Security Bulletin 2018-001
- CVE Identifier: CVE-2018-5763
- CVSS Score: 4.9
- Release Date: January 30th 2018
The following vulnerability has been identified:
Synopsis
An attacker is able to bring servers to standstill by calling specially crafted URLs if OXID High Performance Option is activated and Varnish is used (denial of service/DoS).
State
- until now, no 0-day exploit is known
- resolved, patch releases as well as workarounds available
Impact
By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used.
Affected products, releases and platforms
Products:
- OXID eShop Enterprise Edition (“EE”)
Releases:
- All OXID eShop versions up to 5.3.x
- All OXID eShop 6 (version 6.0.0)
Platforms:
- Named above releases are affected on all platforms
Resolution
The issue has already been resolved in the following releases:
- OXID eShop Enterprise Edition v6.0.1
- OXID eShop Enterprise Edition v5.3.7
Bug tracker entry (will remain in “private” state): https://bugs.oxid-esales.com/view.php?id=6678
Workarounds
Please apply the following fix to Varnish default.vcl state – vcl_recv:
if (req.esi_level > 1 && req.url !~ "&cl=oxwarticlebox") {
return (synth(405, "Not allowed."));
}This prevents from displaying any widget in widget except of oxwarticlebox which OXID uses in oxwarticledetails widget. However, please make sure your shop doesn’t use other widgets in a widget (that no widget return ESI include).
Credits
Many thanks to Timo Terhaar at Laudert. who found this security issue and immediately reported it.
Stay up-to-date
To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.
How to report security issues
Learn how to report security issues in the Security overview page.
OXID eSales AG
Start the discussion at OXID forums