Hello,
We have a installation of DNN Platform (Version: 07.03.03 (118)) and our security auditor found a remote code execution (RCE) vulnerability that allows an unauthenticated attacker to execute arbitrary commands (with server privileges). This is due to an outdated Telerik Version (Telerik Web UI 2013.2.717.40). The issue got CVE-2017-9248 and details can be viewed here: https://nvd.nist.gov/vuln/detail/CVE-2017-9248
Is there a way to update/upgrade telerik without upgrading the DNN in order to avoid that vulnerability?
Posted By Alexandru Ionescu on 23 Jul 2020 09:11 AM Hello, We have a installation of DNN Platform (Version: 07.03.03 (118)) and our security auditor found a remote code execution (RCE) vulnerability that allows an unauthenticated attacker to execute arbitrary commands (with server privileges). This is due to an outdated Telerik Version (Telerik Web UI 2013.2.717.40). The issue got CVE-2017-9248 and details can be viewed here: https://nvd.nist.gov/vuln/detail/CVE-2017-9248 Is there a way to update/upgrade telerik without upgrading the DNN in order to avoid that vulnerability?
You should really upgrade to DNN 9. This security vulnerability is not the only issue found since DNN 7 came out. And yes you can install newer Telerik DLLs but you will still have the other issues found in DNN 7 to worry about.
Two additional notes.
1.) Per the security policy please do not post details of security issues here in the forum. But direct questions to [email protected]
2.) Upgrading Telerik is actually not easily possible without hundreds of code changes, including a fork to the DNN project due to breaking changes. You will additionally need your own license
These Forums are dedicated to the discussion of DNN Platform.
For the benefit of the community and to protect the integrity of the ecosystem, please observe the following posting guidelines:
Awesome! Simply post in the forums using the link below and we'll get you started.