A new security patch release is now available for sites on CWP 2.x. It addresses issues with how access to some files stored in the CMS is restricted. All Stack Managers with sites on CWP 2.x should review the impact of the identified issues with their digital agency or internal development team and make a plan to upgrade their sites.
As part of resolving the security issue, the release also includes optional file migration tasks that a development team can run to ensure that potentially vulnerable files are put into the correct protected state.
New patch releases are available now in the following CWP versions:
What should my agency do?
Firstly, make sure you read this update to gain a high-level understanding of the security vulnerability being rectified and find out if your site may be affected.
Then, you need to refer to the release change log announcement for a detailed explanation of how to find out if files in your CMS are exposed and how the migration tasks we’ve outlined can help resolve most scenarios. It is recommended that you discuss this release announcement with your digital agency or internal development team and make a plan to upgrade your site.
This patch release is being made available now, outside of the regular quarterly release cycle, so that the sites most affected can be remedied quickly. Unlike a regular quarterly release, this release has not undergone an external code review. All sites are recommended to upgrade now; however, if you deem your site to be unaffected, you can delay the upgrade until these changes are included in the next quarterly release in June.
What does this release fix?
This release contains fixes that are essential to addressing the CVE-2020-9280 security issue, together with follow-up work from the CVE-2019-12245 security issue that was made available to CWP sites in January.
- Read the CVE-2020-9280 security disclosure
- Read the CVE-2019-12245 security disclosure
With these security issues left unfixed, the access permissions on files in your CMS may not be what you expect, and such files may be accessible to the public by anyone who knows the file URL, e.g. 'https://mysite.govt.nz/assets/submission-folder/my-document.pdf'. Do not rely on the URL being hard to guess: file URLs are routinely leaked through browser history, referrer headers, shared links and search engine indexing. This release stops these issues from occurring and provides file migration tasks to rectify files that may currently be vulnerable.
How can I find out if my site is affected?
Broadly speaking, your site could have files unintentionally exposed to the public if those files were added to your CMS through any method other than uploading them directly through the CMS ‘Files’ area. Common ways files end up in the CMS like this are:
- Through the ‘User defined forms’ feature, where the form includes a file upload field; or
- Through a custom-built form on the front end of the website that allows visitors to upload files.
If your site currently accepts file uploads in either of these ways, or you plan to add them, please read the full release change log announcement to understand the situation further and confirm whether your site is affected.
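A quick way to confirm from the outside whether a file that should be protected is actually being served to the public is to request it with no session cookie and see whether the server answers with a 2xx. The script below is an added example written for this page; it is not part of the CWP release, the Silverstripe migration tasks, or any CWP tooling. The hostnames, paths and status codes in `SAMPLE_RESPONSES` are constructed for an offline dry run and do not describe any real site; to check your own site, pass a text file with one asset URL per line.

```python
"""Anonymous exposure check for CMS asset URLs (added example, not CWP code).

Given asset URLs that are *supposed* to be protected, fetch each one with no
session cookie and report those the server serves with a 2xx status.  A 403
or 404 is what a correctly protected file returns to an anonymous visitor.
"""
import sys
import urllib.error
import urllib.request


def fetch_status(url, timeout=10):
    """Anonymous GET: no cookies, no credentials.  Returns the final HTTP
    status (urllib follows redirects), or None if the request failed outright
    (DNS failure, timeout, refused connection)."""
    req = urllib.request.Request(url, headers={"User-Agent": "asset-exposure-check/1.0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403/404 arrive here; they are NOT exposure
    except urllib.error.URLError:
        return None


def classify(status):
    """Map a final HTTP status to a verdict."""
    if status is None:
        return "unreachable"
    if 200 <= status < 300:
        return "exposed"        # anyone with the URL can read the file
    if status in (401, 403, 404):
        return "denied"         # what a protected file should return
    return "other"              # 5xx etc.: inconclusive, re-check by hand


def find_exposed(urls, fetch=fetch_status):
    """Return a dict verdict -> [urls]; `fetch` is injectable for offline use."""
    report = {"exposed": [], "denied": [], "unreachable": [], "other": []}
    for url in urls:
        report[classify(fetch(url))].append(url)
    return report


# Constructed sample data for an offline dry run.  The second URL has an
# unguessable-looking folder name; that is not protection, only the status
# code decides.  None simulates a request that could not be completed.
SAMPLE_RESPONSES = {
    "https://mysite.govt.nz/assets/submission-folder/my-document.pdf": 200,
    "https://mysite.govt.nz/assets/Uploads/b3c2d1e4/report.docx": 404,
    "https://mysite.govt.nz/assets/hr/policy.pdf": 403,
    "https://mysite.govt.nz/assets/broken/x.pdf": None,
}


def fake_fetch(url):
    """Offline stand-in for fetch_status, answering from SAMPLE_RESPONSES."""
    return SAMPLE_RESPONSES.get(url)


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            urls = [ln.strip() for ln in fh if ln.strip() and not ln.startswith("#")]
        report = find_exposed(urls)
    else:
        report = find_exposed(list(SAMPLE_RESPONSES), fetch=fake_fetch)
    for verdict in ("exposed", "other", "unreachable", "denied"):
        for url in report[verdict]:
            print(f"{verdict:<11} {url}")
    return 1 if report["exposed"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from a network position equivalent to an anonymous member of the public (not from an office range that a WAF or CDN allowlists), and remember that a CDN may keep serving a cached copy of a file after the origin has protected it, so a file that was once public should be purged from the cache as well as re-protected.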
What if my site is not on at least CWP 2.3?
It is highly recommended that you arrange to upgrade to at least CWP 2.3.3 as soon as possible. It is important that you keep your website up to date and on a supported version to avoid exposing your site to undue risk.
Does this security issue affect sites on CWP 1.x (CMS 3.x)?
No, this issue is not known to affect sites on CWP 1.x (CMS 3.x). It is still recommended, however, that you use this prompt to review any files in the CMS that you expect to be protected from the public. CMS 3.x instructions for this can be found in the Silverstripe CMS User Help guide.
Release change log announcement
The release change log announcement provides the full detail of what is included in the release and whether the additional file migration tasks are recommended for your site.
Read the release change log announcement for CMS Recipe 4.5.2 (included in CWP 2.5.2)
You will find similar release notes for CMS Recipe 4.4.6 (included in CWP 2.3.3 and CWP 2.4.1)
If you have further questions
Talk to your digital agency or developer, with reference to the change log announcement.
This patch upgrade and related migration tasks can be carried out by any development team familiar with Silverstripe CMS. If you would like additional assistance, you can request support via the Service Desk.