github reactioncommerce/reaction v1.13.2

v1.13.2

We discovered vulnerabilities that affect shops built on Reaction Commerce that use third-party oAuth services or SMS services.

On Sunday, 2018-10-28, we received a security vulnerability report from a member of the Reaction Commerce community. This report outlined an attack vector for an unauthenticated user to access secrets related to oAuth service providers and SMS messaging providers and to access certain routes intended for operators only.

Today, we are releasing a fix for these vulnerabilities. We are releasing this patch version independently for all minor versions of Reaction Commerce released since v1.10 so that you can upgrade with minimal friction. If you are using a version of Reaction Commerce prior to v1.10.0 for which we have not released a patch version, please contact security@reactioncommerce.com for patch files for your version.

Vulnerabilities

oAuth Service Configuration Publication Vulnerability

Severity: High
Description: oAuth Service Configuration secrets could be shared with unauthenticated users via the ServiceConfiguration publication.
Affected Installations: Any shops using an oAuth provider such as Facebook, Google, Twitter, Instagram, or a custom oAuth provider
Affected Versions: All versions greater than or equal to v0.10.0
Remediation: Install the patch for your version of Reaction Commerce and invalidate all oAuth Service Provider secrets used by Reaction Commerce. After patching, generate new secrets for use.

SMS Configuration Publication Vulnerability

Severity: High
Description: SMS Configuration secrets could be shared with unauthenticated users.
Affected Installations: Any shops using an SMS provider such as Twilio, Instagram, or a custom SMS provider
Affected Versions: Versions less than v1.14.0 and greater than or equal to v0.18.0; any version greater than or equal to v1.14.0 where the SMS plugin has been installed separately
Remediation: Install the patch for your version of Reaction Commerce and invalidate all SMS Provider secrets used by Reaction Commerce. After patching, generate new secrets for use.

Dashboard Routes Bug

Severity: Low
Description: Unauthenticated users can visit dashboard routes with a direct URL.
Affected Installations: All installations on an affected version
Affected Versions: Versions greater than or equal to v1.2.0
Remediation: Install the patch for your version of Reaction Commerce.
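The bug class behind the two publication vulnerabilities, as an added illustrative example (not Reaction Commerce's code; the field names, the isOperator predicate and the sample documents are assumptions): a Meteor-style publication that hands the full ServiceConfiguration document to every subscriber, beside a version that restricts non-operators to an allow-list of public fields, with a regression check that flags any secret-bearing field reaching a non-operator.

```javascript
// Illustrative Meteor-style publication of ServiceConfiguration documents,
// written as plain functions so it runs under Node. Not Reaction Commerce
// code; field names, isOperator and the sample documents are assumptions.

// Fields a storefront client needs to start an oAuth login: the provider
// name and its public identifiers. Nothing else leaves the server.
const PUBLIC_SERVICE_FIELDS = ["service", "clientId", "appId", "consumerKey", "loginStyle"];

// Vulnerable shape: every subscriber, authenticated or not, receives the
// whole configuration document, `secret` included.
function publishServiceConfigVulnerable(docs) {
  return docs.map((doc) => ({ ...doc }));
}

// Hardened shape: operators get the full document; everyone else gets only
// the allow-listed fields. Allow-listing (rather than deleting `secret`)
// also covers provider-specific secret fields added later.
function publishServiceConfigFixed(docs, subscriber, isOperator) {
  if (subscriber.userId && isOperator(subscriber.userId)) {
    return docs.map((doc) => ({ ...doc }));
  }
  return docs.map((doc) =>
    Object.fromEntries(
      Object.entries(doc).filter(([key]) => PUBLIC_SERVICE_FIELDS.includes(key))
    )
  );
}

// Regression check a shop can keep in its test suite: no document reaching a
// non-operator subscriber may carry a secret-bearing field.
const SECRET_FIELDS = ["secret", "authToken", "apiKey"];
function leaksSecrets(publishedDocs) {
  return publishedDocs.some((doc) => SECRET_FIELDS.some((f) => f in doc));
}

// Constructed sample documents with placeholder values, not real credentials.
const SAMPLE_CONFIGS = [
  { service: "facebook", appId: "APP_ID_PLACEHOLDER", secret: "APP_SECRET_PLACEHOLDER", loginStyle: "popup" },
  { service: "google", clientId: "CLIENT_ID_PLACEHOLDER", secret: "CLIENT_SECRET_PLACEHOLDER" },
];
const isOperator = (userId) => userId === "operator-1"; // stands in for a role lookup
const anonymous = { userId: null };
const operator = { userId: "operator-1" };

console.log(leaksSecrets(publishServiceConfigVulnerable(SAMPLE_CONFIGS)));                    // true
console.log(leaksSecrets(publishServiceConfigFixed(SAMPLE_CONFIGS, anonymous, isOperator))); // false
console.log("secret" in publishServiceConfigFixed(SAMPLE_CONFIGS, operator, isOperator)[0]);  // true
```

The same allow-list pattern applies to a separately stored SMS configuration: publish the provider name and public identifiers, never the API key or auth token, and gate the full document behind an operator check.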

What you should do

1. Patch Reaction Commerce

We have prepared a patch release with a fix for every affected minor version since v1.10.0.

v2.0.x

Pull latest from release branch release-2.0.0-rc.6

v1.17.x

Pull latest from release branch release-1.17.0

v1.16.x

Install version v1.16.1

v1.15.x

Install version v1.15.1

v1.14.x

Install version v1.14.2

v1.13.x

Install version v1.13.2

v1.12.x

Install version v1.12.2

v1.11.x

Install version v1.11.1

v1.10.x

Install version v1.10.1

Older than v1.10.x

Please contact security@reactioncommerce.com for patch files for your version.

2. Invalidate Existing Secrets

For any SMS or oAuth provider used by an affected version of Reaction Commerce, you should invalidate any existing secrets immediately.

3. Generate New Secrets

To continue using SMS or oAuth providers through Reaction Commerce, generate new secrets and configure them so that login and notification services remain available to your customers.

If you have any questions about this advisory or about the patches, please contact us at: security@reactioncommerce.com.
