Description
This article describes a vulnerability in Newtonsoft.Json, which Optimizely products are affected, and what Optimizely is doing about it.
Content Cloud and Commerce Cloud (including the Search & Navigation (Find) client) use the Newtonsoft.Json library, the most widely used JSON library in .NET applications. A vulnerability that can, at least in theory, be exploited for denial-of-service (DoS) attacks has been found in versions of Newtonsoft.Json prior to 13.0.1.
The current versions of our software already require patched versions of Newtonsoft.Json. However, because this is a PaaS offering, customers own their application code and its package references, so there are (potentially many) customers with vulnerable applications because they are running older versions of our software together with an older Newtonsoft.Json.
Some of those older versions also do not officially support the patched versions of Newtonsoft.Json, so the update has to be forced (see Steps below).
Steps
The solution so far is to upgrade Newtonsoft.Json to version 13.0.1 or later (but below 14.0.0). Details per product version follow.
- CMS version 11.20.11 or higher, Commerce version 13.32.1 or higher, Find version 13.4.8 or higher: if the version of the Newtonsoft.Json package in your solution is prior to 13.0.1, simply update that package to 13.0.1 (or higher, but below 14.0.0).
- CMS 11 packages (e.g. EPiServer.Framework) prior to version 11.20.11, Commerce 13 packages (e.g. EPiServer.Commerce) prior to version 13.32.1, Find 12 & 13 packages (EPiServer.Find) prior to 13.4.8: force the update of Newtonsoft.Json to version 13.0.1 as follows.
  - Open the solution in Visual Studio.
  - In the packages.config file of every project that references Newtonsoft.Json, change the version of the Newtonsoft.Json entry to 13.0.1.
  - Run “Install-Package Newtonsoft.Json -IgnoreDependencies” in the Package Manager Console in Visual Studio (select the matching default project, or add -ProjectName, for each affected project).
  - Rebuild the solution. Afterwards, check that the Newtonsoft.Json binding redirect in web.config (or app.config) points to newVersion="13.0.0.0", the assembly version of the 13.0.x packages; NuGet normally updates this redirect during the install, but a stale 12.0.0.0 redirect will cause a runtime assembly-load failure.
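The following PowerShell script is an added example and not part of the original article or of Optimizely's tooling. Run from the solution root in a normal PowerShell window, it audits every packages.config in the solution for a Newtonsoft.Json reference outside the safe range [13.0.1, 14.0.0), checks the binding redirects in web.config/app.config against the 13.0.0.0 assembly version, and prints the Package Manager Console commands for the projects that still need the forced update. The helper functions, the `$MinSafe`/`$MaxExclusive` constants and the packages.config layout are assumptions of this example; the version numbers come from the steps above.

```powershell
# Added example (not Optimizely's own code): audit a CMS 11 / Commerce 13 / Find 13
# solution for Newtonsoft.Json references that are still outside the range the
# article prescribes, and emit the forced-update commands for the Package Manager Console.
# Assumes packages.config-style projects (as in the steps above) and is run from the
# solution root. Function and variable names below are hypothetical helpers.

$PackageId    = 'Newtonsoft.Json'
$MinSafe      = [version]'13.0.1'   # lowest patched version, per the article
$MaxExclusive = [version]'14.0.0'   # stay below 14.0.0, per the article
# Json.NET 13.0.x ships with assembly version 13.0.0.0; that is what the
# bindingRedirect/@newVersion in web.config or app.config must name.
$AssemblyVersion = '13.0.0.0'

function Get-NewtonsoftReferences {
    param([string]$Root = (Get-Location).Path)
    Get-ChildItem -Path $Root -Recurse -Filter packages.config |
        Where-Object { $_.FullName -notmatch '\\packages\\' } |   # skip the NuGet cache folder
        ForEach-Object {
            [xml]$xml = Get-Content -LiteralPath $_.FullName
            $pkg = @($xml.packages.package | Where-Object { $_.id -eq $PackageId }) | Select-Object -First 1
            if ($pkg) {
                $projDir = Split-Path $_.FullName -Parent
                $proj    = Get-ChildItem -Path $projDir -Filter *.csproj | Select-Object -First 1
                # drop any prerelease suffix ("13.0.1-beta1") before casting to [version]
                $ver = [version](($pkg.version -split '-')[0])
                [pscustomobject]@{
                    Project    = if ($proj) { $proj.BaseName } else { Split-Path $projDir -Leaf }
                    ConfigPath = $_.FullName
                    Version    = $ver
                    Safe       = ($ver -ge $MinSafe -and $ver -lt $MaxExclusive)
                }
            }
        }
}

function Get-NewtonsoftBindingRedirects {
    param([string]$Root = (Get-Location).Path)
    # assemblyBinding elements live in the asm.v1 namespace, so XPath needs a prefix
    $ns = @{ a = 'urn:schemas-microsoft-com:asm.v1' }
    Get-ChildItem -Path $Root -Recurse -Include web.config, app.config |
        Where-Object { $_.FullName -notmatch '\\(bin|obj|packages)\\' } |
        ForEach-Object {
            [xml]$xml = Get-Content -LiteralPath $_.FullName
            $hits = Select-Xml -Xml $xml -Namespace $ns `
                -XPath "//a:dependentAssembly[a:assemblyIdentity/@name='$PackageId']/a:bindingRedirect"
            foreach ($h in $hits) {
                [pscustomobject]@{
                    ConfigPath = $_.FullName
                    NewVersion = $h.Node.newVersion
                    Ok         = ($h.Node.newVersion -eq $AssemblyVersion)
                }
            }
        }
}

# 1. Which projects reference which Newtonsoft.Json version, and is it in range?
$refs = Get-NewtonsoftReferences
$refs | Format-Table Project, Version, Safe -AutoSize

# 2. Do the binding redirects already point at the 13.0.x assembly version?
Get-NewtonsoftBindingRedirects | Format-Table ConfigPath, NewVersion, Ok -AutoSize

# 3. Commands to paste into the Package Manager Console for every project still out of range.
#    -Version pins the package instead of editing packages.config by hand; -IgnoreDependencies
#    is the switch the article's forced-update step uses.
$refs | Where-Object { -not $_.Safe } | ForEach-Object {
    "Install-Package $PackageId -Version $MinSafe -ProjectName '$($_.Project)' -IgnoreDependencies"
}
```

Two caveats when using this. First, a project that is already on a 13.0.x version higher than 13.0.1 is reported as safe and gets no command; only references below 13.0.1 or at 14.0.0 and above are flagged. Second, Newtonsoft.Json 13.0.1 also changed the default MaxDepth of JsonReader to 64, which is the change that stops the deeply nested payloads behind the DoS, so after a forced update on an older product version, retest any code path that deserializes legitimately deep JSON and raises MaxDepth explicitly where it is genuinely needed.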
Optimizely QA and Product Engineering continue to test older versions of Find 13, Commerce 13 and CMS 11 with the updated Newtonsoft.Json. Any updates or additional steps will be added to this article.
Additional comments.