From 1ccdaea398a2d96c3204256610f94f9ee795555b Mon Sep 17 00:00:00 2001 From: Platon Pechlivanis Date: Tue, 20 Jun 2023 11:36:56 +0300 Subject: [PATCH 1/6] Adding the security release notes for Q2 --- .../security-release-notes-202306.0.md | 377 ++++++++++++++++++ 1 file changed, 377 insertions(+) create mode 100644 docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md diff --git a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md new file mode 100644 index 00000000000..e9bcba299fd --- /dev/null +++ b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md 
@@ -0,0 +1,377 @@ +--- +title: Security release notes 202306.0 +description: Security release notes for the Spryker Product release 202306.0 +last_updated: 20/06/2023 +template: concept-topic-template +--- + +The following information pertains to security-related issues that have been recently resolved. All issues are listed by description and affected modules. + +If you need any additional support with this content, [contact our support](mailto:support@spryker.com). If you found a new security vulnerability, inform us through [security@spryker.com](mailto:security@spryker.com). + + +## Stored XSS in Product Pages + +Administrators can place a malicious payload into the description section of new and existing product pages in the Back Office application. This payload is then executed to all users of the shop that visit the affected product pages, resulting in an Cross-Site Scripting (XSS) vulnerability. + +## Affected modules + +spryker/product-management: 0.19.3 - 0.19.35 + + +## Introduced changes + +Sanitisation controls have been implemented to prevent input of malicious payloads within product forms. + +## How to get the fix + +To implement a fix for this vulnerability, the ProductManagement module should be updated to version 0.19.36. + +If your version of `spryker/product-management` is earlier than 0.19.35, follow the below instructions: + +1. Upgrade the `spryker/store` module to version 1.19.0 and `spryker/zed-request-extension` to version 1.1.0 + +```bash +composer require spryker/store:"~1.19.0" spryker/zed-request-extension:"~1.1.0" +composer show spryker/store # Verify the version +composer show spryker/zed-request-extension # Verify the version +``` + +2. 
Upgrade the `spryker/product-management` module to version 0.19.36 + +```bash +composer require spryker/product-management:"~0.19.36" spryker/gui:"~3.48.0" spryker/util-sanitize-xss:"~1.1.0" +composer show spryker/product-management # Verify the version +``` + + +## Cross-company Role Manipulation + +Due to missing access validation controls on the back-end, an administrator user of a company was able to create and update roles for other companies. This attack was possible by manipulating the company ID parameter included in the HTTP requests of the role creation functionality. + +## Affected modules + +spryker-shop/company-page: 1.0.0 - 2.21.0 + + +## Introduced changes + +Access validation controls have been implemented to prevent administrators from being able to create and edit roles for other companies. + +## How to get the fix + +The update requires PHP 8 to be installed. If you are using PHP 7, please see [PHP 8.0 as the minimum version for all Spryker projects](https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/php8-as-a-minimum-version-for-all-spryker-projects.html). + +To implement a fix for this vulnerability, upgrade the CompanyPage module to version 2.22.0: + +```bash +composer require spryker-shop/company-page:"~2.22.0" +composer show spryker-shop/company-page # Verify the version +``` + + +## Unvalidated URL Redirection + +Attackers were able to bypass the redirect URL validation for URLs provided through the GET request parameter and control the website that the user is redirected to. This type of vulnerability can be used in conjunction with social engineering in order to coerce a victim into navigating to a malicious resource or location. + +## Affected modules + +spryker/kernel: 1.0.0-3.72.0 + + +## Introduced changes + +Additional validation controls have been implemented to prevent an attacker from being able to manipulate the location of the URL redirection. 
+ +## How to get the fix + +To implement a fix for this vulnerability, you need to update the Kernel module. + +1. If your version of `spryker/kernel` is 3.72.0, update to version 3.72.1: + +```bash +composer require spryker/kernel:"~3.72.1" +composer show spryker/kernel # Verify the version +``` + +2. If your version of `spryker/kernel` is 3.71.0 or 3.71.1, update to version 3.71.2: + +```bash +composer require spryker/kernel:"~3.71.2" +composer show spryker/kernel # Verify the version +``` + +3. If your version of `spryker/kernel` is 3.70.0, update to version 3.70.1: + +```bash +composer require spryker/kernel:"~3.70.1" +composer show spryker/kernel # Verify the version +``` + +4. If your version of `spryker/kernel` is earlier than 3.69.0, update to version 3.68.1: + +```bash +composer require spryker/kernel:"~3.68.1" +composer show spryker/kernel # Verify the version +``` + + +## Brute-force Attacks in BackOffice Portal + +The BackOffice and Merchant portals were prone to brute-force attacks. By exploiting this type of vulnerability, an attacker was able to systematically attempt different combinations of usernames and passwords against the login pages of the affected portals until a valid combination is identified. + +## Affected modules + +spryker/security-blocker: 1.0.0-1.1.1 + +## Introduced changes + +Maximum login attempts and blocking time can be configured for the affected portals. + +## How to get the fix + +1. Upgrade the `spryker/security-blocker` module version to 1.2.0: + +```bash +composer require spryker/security-blocker:"~1.2.0" +composer show spryker/security-blocker # Verify the version +``` + +2. Upgrade the `spryker/error-handler` module version to 2.8.0: + +```bash +composer require spryker/error-handler:"~2.8.0" +composer show spryker/error-handler # Verify the version +``` + +3. 
Install the `spryker/security-blocker-backoffice` module version 1.0.0: + +```bash +composer require spryker/security-blocker-backoffice:"~1.0.0" +composer show spryker/security-blocker-backoffice # Verify the version +``` + +4. Install the `spryker/security-blocker-backoffice-gui` module version 1.0.0: + +```bash +composer require spryker/security-blocker-backoffice-gui:"~1.0.0" +composer show spryker/security-blocker-backoffice-gui # Verify the version +``` + +5. Install the `spryker/security-blocker-storefront-customer` module version 1.0.0: + +```bash +composer require spryker/security-blocker-storefront-customer:"~1.0.0" +composer show spryker/security-blocker-storefront-customer # Verify the version +``` + +6. Install the `spryker/security-blocker-storefront-agent` module version 1.0.0: + +```bash +composer require spryker/security-blocker-storefront-agent:"~1.0.0" +composer show spryker/security-blocker-storefront-agent # Verify the version +``` + +7. Generate transfers: + +```bash +console transfer:generate +``` + +8. 
Add configuration to `config/Shared/config_default.php` : + +```bash +// >>> Security Blocker Storefront Agent +$config[SecurityBlockerStorefrontAgentConstants::AGENT_BLOCK_FOR_SECONDS] = 360; +$config[SecurityBlockerStorefrontAgentConstants::AGENT_BLOCKING_TTL] = 900; +$config[SecurityBlockerStorefrontAgentConstants::AGENT_BLOCKING_NUMBER_OF_ATTEMPTS] = 9; + +// >>> Security Blocker Storefront Customer +$config[SecurityBlockerStorefrontCustomerConstants::CUSTOMER_BLOCK_FOR_SECONDS] = 360; +$config[SecurityBlockerStorefrontCustomerConstants::CUSTOMER_BLOCKING_TTL] = 900; +$config[SecurityBlockerStorefrontCustomerConstants::CUSTOMER_BLOCKING_NUMBER_OF_ATTEMPTS] = 9; + +// >>> Security Blocker BackOffice user +$config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCKING_TTL] = 900; +$config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCK_FOR_SECONDS] = 360; +$config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCKING_NUMBER_OF_ATTEMPTS] = 9; +``` + +9. Add translations to `data/import/common/common/glossary.csv` : + +```bash +security_blocker_backoffice_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US +security_blocker_backoffice_gui.error.account_blocked,"Warten Sie bitte %minutes% Minuten, bevor Sie es erneut versuchen.",de_DE +``` + +10. Import glossary: + +```bash +console data:import:glossary +``` + +11. Register plugins in `SecurityBlockerDependencyProvider`: + +```bash + + */ + protected function getSecurityBlockerConfigurationSettingsExpanderPlugins(): array + { + return [ + new BackofficeUserSecurityBlockerConfigurationSettingsExpanderPlugin(), + new AgentSecurityBlockerConfigurationSettingsExpanderPlugin(), + new CustomerSecurityBlockerConfigurationSettingsExpanderPlugin(), + ]; + } +} +``` + +12. 
Adjust `src/Pyz/Zed/ErrorHandler/ErrorHandlerConfig.php` : + +```bash + + */ + public function getValidSubRequestExceptionStatusCodes(): array + { + return array_merge( + parent::getValidSubRequestExceptionStatusCodes(), + [ + Response::HTTP_TOO_MANY_REQUESTS, + ], + ); + } +} +``` + +13. Register plugins in `src/Pyz/Zed/EventDispatcher/EventDispatcherDependencyProvider.php` : + +```bash +class EventDispatcherDependencyProvider extends SprykerEventDispatcherDependencyProvider +{ +... + protected function getEventDispatcherPlugins(): array + { + return [ + ... + new SecurityBlockerBackofficeUserEventDispatcherPlugin(), + ]; + } +... +``` + +In case Merchant Portal is also installed, the below should be followed: + +1. Install the `spryker/security-blocker-merchant-portal` module version 1.0.0: + +```bash +composer require spryker/security-blocker-merchant-portal:"~1.0.0" +composer show spryker/security-blocker-merchant-portal # Verify the version +``` + +2. Install the `spryker/security-blocker-merchant-portal-gui` module version 1.0.0: + +```bash +composer require spryker/security-blocker-merchant-portal-gui:"~1.0.0" +composer show spryker/security-blocker-merchant-portal-gui # Verify the version +``` + +3. Generate transfers: + +```bash +console transfer:generate +``` + +4. Register plugins in `src/Pyz/Zed/EventDispatcher/EventDispatcherDependencyProvider.php` : + +```bash +class EventDispatcherDependencyProvider extends SprykerEventDispatcherDependencyProvider +{ +... + protected function getEventDispatcherPlugins(): array + { + return [ + ... + new SecurityBlockerMerchantPortalUserEventDispatcherPlugin(), + ]; + } +... +``` + +5. Register plugins in `SecurityBlockerDependencyProvider`: + +```bash + + */ + protected function getSecurityBlockerConfigurationSettingsExpanderPlugins(): array + { + return [ + ... + new MerchantPortalUserSecurityBlockerConfigurationSettingsExpanderPlugin(), + ]; + } +} +``` + +6. 
Add configuration to `config/Shared/config_default.php` : + +```bash +// >>> Security Blocker MerchantPortal user +$config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCK_FOR_SECONDS] = 360; +$config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCKING_TTL] = 900; +$config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCKING_NUMBER_OF_ATTEMPTS] = 9; +``` + +7. Add translations to `data/import/common/common/glossary.csv` : + +```bash +security_blocker_merchant_portal_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US +security_blocker_merchant_portal_gui.error.account_blocked,"Warten Sie bitte %minutes% Minuten, bevor Sie es erneut versuchen.",de_DE +``` + +8. Import glossary: + +```bash +console data:import:glossary +``` \ No newline at end of file From 99be8b07f2d8bf8af7392a6c970a6c6f5f3a519c Mon Sep 17 00:00:00 2001 From: Vadym Sachenko Date: Tue, 20 Jun 2023 14:50:26 +0300 Subject: [PATCH 2/6] review --- _data/sidebars/scos_user_sidebar.yml | 4 +- .../security-release-notes-202306.0.md | 62 +++++++++---------- 2 files changed, 33 insertions(+), 33 deletions(-) diff --git a/_data/sidebars/scos_user_sidebar.yml b/_data/sidebars/scos_user_sidebar.yml index d50f486417d..67eb7d30881 100644 --- a/_data/sidebars/scos_user_sidebar.yml +++ b/_data/sidebars/scos_user_sidebar.yml 
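Review bot: In the Stored XSS section of the new security-release-notes-202306.0.md, the condition `If your version of spryker/product-management is earlier than 0.19.35` excludes 0.19.35, which the Affected modules line (`0.19.3 - 0.19.35`) lists as vulnerable; since the target is 0.19.36, it should read `earlier than 0.19.36` (or `0.19.35 or earlier`). The Kernel list has a matching gap: the four cases cover 3.72.0, 3.71.0/3.71.1, 3.70.0 and `earlier than 3.69.0`, so a project on 3.69.x, inside the affected range `1.0.0-3.72.0`, gets no instruction. In Security Blocker steps 11, 12 and 13 and Merchant Portal steps 4 and 5, the code blocks start at ` */` or `...`, so the `<?php`, namespace, `use` and class-declaration lines that tell the reader where `BackofficeUserSecurityBlockerConfigurationSettingsExpanderPlugin`, `SecurityBlockerBackofficeUserEventDispatcherPlugin` and `Response` come from are missing, and those blocks, the `$config[...]` blocks and the glossary CSV are all fenced as bash; please restore the file heads and tag the fences php and csv.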
@@ -12,11 +12,13 @@ entries: - title: Release notes url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes.html nested: + - title: Release notes 202306.0 + url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.html - title: Release notes 202304.0 nested: - title: Security release notes 202304.0 url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202304.0/security-release-notes-202304.0.html - - title: Relese notes 202302.0 + - title: Release notes 202302.0 nested: - title: Security release notes 202302.0 url: /docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202302.0/security-release-notes-202302.0.html diff --git a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md index e9bcba299fd..3dbb9427066 100644 --- a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md +++ b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md @@ -1,7 +1,7 @@ --- title: Security release notes 202306.0 description: Security release notes for the Spryker Product release 202306.0 -last_updated: 20/06/2023 +last_updated: Jun 21, 2023 template: concept-topic-template --- 
@@ -10,26 +10,26 @@ The following information pertains to security-related issues that have been rec If you need any additional support with this content, [contact our support](mailto:support@spryker.com). If you found a new security vulnerability, inform us through [security@spryker.com](mailto:security@spryker.com). -## Stored XSS in Product Pages +## Stored XSS in product pages -Administrators can place a malicious payload into the description section of new and existing product pages in the Back Office application. This payload is then executed to all users of the shop that visit the affected product pages, resulting in an Cross-Site Scripting (XSS) vulnerability. +Administrators can place a malicious payload into the description section of new and existing product pages in the Back Office application. This payload is then executed to all users of the shop that visit the affected product pages, resulting in a Cross-Site Scripting (XSS) vulnerability. ## Affected modules -spryker/product-management: 0.19.3 - 0.19.35 +`spryker/product-management`: 0.19.3 - 0.19.35 ## Introduced changes -Sanitisation controls have been implemented to prevent input of malicious payloads within product forms. +Sanitization controls have been implemented to prevent the input of malicious payloads within product forms. ## How to get the fix To implement a fix for this vulnerability, the ProductManagement module should be updated to version 0.19.36. -If your version of `spryker/product-management` is earlier than 0.19.35, follow the below instructions: +If your version of `spryker/product-management` is earlier than 0.19.35, follow these steps: -1. Upgrade the `spryker/store` module to version 1.19.0 and `spryker/zed-request-extension` to version 1.1.0 +1. Upgrade the `spryker/store` module to version 1.19.0 and `spryker/zed-request-extension` to version 1.1.0: ```bash composer require spryker/store:"~1.19.0" spryker/zed-request-extension:"~1.1.0" 
@@ -37,7 +37,7 @@ composer show spryker/store # Verify the version composer show spryker/zed-request-extension # Verify the version ``` -2. Upgrade the `spryker/product-management` module to version 0.19.36 +2. Upgrade the `spryker/product-management` module to version 0.19.36: ```bash composer require spryker/product-management:"~0.19.36" spryker/gui:"~3.48.0" spryker/util-sanitize-xss:"~1.1.0" @@ -47,11 +47,11 @@ composer show spryker/product-management # Verify the version ## Cross-company Role Manipulation -Due to missing access validation controls on the back-end, an administrator user of a company was able to create and update roles for other companies. This attack was possible by manipulating the company ID parameter included in the HTTP requests of the role creation functionality. +Due to missing access validation controls on the backend, an administrator user of a company was able to create and update roles for other companies. This attack was possible by manipulating the company ID parameter included in the HTTP requests of the role creation functionality. ## Affected modules -spryker-shop/company-page: 1.0.0 - 2.21.0 +`spryker-shop/company-page`: 1.0.0-2.21.0 ## Introduced changes 
@@ -60,9 +60,9 @@ Access validation controls have been implemented to prevent administrators from ## How to get the fix -The update requires PHP 8 to be installed. If you are using PHP 7, please see [PHP 8.0 as the minimum version for all Spryker projects](https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/php8-as-a-minimum-version-for-all-spryker-projects.html). +The update requires PHP 8 to be installed. If you are using PHP 7, see [PHP 8.0 as the minimum version for all Spryker projects](https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/php8-as-a-minimum-version-for-all-spryker-projects.html). -To implement a fix for this vulnerability, upgrade the CompanyPage module to version 2.22.0: +To implement a fix for this vulnerability, upgrade the company page module to version 2.22.0: ```bash composer require spryker-shop/company-page:"~2.22.0" @@ -72,12 +72,11 @@ composer show spryker-shop/company-page # Verify the version ## Unvalidated URL Redirection -Attackers were able to bypass the redirect URL validation for URLs provided through the GET request parameter and control the website that the user is redirected to. This type of vulnerability can be used in conjunction with social engineering in order to coerce a victim into navigating to a malicious resource or location. +Attackers were able to bypass the redirect URL validation for URLs provided through the GET request parameter and control the website that the user is redirected to. This type of vulnerability can be used in conjunction with social engineering to coerce a victim into navigating to a malicious resource or location. ## Affected modules -spryker/kernel: 1.0.0-3.72.0 - +`spryker/kernel`: 1.0.0-3.72.0 ## Introduced changes 
@@ -85,44 +84,43 @@ Additional validation controls have been implemented to prevent an attacker from ## How to get the fix -To implement a fix for this vulnerability, you need to update the Kernel module. +To implement a fix for this vulnerability, update the Kernel module: -1. If your version of `spryker/kernel` is 3.72.0, update to version 3.72.1: +* If your version of `spryker/kernel` is 3.72.0, update to version 3.72.1: ```bash composer require spryker/kernel:"~3.72.1" composer show spryker/kernel # Verify the version ``` -2. If your version of `spryker/kernel` is 3.71.0 or 3.71.1, update to version 3.71.2: +* If your version of `spryker/kernel` is 3.71.0 or 3.71.1, update to version 3.71.2: ```bash composer require spryker/kernel:"~3.71.2" composer show spryker/kernel # Verify the version ``` -3. If your version of `spryker/kernel` is 3.70.0, update to version 3.70.1: +* If your version of `spryker/kernel` is 3.70.0, update to version 3.70.1: ```bash composer require spryker/kernel:"~3.70.1" composer show spryker/kernel # Verify the version ``` -4. If your version of `spryker/kernel` is earlier than 3.69.0, update to version 3.68.1: +* If your version of `spryker/kernel` is earlier than 3.69.0, update to version 3.68.1: ```bash composer require spryker/kernel:"~3.68.1" composer show spryker/kernel # Verify the version ``` +## Brute-force Attacks in the Back Office -## Brute-force Attacks in BackOffice Portal - -The BackOffice and Merchant portals were prone to brute-force attacks. By exploiting this type of vulnerability, an attacker was able to systematically attempt different combinations of usernames and passwords against the login pages of the affected portals until a valid combination is identified. +The Back Office and Merchant portals were prone to brute-force attacks. 
By exploiting this type of vulnerability, an attacker was able to systematically attempt different combinations of usernames and passwords against the login pages of the affected portals until a valid combination is identified. ## Affected modules -spryker/security-blocker: 1.0.0-1.1.1 +`spryker/security-blocker`: 1.0.0-1.1.1 ## Introduced changes @@ -178,7 +176,7 @@ composer show spryker/security-blocker-storefront-agent # Verify the version console transfer:generate ``` -8. Add configuration to `config/Shared/config_default.php` : +8. Add configuration to `config/Shared/config_default.php`: ```bash // >>> Security Blocker Storefront Agent @@ -197,7 +195,7 @@ $config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCK_FOR_SECONDS] = $config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCKING_NUMBER_OF_ATTEMPTS] = 9; ``` -9. Add translations to `data/import/common/common/glossary.csv` : +9. Add translations to `data/import/common/common/glossary.csv`: ```bash security_blocker_backoffice_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US @@ -238,7 +236,7 @@ class SecurityBlockerDependencyProvider extends SprykerSecurityBlockerDependency } ``` -12. Adjust `src/Pyz/Zed/ErrorHandler/ErrorHandlerConfig.php` : +12. Adjust `src/Pyz/Zed/ErrorHandler/ErrorHandlerConfig.php`: ```bash >> Security Blocker MerchantPortal user @@ -363,7 +361,7 @@ $config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCKING_TT $config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCKING_NUMBER_OF_ATTEMPTS] = 9; ``` -7. Add translations to `data/import/common/common/glossary.csv` : +7. Add translations to `data/import/common/common/glossary.csv`: ```bash security_blocker_merchant_portal_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US 
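Review bot: In the scos_user_sidebar.yml hunk, the new `Release notes 202306.0` entry links straight to the security release notes URL, while the 202304.0 and 202302.0 entries beside it are parents with a nested `Security release notes ...` child that carries the URL. Keeping the same shape (a `Release notes 202306.0` parent with a nested `Security release notes 202306.0` entry) avoids a sidebar item whose title does not match the page it opens and leaves room for the general 202306.0 release notes later. The `Relese` fix in the same hunk is welcome.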
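Review bot: In the `@@ -10,26` and `@@ -47,11` hunks the version ranges end up in two styles: `spryker/product-management` keeps `0.19.3 - 0.19.35` with spaces around the dash while `spryker-shop/company-page` is changed to `1.0.0-2.21.0`; pick one form for every Affected modules line. The reworded step `If your version of spryker/product-management is earlier than 0.19.35, follow these steps:` still leaves 0.19.35, which is listed as affected, without instructions; `earlier than 0.19.36` matches the target version stated two lines above.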
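Review bot: In the `@@ -60,9` hunk, `upgrade the company page module` lowercases the module name, whereas the other sections keep the PascalCase name (`ProductManagement module`, `Kernel module`); `CompanyPage module` is consistent with them. In the `@@ -85,44` hunk, switching the Kernel alternatives from a numbered list to bullets is right since only one of them applies, but the new heading `## Brute-force Attacks in the Back Office` keeps Title Case while `## Stored XSS in product pages` in the same patch moved to sentence case, and its first sentence still says `The Back Office and Merchant portals`, so the heading now names only one of the two affected portals.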
From 78b39a4b46576f6b9e44a72649cd05664a7852da Mon Sep 17 00:00:00 2001 From: Vadym Sachenko Date: Tue, 20 Jun 2023 15:07:08 +0300 Subject: [PATCH 3/6] Update security-release-notes-202306.0.md review --- .../release-notes-202306.0/security-release-notes-202306.0.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md index 3dbb9427066..ba59fc4842c 100644 --- a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md +++ b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md @@ -9,7 +9,6 @@ The following information pertains to security-related issues that have been rec If you need any additional support with this content, [contact our support](mailto:support@spryker.com). If you found a new security vulnerability, inform us through [security@spryker.com](mailto:security@spryker.com). - ## Stored XSS in product pages Administrators can place a malicious payload into the description section of new and existing product pages in the Back Office application. This payload is then executed to all users of the shop that visit the affected product pages, resulting in a Cross-Site Scripting (XSS) vulnerability. @@ -18,7 +17,6 @@ Administrators can place a malicious payload into the description section of new `spryker/product-management`: 0.19.3 - 0.19.35 - ## Introduced changes Sanitization controls have been implemented to prevent the input of malicious payloads within product forms. 
@@ -44,7 +42,6 @@ composer require spryker/product-management:"~0.19.36" spryker/gui:"~3.48.0" spr composer show spryker/product-management # Verify the version ``` - ## Cross-company Role Manipulation Due to missing access validation controls on the backend, an administrator user of a company was able to create and update roles for other companies. This attack was possible by manipulating the company ID parameter included in the HTTP requests of the role creation functionality. @@ -53,7 +50,6 @@ Due to missing access validation controls on the backend, an administrator user `spryker-shop/company-page`: 1.0.0-2.21.0 - ## Introduced changes Access validation controls have been implemented to prevent administrators from being able to create and edit roles for other companies. From 17050370e575c791ac0ac5ea13de6924ca18ac6d Mon Sep 17 00:00:00 2001 From: Vadym Sachenko Date: Tue, 20 Jun 2023 17:07:50 +0300 Subject: [PATCH 4/6] Update security-release-notes-202306.0.md review --- .../security-release-notes-202306.0.md | 46 +++++++++---------- 1 file changed, 23 insertions(+), 23 deletions(-) diff --git a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md index ba59fc4842c..d8529de9e75 100644 --- a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md +++ b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md 
@@ -13,15 +13,15 @@ If you need any additional support with this content, [contact our support](mail Administrators can place a malicious payload into the description section of new and existing product pages in the Back Office application. This payload is then executed to all users of the shop that visit the affected product pages, resulting in a Cross-Site Scripting (XSS) vulnerability. -## Affected modules +### Affected modules `spryker/product-management`: 0.19.3 - 0.19.35 -## Introduced changes +### Introduced changes Sanitization controls have been implemented to prevent the input of malicious payloads within product forms. -## How to get the fix +### How to get the fix To implement a fix for this vulnerability, the ProductManagement module should be updated to version 0.19.36. @@ -42,19 +42,19 @@ composer require spryker/product-management:"~0.19.36" spryker/gui:"~3.48.0" spr composer show spryker/product-management # Verify the version ``` -## Cross-company Role Manipulation +## Cross-company role manipulation Due to missing access validation controls on the backend, an administrator user of a company was able to create and update roles for other companies. This attack was possible by manipulating the company ID parameter included in the HTTP requests of the role creation functionality. -## Affected modules +### Affected modules `spryker-shop/company-page`: 1.0.0-2.21.0 -## Introduced changes +### Introduced changes Access validation controls have been implemented to prevent administrators from being able to create and edit roles for other companies. -## How to get the fix +### How to get the fix The update requires PHP 8 to be installed. If you are using PHP 7, see [PHP 8.0 as the minimum version for all Spryker projects](https://docs.spryker.com/docs/scos/user/intro-to-spryker/whats-new/php8-as-a-minimum-version-for-all-spryker-projects.html). 
@@ -66,19 +66,19 @@ composer show spryker-shop/company-page # Verify the version ``` -## Unvalidated URL Redirection +## Unvalidated URL redirection Attackers were able to bypass the redirect URL validation for URLs provided through the GET request parameter and control the website that the user is redirected to. This type of vulnerability can be used in conjunction with social engineering to coerce a victim into navigating to a malicious resource or location. -## Affected modules +### Affected modules `spryker/kernel`: 1.0.0-3.72.0 -## Introduced changes +### Introduced changes Additional validation controls have been implemented to prevent an attacker from being able to manipulate the location of the URL redirection. -## How to get the fix +### How to get the fix To implement a fix for this vulnerability, update the Kernel module: @@ -114,15 +114,15 @@ composer show spryker/kernel # Verify the version The Back Office and Merchant portals were prone to brute-force attacks. By exploiting this type of vulnerability, an attacker was able to systematically attempt different combinations of usernames and passwords against the login pages of the affected portals until a valid combination is identified. -## Affected modules +### Affected modules `spryker/security-blocker`: 1.0.0-1.1.1 -## Introduced changes +### Introduced changes Maximum login attempts and blocking time can be configured for the affected portals. -## How to get the fix +### How to get the fix 1. Upgrade the `spryker/security-blocker` module version to 1.2.0: @@ -174,7 +174,7 @@ console transfer:generate 8. Add configuration to `config/Shared/config_default.php`: -```bash +```php // >>> Security Blocker Storefront Agent $config[SecurityBlockerStorefrontAgentConstants::AGENT_BLOCK_FOR_SECONDS] = 360; $config[SecurityBlockerStorefrontAgentConstants::AGENT_BLOCKING_TTL] = 900; 
@@ -193,7 +193,7 @@ $config[SecurityBlockerBackofficeConstants::BACKOFFICE_USER_BLOCKING_NUMBER_OF_A 9. Add translations to `data/import/common/common/glossary.csv`: -```bash +```csv security_blocker_backoffice_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US security_blocker_backoffice_gui.error.account_blocked,"Warten Sie bitte %minutes% Minuten, bevor Sie es erneut versuchen.",de_DE ``` @@ -206,7 +206,7 @@ console data:import:glossary 11. Register plugins in `SecurityBlockerDependencyProvider`: -```bash +```php >> Security Blocker MerchantPortal user $config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCK_FOR_SECONDS] = 360; $config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCKING_TTL] = 900; @@ -359,7 +359,7 @@ $config[SecurityBlockerMerchantPortalConstants::MERCHANT_PORTAL_USER_BLOCKING_NU 7. Add translations to `data/import/common/common/glossary.csv`: -```bash +```csv security_blocker_merchant_portal_gui.error.account_blocked,"Too many log in attempts from your address. Please wait %minutes% minutes before trying again.",en_US security_blocker_merchant_portal_gui.error.account_blocked,"Warten Sie bitte %minutes% Minuten, bevor Sie es erneut versuchen.",de_DE ``` From 5360af38ef3038fe22e3ecbac1cb90efd7ab286e Mon Sep 17 00:00:00 2001 From: ppechlivanis-spryker <128505516+ppechlivanis-spryker@users.noreply.github.com> Date: Mon, 26 Jun 2023 11:18:30 +0300 Subject: [PATCH 5/6] Add 2 security vulnerabilities in security-release-notes-202306.0.md --- .../security-release-notes-202306.0.md | 152 +++++++++++++++++- 1 file changed, 151 insertions(+), 1 deletion(-) diff --git a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md index d8529de9e75..a26468d6465 100644 
--- a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md +++ b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md 
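Review bot: In the `@@ -206,7` hunk (and the matching `@@ -174,7`, `@@ -193,7` and `@@ -359,7` hunks), retagging the fences as php and csv fixes the highlighting, but the PHP block under `Register plugins in SecurityBlockerDependencyProvider` still begins at ` */`, after the namespace, `use` and class-declaration lines were cut, so a reader now gets a php-tagged fragment that does not show which classes to import for `BackofficeUserSecurityBlockerConfigurationSettingsExpanderPlugin` and the other plugins. Restoring the file head in the same pass would make the blocks match their new language tag. The `##` to `###` changes for Affected modules, Introduced changes and How to get the fix are good: they make those subsections children of each vulnerability heading instead of siblings.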
@@ -368,4 +368,154 @@ security_blocker_merchant_portal_gui.error.account_blocked,"Warten Sie bitte %mi ```bash console data:import:glossary -``` \ No newline at end of file +``` + +## Weak Input Validation for Customer Address Field + +The parameters related to the address field had insufficient server-side input validation. By supplying invalid or potentially malicious parameter values, an attacker might be able to cause the server in responding in an unexpected way. + +### Affected modules + +`spryker-shop/customer-page`: 0.1.0 - 2.41.0 +`spryker-shop/company-page`: 0.0.1 - 2.22.0 +`spryker/customer`: 0.20.0 - 7.51.2 +`spryker/company-unit-address-gui`: 0.1.0 - 1.3.0 +`spryker/merchant-profile-gui`: 0.1.0 - 1.2.0 + +### Introduced changes + +Input validation controls have been implemented server-side for validating address submitted values. + +### How to get the fix + +To implement a fix for this vulnerability, the ShopUi, CustomerPage, CompanyPage, Customer, CompanyUnitAddressGui, and MerchantProfileGui modules should be updated: + +1. Upgrade the `spryker-shop/shop-ui` module to at least version 1.70.0: + +```bash +composer require spryker-shop/shop-ui:"^1.70.0" +composer show spryker-shop/customer-page # Verify the version +``` + +2. Add the SanitizeXssTypeExtensionFormPlugin plugin to FormDependencyProvider: +src/Pyz/Yves/Form/FormDependencyProvider.php + +```bash + + */ + protected function getFormPlugins(): array + { + return [ + new SanitizeXssTypeExtensionFormPlugin(), + ]; + } +} +``` + +3. Upgrade the `spryker-shop/customer-page` module to version 2.42.0: + +```bash +composer require spryker-shop/customer-page:"~2.42.0" +composer show spryker-shop/customer-page # Verify the version +``` + +4. Upgrade the `spryker-shop/company-page` module to version 2.23.0: + +```bash +composer require spryker-shop/company-page:"~2.23.0" +composer show spryker-shop/company-page # Verify the version +``` + +5. 
Upgrade the `spryker/customer` module: + +5.1 If your version of `spryker/customer` is 7.42.0 and later, update it to version 7.51.3: + +```bash +composer require spryker/customer:"~7.51.3" +composer show spryker/customer # Verify the version +``` + +5.2 If your version of `spryker/customer` is earlier than 7.42.0, update it to version 7.42.1: + +```bash +composer require spryker/customer:"~7.42.1" +composer show spryker/customer # Verify the version +``` + +5.3 If your version of `spryker/customer` is earlier than 7.50.0, update to version 7.50.1: + +```bash +composer require spryker/customer:"~7.50.1" +composer show spryker/customer # Verify the version +``` + +6. Upgrade the `spryker/company-unit-address-gui` module to version 1.3.1: + +```bash +composer require spryker/company-unit-address-gui:"~1.3.1" +composer show spryker/company-unit-address-gui # Verify the version +``` + +7. Upgrade the `spryker/merchant-profile-gui` module version to 1.2.1: + +```bash +composer require spryker/merchant-profile-gui:"~1.2.1" +composer show spryker/merchant-profile-gui # Verify the version +``` + +## Outdated Third-Party Library (guzzlehttp/psr7) + +An outdated version of the guzzlehttp/psr7 library was identified to affect Spryker’s applications. The version in use (2.4.3) was affected by a publicly know vulnerability that could allow an attacker sneak in a newline (\n) into both the header names and values (CVE-2023-29197). + +### Affected modules + +`spryker/guzzle`: 0.20.0 - 2.4.0 +`spryker/message-broker-aws`: 1.0.0 - 1.4.2 +`spryker/secrets-manager-aws`: 1.0.0 - 1.0.1 +`spryker/oauth-auth0` : 1.0.0 + +### Introduced changes + +The affected library has been upgraded. + +### How to get the fix + +To implement a fix for this vulnerability, the Guzzle, MessageBrokerAws, SecretsManagerAws, and OauthAuth0 modules should be updated: + +1. 
Upgrade `spryker/guzzle` module to version 2.4.1: + +```bash +composer require spryker/guzzle:"^2.4.1" +composer show spryker/guzzle # Verify the version +``` + +2. Upgrade the `spryker/message-broker-aws` module to version 1.4.3: + +```bash +composer require spryker/message-broker-aws:"^1.4.3" +composer show spryker/message-broker-aws # Verify the version +``` + +3. Upgrade the `spryker/secrets-manager-aws` module to version 1.0.2: + +```bash +composer require spryker/secrets-manager-aws:"^1.0.2" +composer show spryker/secrets-manager-aws # Verify the version +``` + +4. Upgrade the `spryker/oauth-auth0` module to version 1.0.1: + +```bash +composer require spryker/oauth-auth0:"^1.0.1" +composer show spryker/oauth-auth0 # Verify the version +``` From e160eab58ded8cbf5f9290156d2c3e1d2977d94c Mon Sep 17 00:00:00 2001 From: Helen Kravchenko Date: Mon, 26 Jun 2023 11:17:59 +0200 Subject: [PATCH 6/6] Fixing the added sections --- .../security-release-notes-202306.0.md | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md index a26468d6465..0cccd3b767a 100644 --- a/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md +++ b/docs/scos/user/intro-to-spryker/releases/release-notes/release-notes-202306.0/security-release-notes-202306.0.md 
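Review bot: the three conditions in step 5 of the address-validation section overlap: 5.1 applies to `spryker/customer` "7.42.0 and later" (target 7.51.3), 5.2 to "earlier than 7.42.0" (target 7.42.1) and 5.3 to "earlier than 7.50.0" (target 7.50.1), so an installation on any 7.42.x to 7.49.x release matches both 5.1 and 5.3 and is given two different target versions. State each sub-step as an explicit, non-overlapping version range (lower and upper bound) and order them ascending; if the intent is one patch release per maintenance line, say so. Further in the same hunk: step 1 installs `spryker-shop/shop-ui` but verifies with `composer show spryker-shop/customer-page`, which should be `composer show spryker-shop/shop-ui`; the step 2 snippet is PHP but fenced as ```bash (the previous commit in this series changed exactly this kind of fence to ```php) and begins mid-docblock at ` */` with no `<?php`, namespace, `use` import for `SanitizeXssTypeExtensionFormPlugin` or class declaration, so it cannot be pasted as shown; `spryker-shop/shop-ui` is named in the fix steps but missing from the "Affected modules" list; step 1 uses a caret constraint (`^1.70.0`) while every other step uses tilde, which is probably unintended. In the guzzlehttp/psr7 section, "publicly know" should be "publicly known" and "allow an attacker sneak in" should be "allow an attacker to sneak in".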
@@ -370,9 +370,9 @@ security_blocker_merchant_portal_gui.error.account_blocked,"Warten Sie bitte %mi console data:import:glossary ``` -## Weak Input Validation for Customer Address Field +## Weak input validation for the customer address field -The parameters related to the address field had insufficient server-side input validation. By supplying invalid or potentially malicious parameter values, an attacker might be able to cause the server in responding in an unexpected way. +The parameters related to the address field had insufficient server-side input validation. By supplying invalid or potentially malicious parameter values, an attacker might be able to cause the server to respond in an unexpected way. ### Affected modules @@ -384,11 +384,11 @@ The parameters related to the address field had insufficient server-side input v ### Introduced changes -Input validation controls have been implemented server-side for validating address submitted values. +Input validation controls have been implemented on the server side to validate values submitted in the address field. ### How to get the fix -To implement a fix for this vulnerability, the ShopUi, CustomerPage, CompanyPage, Customer, CompanyUnitAddressGui, and MerchantProfileGui modules should be updated: +To implement a fix for this vulnerability, update the ShopUi, CustomerPage, CompanyPage, Customer, CompanyUnitAddressGui, and MerchantProfileGui modules: 1. Upgrade the `spryker-shop/shop-ui` module to at least version 1.70.0: @@ -397,7 +397,7 @@ composer require spryker-shop/shop-ui:"^1.70.0" composer show spryker-shop/customer-page # Verify the version ``` -2. Add the SanitizeXssTypeExtensionFormPlugin plugin to FormDependencyProvider: +2. Add the `SanitizeXssTypeExtensionFormPlugin` plugin to `FormDependencyProvider`: src/Pyz/Yves/Form/FormDependencyProvider.php ```bash 
@@ -452,7 +452,7 @@ composer require spryker/customer:"~7.42.1" composer show spryker/customer # Verify the version ``` -5.3 If your version of `spryker/customer` is earlier than 7.50.0, update to version 7.50.1: +5.3 If your version of `spryker/customer` is earlier than 7.50.0, update it to version 7.50.1: ```bash composer require spryker/customer:"~7.50.1" @@ -473,9 +473,9 @@ composer require spryker/merchant-profile-gui:"~1.2.1" composer show spryker/merchant-profile-gui # Verify the version ``` -## Outdated Third-Party Library (guzzlehttp/psr7) +## Outdated third-party library guzzlehttp/psr7 -An outdated version of the guzzlehttp/psr7 library was identified to affect Spryker’s applications. The version in use (2.4.3) was affected by a publicly know vulnerability that could allow an attacker sneak in a newline (\n) into both the header names and values (CVE-2023-29197). +An outdated version of the _guzzlehttp/psr7_ library was identified to affect Spryker’s applications. The version in use, 2.4.3, was affected by a publicly known vulnerability that could allow an attacker to sneak in a newline (\n) into both the header names and values (CVE-2023-29197). ### Affected modules @@ -490,9 +490,9 @@ The affected library has been upgraded. ### How to get the fix -To implement a fix for this vulnerability, the Guzzle, MessageBrokerAws, SecretsManagerAws, and OauthAuth0 modules should be updated: +To implement a fix for this vulnerability, update the Guzzle, MessageBrokerAws, SecretsManagerAws, and OauthAuth0 modules: -1. Upgrade `spryker/guzzle` module to version 2.4.1: +1. Upgrade the `spryker/guzzle` module to version 2.4.1: ```bash composer require spryker/guzzle:"^2.4.1"
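Review bot: the hunk at @@ -397 only wraps two identifiers in backticks, but its context lines still carry two defects from the previous commit that a "Fixing the added sections" commit should take: `composer show spryker-shop/customer-page # Verify the version` follows the `spryker-shop/shop-ui` install and should check `spryker-shop/shop-ui`, and the ```bash fence at the end of the hunk opens a PHP snippet and should be ```php.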
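Review bot: at @@ -452 the wording fix to 5.3 ("update it to version 7.50.1") leaves the real problem in place: its condition "earlier than 7.50.0" still overlaps 5.1's "7.42.0 and later" from the previous commit, so 7.42.x to 7.49.x installations are sent to two different target versions. Rewrite 5.1 to 5.3 as disjoint, ascending version ranges in this commit.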
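Review bot: in the hunk at @@ -473 the library name is set in italics (_guzzlehttp/psr7_) while every other package on the page uses backticks (`spryker/guzzle`); use backticks for consistency, and put the escape sequence `\n` in backticks as well so the backslash survives Markdown rendering. Consider also naming the impact: the advisory for CVE-2023-29197 describes improper header validation in guzzlehttp/psr7 that allows HTTP header injection, which tells readers what exposure they are assessing.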
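Review bot: at @@ -490 the "Introduced changes" context still reads only "The affected library has been upgraded." without naming the guzzlehttp/psr7 version the updated modules now require. Because psr7 is a transitive dependency, state the fixed library version (upstream patched this in 2.4.5 for the 2.x line and 1.9.1 for 1.x) and add `composer show guzzlehttp/psr7 # Verify the version` after the last module upgrade so readers can confirm the vulnerable 2.4.3 is actually gone from their lock file.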