2020-03-17 Urgent Security Update for All Umbraco Sites

Umbraco will release a critical security patch on March 17th at 1 a.m. (Mountain time). All Umbraco sites will need to have this patch applied.

Updated 3/17/2020: The security patch was released this morning. The patch addresses a security vulnerability in a library (Client Dependency Framework) used by Umbraco CMS. This issue would potentially allow an unauthenticated user to fetch resources from your site (such as config files) that should not be made available. This is considered to be a high-severity security issue. 

How to Update 

To update manually, copy the new version (1.9.9) of the Client Dependency DLL into the bin folder of your website. 

You will also need to delete all files in ~/App_Data/ClientDependency or ~/App_Data/Temp/ClientDependency after the upgrade. 

To update with NuGet, run this command in your Package Manager Console in Visual Studio:

Update-Package ClientDependency -Version 1.9.9

You can also search for the ClientDependency package and update it to the latest version (1.9.9).

ProTip! If you are running lots of websites, here is a quick fix. As a temporary measure you can use the "replace" Windows command to replace all occurrences of a file on your server with a single command: 

replace "C:\Users\FyinDotCom\Downloads\ClientDependency.Core.dll" c:\inetpub\wwwroot /s
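
After a bulk replace like the one above, it helps to confirm which sites actually carry the patched DLL and to clear the ClientDependency cache folders mentioned earlier. The following PowerShell script is an added example, not code from FYIN or Umbraco. It assumes the sites live under C:\inetpub\wwwroot (the root used in the replace command) and that the DLL's file version reflects the package version; the function and parameter names are hypothetical.

```powershell
# Added example: inventory ClientDependency.Core.dll copies and flag any below 1.9.9.
# Assumptions: sites live under C:\inetpub\wwwroot and the DLL's file version
# matches the package version. Names below are illustrative, not from the page.
param(
    [string]$Root = 'C:\inetpub\wwwroot',
    [switch]$ClearCache   # also empty the ClientDependency cache of patched sites
)

$patched = [version]'1.9.9'

function Get-ClientDependencyStatus {
    param([string]$Path)
    Get-ChildItem -Path $Path -Recurse -Filter 'ClientDependency.Core.dll' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info = $_.VersionInfo
            $ver  = [version]::new($info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart)
            [pscustomobject]@{
                SiteRoot = Split-Path -Parent $_.DirectoryName   # parent of the bin folder
                Version  = $ver
                Patched  = $ver -ge $patched
                Dll      = $_.FullName
            }
        }
}

$results = @(Get-ClientDependencyStatus -Path $Root)
$results | Sort-Object Patched, SiteRoot | Format-Table SiteRoot, Version, Patched -AutoSize

if ($ClearCache) {
    # Only clear caches for sites that already have the patched DLL in place.
    foreach ($site in $results | Where-Object Patched) {
        foreach ($rel in 'App_Data\ClientDependency', 'App_Data\Temp\ClientDependency') {
            $cache = Join-Path $site.SiteRoot $rel
            if (Test-Path -LiteralPath $cache) {
                Get-ChildItem -LiteralPath $cache -File -Recurse | Remove-Item -Force
                Write-Host "Cleared $cache"
            }
        }
    }
}

# Non-zero exit code lets a scheduled job or deployment step fail on unpatched sites.
$unpatched = @($results | Where-Object { -not $_.Patched })
if ($unpatched.Count -gt 0) {
    Write-Warning "$($unpatched.Count) site(s) still below $patched"
    exit 1
}
```

Run it once without -ClearCache to review the inventory, then again with the switch after every site reports Patched as True.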

Additionally, FYIN has developed a tool that will allow you to audit a server for known Umbraco vulnerabilities. Visit UmbAudit to learn more. 

Umbraco HQ has released a security advisory that is relevant for all sites built on the Umbraco CMS. A security vulnerability has been identified that could cause the release of private information. This issue affects all Umbraco sites version 4.11.9 and up (including version 8). 

Umbraco is releasing a patch on Tuesday, March 17th at 1:00 a.m. MST. Because of the severity of this security vulnerability, Umbraco is not releasing details ahead of time (in order to prevent nefarious characters from trying to exploit it further). However, we can confidently state that this patch is a critical one and should not be treated as optional.

If you have an Umbraco site, you’ll want to do the following:

  1. Confirm the Umbraco version of your site(s). In most versions, you can find your version number by clicking your account icon in the upper left corner after logging in.
  2. Contact your web host/IT provider and confirm that they can make this important update for you (ideally, on the 17th). If your site is hosted on Umbraco Cloud, the update will be made automatically. However, if the site is hosted in a data center or in your own facility, the update will need to be made manually.

If you are a FYIN partner, rest assured that we will take care of this update for you. You do not need to do anything.

If you are not a FYIN partner (or were a partner previously), we do not want to leave you out in the cold. Our team stands ready to help the Umbraco community! We estimate that this patch will take about 1 hour.

Please fill out the form below or contact us.

Stay tuned to this blog post for further updates!
