2020-12 - Synergetic Security Hotfix - 11th December 2020

Issue

A security vulnerability relating to the Synergetic Community Portal was very recently identified. With the right technical knowledge and under certain conditions, it may be possible for someone who is logged in to the Portal to gain access to information which they would not usually have access to. A small number of Synergetic clients running v70.08 or below may have been affected, and each client has been contacted and provided with priority support for the patch.

Fix

A critical hotfix was created through an update to a core Community Portal binary file, Synergetic.SynComPort.Web.dll. The file must be replaced with the fixed version, and the IIS website application pool must then be recycled for the new DLL to be applied. The file replacement and application pool restart will lead to a brief outage of the Community Portal service, estimated at around one minute. Anyone already connected to the Community Portal during this time will have their session dropped and will be able to log in again once the website application pool restarts. This patch does not require any downtime for other Synergetic products. Because the Community Portal is primarily used by parents after hours, it is recommended that the patch be applied during business hours.

Affected File Versions

In order to provide the patch as quickly as possible and to avoid a full system upgrade and related downtime, the affected binaries were rebuilt with exactly the same version numbers as before. This was required due to additional dependencies on the version of other embedded binary files used by the Community Portal. Therefore, to determine whether the patch has been applied, it is important to verify that the created date of the file is later than 10/12/2020, or to confirm with Synergetic support.

Build     File Version
v70.01    70.1.1.17719
v70.02    70.2.1.19911
v70.03    70.3.1.21317
v70.04    70.4.1.23212
v70.05    70.5.1.25816
v70.06    70.6.1.26911
v70.07    70.7.1.31516
v70.08    70.7.2.31809
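
A check for the condition described above, as an added PowerShell example that is not Synergetic's own tooling: it matches the deployed DLL's file version against the table and compares its created date with the cutoff. The DLL path is a placeholder, and reading 10/12/2020 as 10 December 2020 with a strictly-later date comparison is an assumption.

```powershell
# Added example, not vendor tooling. Run on the IIS server hosting the Portal.
param(
    # Placeholder path (assumption): point this at the deployed Portal DLL.
    [string]$DllPath = 'C:\PLACEHOLDER\bin\Synergetic.SynComPort.Web.dll',
    # "10/12/2020" read as 10 December 2020, day/month/year (assumption).
    [datetime]$Cutoff = ([datetime]::new(2020, 12, 10))
)

# Build -> file version pairs copied from the advisory's table.
$Affected = [ordered]@{
    'v70.01' = '70.1.1.17719'; 'v70.02' = '70.2.1.19911'
    'v70.03' = '70.3.1.21317'; 'v70.04' = '70.4.1.23212'
    'v70.05' = '70.5.1.25816'; 'v70.06' = '70.6.1.26911'
    'v70.07' = '70.7.1.31516'; 'v70.08' = '70.7.2.31809'
}

function Test-HotfixApplied {
    param([string]$FileVersion, [datetime]$Created, [datetime]$Cutoff)
    # The hotfix keeps the version number, so the version only identifies
    # the build; the created date is the indicator the advisory names.
    $build = $Affected.Keys | Where-Object { $Affected[$_] -eq $FileVersion.Trim() }
    if (-not $build) {
        return 'UNKNOWN: file version is not in the advisory table'
    }
    if ($Created.Date -gt $Cutoff.Date) {
        return "CONSISTENT WITH HOTFIX ($build): created after the cutoff date"
    }
    return "NOT VERIFIED ($build): created on or before the cutoff date"
}

$file = Get-Item -LiteralPath $DllPath -ErrorAction Stop
$result = Test-HotfixApplied -FileVersion $file.VersionInfo.FileVersion `
    -Created $file.CreationTime -Cutoff $Cutoff

# LastWrite and SHA256 are reported for reference only; the verdict uses Created.
[pscustomobject]@{
    Path        = $file.FullName
    FileVersion = $file.VersionInfo.FileVersion
    Created     = $file.CreationTime
    LastWrite   = $file.LastWriteTime
    SHA256      = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash
    Result      = $result
} | Format-List
```

Any result other than "CONSISTENT WITH HOTFIX" is a prompt to confirm with Synergetic support, and the printed SHA-256 gives them an exact file to identify.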

Outcome

Once the patch has been applied, the reported security vulnerability will be removed.