, keep checking in here for news as it develops.
First, make sure th
Joe Craig
DNN MVP
Patapsco Research Group

New Around Here

We are on 9.7.2, now.

Veteran Member

AFAIK all known attack vectors for Telerik have been removed in 9.7.2.
(So the vulnerable parts of it are not used by DNN or not accessible from the outside any more.)
In the near future Telerik will be removed completely.

Veteran Member

For what it's worth, DNN 9.8.0 includes the ability to remove Telerik completely. You will be able to do this if you don't have any modules that require it.

You can test things out now using the DNN 9.8.0 rc2 package. Read the release notes for details.
Joe Craig
DNN MVP
Patapsco Research Group

New Around Here

The Telerik.Web.UI is vulnerable to exploit attack. We have had several websites hacked where multiple malicious files were uploaded. This was even after we had installed the latest upgrades - DNN 9.8.0.

Telerik acknowledges that the Telerik.Web.UI is vulnerable and the latest version Telerik R1 2020 (2020.1.114) must be installed to prevent a hack. Because Telerik no longer ships with DNN by default, the version that we have is 2013, and if we want to continue using Telerik then we would need to purchase the latest version.

We therefore removed the two Telerik dlls. However, the DNN File manager then falls over because it is still dependent on the Telerik components. But this is preferable to having the sites hacked every few days.

We have already removed the Telerik Radcontrols, but this is not where the vulnerability is.

Veteran Member

The release notes for DNN 9.8.0 contain explicit instructions for removing the Telerik vulnerability.

Per the release notes, the Telerik libraries are not removed when you upgrade, to reduce problems if you have components installed that require them. In that case you should upgrade or uninstall any modules that do still require Telerik. All of the modules that fall into the DNN Community module class (once known as core modules) have been updated so that Telerik libraries are not needed. Many (most?) other third party modules have similarly been modified. When in doubt check with the module vendor. There is also an available tool that you can use to check your installation for Telerik vulnerabilities. I think that it is referenced in the release notes, too.

Finally, the DNN "File Manager" (aka the Digital Assets Manager) has been replaced in DNN 9.8.0 with a Persona Bar extension. You can safely remove the old File Manager and use the PB extension after upgrading.

Check the DNN Community Blog, too, for more information.
Joe Craig
DNN MVP
Patapsco Research Group
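A small audit script, added here as an example and not DNN's own checker or the tool the release notes mention: it reads the Telerik.Web.UI version out of an assembly name like the one quoted in the first post, compares it with the 2019.3.1023 and 2020.1.114 thresholds named in this thread, and then scans a web.config for the Telerik handler registration and the RadEditor HTML editor provider that the replies above suggest removing. The handler and provider names in the constructed web.config sample are assumptions about a typical DNN install.

```python
import re
import xml.etree.ElementTree as ET

# Minimum Telerik.Web.UI versions quoted in the thread.
FIXED_VERSION = (2019, 3, 1023)     # first post: "2019.3.1023 or later"
REQUESTED_VERSION = (2020, 1, 114)  # later replies: "R1 2020 (2020.1.114)"

# Constructed sample: the assembly full name as quoted in the first post.
SAMPLE_ASSEMBLY = ("Telerik.Web.UI, Version=2013.2.717.40, Culture=neutral, "
                   "PublicKeyToken=121fae78165ba3d4")

# Constructed sample web.config fragment; handler and provider names are assumptions.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <handlers>
      <add name="Telerik_Web_UI_WebResource_axd" path="Telerik.Web.UI.WebResource.axd"
           type="Telerik.Web.UI.WebResource, Telerik.Web.UI" />
    </handlers>
  </system.webServer>
  <dotnetnuke>
    <htmlEditor defaultProvider="DotNetNuke.RadEditorProvider">
      <providers>
        <add name="DotNetNuke.RadEditorProvider" type="DotNetNuke.RadEditorProvider.EditorProvider" />
        <add name="DNNConnect.CKE" type="DNNConnect.CKEditorProvider.CKHtmlEditorProvider" />
      </providers>
    </htmlEditor>
  </dotnetnuke>
</configuration>"""

def parse_version(assembly_name):
    """Return (major, minor, build) from an assembly full name, or None."""
    m = re.search(r"Version=(\d+)\.(\d+)\.(\d+)", assembly_name)
    return tuple(int(g) for g in m.groups()) if m else None

def is_patched(assembly_name, minimum=REQUESTED_VERSION):
    """True when the named assembly is at or above the required release."""
    version = parse_version(assembly_name)
    return version is not None and version >= minimum

def telerik_findings(web_config_xml):
    """List web.config entries that still route requests to Telerik or make RadEditor the default editor."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for add in root.iter("add"):  # handler/module/provider registrations
        if "telerik" in (add.get("path", "") + " " + add.get("type", "")).lower():
            findings.append("handler:" + (add.get("path") or add.get("name", "")))
    for editor in root.iter("htmlEditor"):
        if "radeditor" in editor.get("defaultProvider", "").lower():
            findings.append("htmlEditor:" + editor.get("defaultProvider"))
    return findings
```

Run it against a real site's web.config and the assembly name from your host's scan; an empty findings list together with a patched version (or no Telerik.Web.UI.dll in bin at all) is the state the 9.8.0 release notes describe.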