Security Bulletin 2018-001

• CVE Identifier: CVE-2018-5763
• CVSS Score: 4.9
• Release Date: January 30th 2018

The following vulnerability has been identified:

Synopsis

An attacker is able to bring servers to standstill by calling specially crafted URLs if OXID High Performance Option is activated and Varnish is used (denial of service/DoS).

State

• until now, no 0-day exploit is known
• resolved, patch releases as well as workarounds available

Impact

By entering specially crafted URLs, an attacker is able to bring the shop server to a standstill and hence, it stops working. This is only valid if OXID High Performance Option is activated and Varnish is used.

Affected products, releases and platforms

Products:

• OXID eShop Enterprise Edition (“EE”)

Releases:

• All OXID eShop versions up to 5.3.x
• All OXID eShop 6 (version 6.0.0)

Platforms:

• Named above releases are affected on all platforms

Resolution

The issue has already been resolved in the following releases:

• OXID eShop Enterprise Edition v6.0.1
• OXID eShop Enterprise Edition v5.3.7

Bug tracker entry (will remain in “private” state): https://bugs.oxid-esales.com/view.php?id=6678

Workarounds

Please apply the following fix to Varnish default.vcl state – vcl_recv:

if (req.esi_level > 1 && req.url !~ "&cl=oxwarticlebox") {
    return (synth(405, "Not allowed."));
}

This prevents from displaying any widget in widget except of oxwarticlebox which OXID uses in oxwarticledetails widget. However, please make sure your shop doesn’t use other widgets in a widget (that no widget return ESI include).

Credits

Many thanks to Timo Terhaar at Laudert. who found this security issue and immediately reported it.

Stay up-to-date

To receive upcoming OXID Security Bulletins, please subscribe to the RSS feed: https://oxidforge.org/en/shop/development-security/feed.

How to report security issues

Learn how to report security issues in the Security overview page.