Skip to content

@spencern spencern released this Nov 2, 2018 · 2223 commits to master since this release

v1.16.2

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party oAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to oAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact security@reactioncommerce.com for patch files for your version.

Vulnerabilities

oAuth Service Configuration Publication Vulnerability
Severity High
Description oAuth Service Configuration secrets could be shared with unauthenticated users via the ServiceConfiguration publication.
Affected Installations Any shops using an oAuth provider such as Facebook, Google, Twitter, Instagram, or a custom oAuth provider
Affected Versions All versions greater or equal to v0.10.0
Remediation Install patch for your version of Reaction Commerce and invalidate all oAuth Service Provider secrets used by Reaction Commerce. After patching, generate new secrets for use.
SMS Configuration Publication Vulnerability
Severity High
Description SMS Configuration secrets could be shared with unauthenticated users
Affected Installations Any shops using an SMS provider such as Twilio, Instagram, or a custom SMS provider
Affected Versions Versions less than v1.14.0 and greater than or equal to v0.18.0
Any version greater than or equal to v1.14.0 where the SMS plugin has been installed separately
Remediation Install patch for your version of Reaction Commerce and invalidate all SMS Provider secrets used by Reaction Commerce. After patching, generate new secrets for use.
Dashboard Routes Bug
Severity Low
Description Unauthenticated users can visit dashboard routes with a direct URL.
Affected Installations All installations on an affected version
Versions Versions greater than or equal to v1.2.0
Remediation Install patch for your version of Reaction Commerce.

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact security@reactioncommerce.com for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or oAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or oAuth providers through Reaction Commerce, generate and use new secrets to continue to provide login or notification services to your customers.

If you have any questions about this advisory or about the patches, please contact us at: security@reactioncommerce.com.

Assets 2
You can’t perform that action at this time.