Telerik.Web.UI.dll Cryptographic Weakness

Description
  • A third-party organization has identified a cryptographic weakness in Telerik.Web.UI.dll that can be exploited to disclose encryption keys (Telerik.Web.UI.DialogParametersEncryptionKey and/or the MachineKey).
Remediation
  • To ensure your application is not exposed to this risk, the following mitigation paths are available:
    • Use a patch for versions between Q1 2013 (2013.1.220) and R2 2017 (2017.2.503).
    • Use a patch for some versions between Q1 2011 (2011.1.315) and Q3 2012 SP2 (2012.3.1308).
    • If you are on active maintenance, upgrade to R2 2017 SP1 (2017.2.621) or later.
    • Prevent access to the Telerik Dialog Handler.
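
The version ranges above can be applied to an asset inventory to decide which mitigation path each application falls under. The following is an added example, not code from Telerik or from this advisory. The status labels, function names and sample inventory are constructed for illustration, and it assumes that a fourth component in the DLL file version, if present, does not affect the ranges.

```python
from collections import defaultdict

# Boundaries copied from the advisory's remediation list.
PATCH_RANGE_OLD = ((2011, 1, 315), (2012, 3, 1308))  # patch for *some* versions
PATCH_RANGE_NEW = ((2013, 1, 220), (2017, 2, 503))   # patch available
FIXED_FROM = (2017, 2, 621)                          # R2 2017 SP1 or later

def parse_version(text):
    """Return (year, release, build); a 4th component is ignored (assumption)."""
    parts = text.strip().split(".")
    if len(parts) not in (3, 4) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts[:3])

def triage(version_text):
    """Map one Telerik.Web.UI.dll version to a remediation status."""
    v = parse_version(version_text)
    if v >= FIXED_FROM:
        return "at-or-above-fixed-release"
    if PATCH_RANGE_NEW[0] <= v <= PATCH_RANGE_NEW[1]:
        return "patch-available"
    if PATCH_RANGE_OLD[0] <= v <= PATCH_RANGE_OLD[1]:
        return "patch-for-some-versions"
    # No range in the advisory covers this version: the remaining paths
    # are upgrading or preventing access to the Telerik Dialog Handler.
    return "no-patch-listed"

def summarize(inventory):
    """Group application names by status; unparseable entries stay visible."""
    groups = defaultdict(list)
    for app, version_text in sorted(inventory.items()):
        try:
            groups[triage(version_text)].append(app)
        except ValueError:
            groups["unparsed"].append(app)
    return dict(groups)

# Constructed sample inventory (application name -> DLL file version).
SAMPLE_INVENTORY = {
    "intranet-portal": "2015.3.1111.45",
    "legacy-crm": "2012.1.411.35",
    "public-site": "2018.1.117.45",
    "archive-app": "2010.3.1109.35",
    "unknown-app": "n/a",
}

if __name__ == "__main__":
    for status, apps in summarize(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(apps)}")
```

Entries reported as `patch-for-some-versions`, `no-patch-listed` or `unparsed` need manual follow-up, since the advisory does not enumerate which individual versions in the older range have a patch.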
References