Telerik removal is an important step in ensuring the security of a DNN website. Telerik contains a known vulnerability and there has been a spate of incidents recently where hackers have managed to force their way into DNN websites by exploiting the Telerik weakness.
DNN and Telerik made an agreement when DNN version 5 was the latest thing. DNN would come packaged with Telerik. Developers and admins would be able to use it to edit and create elements on their websites, including modules, provided they bought a licence from Telerik. By the time DNN 7 was launched in 2015, Telerik was free to use and bundled in with DNN. From that point on, many module developers built things like blog and events modules that contained intrinsic dependencies upon Telerik, i.e. they wouldn't work without it.
Fast forward a few years and a vulnerability in Telerik becomes known and DNN websites are exposed to risk as a result. DNN asks Telerik to upgrade the DNN editor it developed all those years ago but it turns out that it cannot do so, the original source files have been lost. DNN Corp makes the decision to sever ties with Telerik and to produce a version of DNN that no longer needs Telerik in order to function. Cue DNN 9.8!
So I just need to upgrade?
While the most recent versions of DNN are not dependent on Telerik, many existing modules still are. That means that if you take a website built in DNN 8 containing a blog, an events section, an image gallery and a slider, and you upgrade it to DNN 9.8, Telerik will still be present and, crucially, it will still be needed. Even though the upgrade will have made it possible to remove Telerik, the modules that it powers will all stop working when Telerik is taken away.
I need new modules then :-(
Afraid so. In order to take a website built in an earlier version of DNN - one that contains Telerik and vulnerability inherent within it - and turn it into a DNN website built in a much more recent version of DNN and with all traces of Telerik removed, some modules will need to be replaced. In theory, that can mean a quick export of data from the current module and import of the same data to its replacement. It is rarely that simple though. At the very least, some data mapping is required and, more often than not, more work is required to make it possible for the modules to work exactly as they did, and to interact with each other as they did when Telerik was present.
And the future?
When (and if) DNN 10 is released, it will not allow an association with Telerik. A brand new website built in that version will not contain Telerik and, if an older website is upgraded to DNN 10, all remnants of Telerik will be forcibly removed. At that point module developers will have to ensure their modules have no need for Telerik and developers and website owners looking to avoid it will find life a lot easier.
Is my website vulnerable until then?
If a DNN website contains Telerik, it is vulnerable to attack. Telerik lost the original source files for their DNN editor in 2013. In this fast-paced world, you cannot trust any technology that has not been upgraded for eight years to be secure. To ensure the security of your DNN website, it is vital to remove Telerik. The only way to do so is as follows...
Method - a summary
- Upgrade to DNN 9.8 (or above)
At this stage it will be possible to remove Telerik but that will not have happened automatically; Telerik will still be present.
- Identify which modules depend upon Telerik
- Identify suitable replacement modules
- Take data from existing modules and transfer to new ones
- Remove Telerik-dependent modules
- Remove all remnants of Telerik from the website.
Easier said than done
Of course, working through the above steps is not a simple task and the chances are that you have a full time role and responsibilities to fulfil. In fact it is unlikely that the job description you signed up for included phrases such as, "DNN Version Upgrades, Telerik Removal and Module Replacement."
If you need help ensuring that a DNN website is fully secure - with all remnants of Telerik removed - please contact us.