<p><strong>Vulnerability in EPiServer.Forms</strong> (blog post by Phu Nguyen, Optimizely World, 2023-10-25)</p>
<p><strong>Introduction</strong><br />We recently fixed a potential security vulnerability in the Optimizely Forms add-on. Customers may face this issue with any Forms version; it arises when a CMS function is used without accounting for its noted behaviors, and it could lead to a loss of security protection for some end-users' data.</p>
<p><strong>Risk</strong><br />Overall, the risk of vulnerability is high, especially if your website uses content indexing services (like Find or other search engines).</p>
<p><strong>Mitigation </strong></p>
<p>The issue has been fixed in EPiServer.Forms <a href="https://nuget.optimizely.com/package/?id=EPiServer.Forms&v=5.7.0">v5.7.0</a> (<a href="/link/1933ba72787346df9003b7a4c7d1cff8.aspx?epsremainingpath=bug/AFORM-3620">AFORM-3620</a>) for CMS 12 and <a href="https://nuget.optimizely.com/package/?id=EPiServer.Forms&v=4.31.0">v4.31.0</a> for CMS 11. Please upgrade to those versions as soon as possible.</p>
<p><span style="text-decoration: underline;">For DXP service customers:</span></p>
<ul>
<li>Mitigation is in place for all DXP service customers.</li>
<li><em>Update (October 27)</em>: To clarify, we have mitigated existing vulnerable vectors, but packages SHOULD be updated to mitigate the risk of reintroducing the vulnerability!</li>
</ul>
<p><strong>Affected versions</strong><br />Any Forms version before 5.7.0 (CMS12) or Forms 4.31.0 (CMS11).</p>
<p><strong>Remediation</strong><br />If using one of the affected versions of EPiServer.Forms listed above, please update to version 5.7.0 (CMS12) or Forms 4.31.0 (CMS11).</p>
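<p>As an added example (not code from Optimizely or from this advisory), the following Python script reads a <code>packages.config</code> (CMS 11 style) or an SDK-style <code>.csproj</code> (CMS 12 style), finds every <code>EPiServer.Forms</code> reference, and reports whether it falls below the fixed versions named above. The two package files embedded in it are constructed samples; the version comparison treats a pre-release build (for example <code>5.7.0-pre1</code>) as older than the fixed release, which is the conservative reading.</p>

```python
"""Flag EPiServer.Forms references that are below the fixed versions from the
advisory: 4.x below 4.31.0 (CMS 11) and 5.x below 5.7.0 (CMS 12).
Added example; not Optimizely's code."""
import xml.etree.ElementTree as ET

PACKAGE_ID = "EPiServer.Forms"
# Fixed versions from the advisory, keyed by the major version line.
# The trailing 1 marks a release build so that pre-releases (0) sort below it.
FIXED = {4: (4, 31, 0, 1), 5: (5, 7, 0, 1)}


def parse_version(text):
    """Turn '4.30.0' or '5.7.0-pre1' into a comparable tuple
    (major, minor, patch, is_release). Build metadata after '+' is ignored."""
    core, _, suffix = text.split("+", 1)[0].partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if suffix else 1)


def is_affected(version):
    """True when the given Forms version is in the affected range."""
    v = parse_version(version)
    major = v[0]
    if major < 4:
        return True  # "any version before" the fixed releases
    if major in FIXED:
        return v < FIXED[major]
    return False  # newer major lines than both fixes


def find_forms_versions(xml_text):
    """Return every version string declared for EPiServer.Forms in either a
    packages.config (<package id= version=>) or a .csproj
    (<PackageReference Include= Version=>), namespace-agnostic."""
    root = ET.fromstring(xml_text)
    found = []
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # strip any XML namespace prefix
        if tag == "package" and el.get("id", "").lower() == PACKAGE_ID.lower():
            found.append(el.get("version"))
        elif tag == "PackageReference" and el.get("Include", "").lower() == PACKAGE_ID.lower():
            ver = el.get("Version")
            if ver is None:  # <Version> may also be a child element
                child = el.find("Version")
                ver = child.text.strip() if child is not None and child.text else None
            if ver:
                found.append(ver)
    return found


def audit(xml_text):
    """Return (version, affected) for each EPiServer.Forms reference found."""
    return [(v, is_affected(v)) for v in find_forms_versions(xml_text)]


# Constructed sample inputs; the non-Forms package versions are placeholders.
SAMPLE_PACKAGES_CONFIG = """<packages>
  <package id="Some.Other.Package" version="1.0.0" targetFramework="net472" />
  <package id="EPiServer.Forms" version="4.30.0" targetFramework="net472" />
</packages>"""

SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk.Web">
  <ItemGroup>
    <PackageReference Include="Some.Other.Package" Version="1.0.0" />
    <PackageReference Include="EPiServer.Forms" Version="5.7.0" />
  </ItemGroup>
</Project>"""

if __name__ == "__main__":
    for label, doc in (("packages.config", SAMPLE_PACKAGES_CONFIG), (".csproj", SAMPLE_CSPROJ)):
        for version, affected in audit(doc):
            print(f"{label}: {PACKAGE_ID} {version} -> {'AFFECTED' if affected else 'fixed'}")
```

<p>Run it against each project file in a solution; a version of 4.31.x (which sits between the two fixed releases) is reported as fixed, since the CMS 11 line was patched at 4.31.0.</p>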
<p>Please reach out to our support for further guidance by email to <a href="mailto:support@optimizely.com">support@optimizely.com</a> or submit a request at <a href="https://support.optimizely.com/hc/en-us">https://support.optimizely.com/hc/en-us</a>.</p>
<h3>Questions</h3>
<p>If you have any questions, please contact our support team (with assistance from our security engineering team) at <a href="mailto:support@optimizely.com">support@optimizely.com</a>.</p>
<h3>Risk definitions</h3>
<p>Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.</p>
<p>Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.</p>
<p>High – high potential impact on Optimizely or customer environments/data. Vulnerability has high exploitability, for example: achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.</p>
<p>Critical – very significant potential impact on Optimizely or customer environments/data. Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code. Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.</p>
<html>
<head>
</head>
<body>
<p><strong>Forms 4.6 performance enhancement</strong> (blog post by Phu Nguyen, Optimizely World, 2017-08-03)</p>
<p>After using dotTrace and JMeter to analyze Forms performance issues, we found some problematic code segments that caused slow response times and high CPU usage. We therefore changed the Forms API internally to reduce data processing time.</p>
<p>From version 4.6.0, Forms with DDS as the default data storage mechanism performs much better than previous versions, especially for forms with a large number of submissions. Below is a performance comparison of Forms 4.6.0 and 4.5.1. The comparison uses JMeter with more than 20,000 records (all tests were run on the developer's computer).</p>
<p><strong>Forms 4.6.0 takes about 30 seconds to finish the test.</strong></p>
<p><img src="/link/15b11db79eac416aa83db2da7c543f21.aspx" width="1079" alt="4.6" height="426" /></p>
<p><strong>Forms 4.5.1 takes more than 3 hours to finish that test.</strong></p>
<p><img src="/link/138cf9ba3628474d86e3decc107caf08.aspx" width="1093" alt="4.5.1" height="505" /></p>
<p>We ran another test, and the results look quite promising when comparing MongoDB to DDS as the data storage mechanism.</p>
<p><img src="/link/f611e4fbe86844708e901c2587c08c40.aspx" width="1343" alt="DDS and MongoDB" height="344" /></p>
</body>
</html>