2021-01 - Synergetic Security Hotfix - 11th January 2021

Issue

A security vulnerability relating to Synergetic SynWeb was very recently identified. With the right technical knowledge and under certain conditions, it may be possible for someone to log in to SynWeb with elevated permissions. The issue affects clients running v69 & v70 together with SAML authentication. The issue has been resolved in v70.09 and later.

Fix

A critical hotfix was created through an update to a core SynWeb binary file, Synergetic.SynWeb.Web.dll. The hotfix was delivered automatically via the updater.

The hotfix can be applied manually afterwards if required:

  1. Log in to your Synergetic web server and download the hotfix updater 'SynWebFileUpdate.exe' file below. (There is no need to download the individual hotfix file for the version - this is done automatically.)
  2. Run the hotfix updater as an administrator and accept any prompts requesting elevated access.
  3. Check the success of the hotfix, using the 'Verification' steps below.

Please note, the file replacement may trigger an application pool restart which will lead to a brief outage of the SynWeb service - this is estimated to be a period of around one minute. Anyone already connected to SynWeb during this time will have their session dropped but will be able to log in again once the website application pool restarts. This patch does not require any downtime for other Synergetic products.

Verification

Successful application of the hotfix can be verified by checking that the file 'Synergetic.SynWeb.Web.dll', located in the 'bin' folder, has a modified date of 12/01/2021.
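
The check above can be scripted so the result does not depend on the server's regional date format. This is an added example, not vendor-supplied code: the -SynWebRoot parameter and the status names are illustrative, and the date 12/01/2021 is read day-first (12 January 2021).

```powershell
# Added example, not vendor code. Assumptions: each -SynWebRoot value is a
# folder that contains SynWeb's 'bin' directory (the path is site-specific),
# and the advisory's 12/01/2021 is day-first, i.e. 12 January 2021.
param(
    [Parameter(Mandatory)]
    [string[]] $SynWebRoot
)

# Parse the advisory date explicitly so a US-locale server does not read it
# as 1 December 2021.
$culture  = [System.Globalization.CultureInfo]::InvariantCulture
$expected = [datetime]::ParseExact('12/01/2021', 'dd/MM/yyyy', $culture).Date

foreach ($root in $SynWebRoot) {
    $dll = Join-Path -Path $root -ChildPath 'bin\Synergetic.SynWeb.Web.dll'

    if (-not (Test-Path -LiteralPath $dll -PathType Leaf)) {
        [pscustomobject]@{ Path = $dll; Status = 'FileNotFound'; Modified = $null
                           FileVersion = $null; SHA256 = $null }
        continue
    }

    $file = Get-Item -LiteralPath $dll
    # Compare the date part only; LastWriteTime is in the server's local time.
    $modified = $file.LastWriteTime.Date

    if ($modified -eq $expected)     { $status = 'MatchesHotfixDate' }
    elseif ($modified -lt $expected) { $status = 'OlderThanHotfixDate' }
    else                             { $status = 'NewerThanHotfixDate' }

    [pscustomobject]@{
        Path        = $dll
        Status      = $status
        # Printed in an unambiguous format, whatever the regional settings
        Modified    = $file.LastWriteTime.ToString('yyyy-MM-dd HH:mm:ss')
        FileVersion = $file.VersionInfo.FileVersion
        # Recorded as change-control evidence; the advisory gives no reference hash
        SHA256      = (Get-FileHash -LiteralPath $dll -Algorithm SHA256).Hash
    }
}
```

A status of 'OlderThanHotfixDate' or 'FileNotFound' means the manual steps above still need to be run or the path is wrong for that site.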

Resources

These files are only required if manually applying the hotfix.

Hotfix updater

SynWebFileUpdate.exe


Hotfix file for each version