Following the disclosure of CVE-2017-9248 in Telerik.Web.UI.dll, Eveliko patched all clients on active support on the same day - coordinating with government and financial institutions across different Sitefinity versions and security environments.
As some of you may know, a security vulnerability was discovered in Telerik.Web.UI.dll - an assembly that ships with Sitefinity.
More information about CVE-2017-9248
All projects on active support were patched on the same day the vulnerability was disclosed. Clients who manage their own infrastructure received step-by-step instructions by email and were supported over calls and chats - whatever was available in their environment. We stayed flexible.
The last large client to be patched was a government entity running multiple websites on different Sitefinity versions, which required a little more time to apply correctly. They were fully patched by Tuesday. Basic tests were performed across all sites.
We reacted on the same day. Financial and government institutions received emails with the steps they needed to perform immediately. We supported them through the process in whatever way we could, accounting for their specific security restrictions and internal procedures that make applying patches more involved than usual.
Several long-term clients already have UI test coverage for critical functionality built into their CI pipelines. This meant that once the patch was deployed to staging, we had confidence it was working - and when it went to production, passive UI tests confirmed everything was still functioning as expected, all within an hour of the code being pushed.
A follow-up email on this subject was sent by Progress after the fact. To be clear - the issue described is the same one and was already handled the previous week. There is no need to worry about it if you are an Eveliko support client.