Reaction Commerce v1.17.1 Release Notes

Release Date: 2018-11-26
  • v1.17.1

    Security Release

    This security release addresses two potential vulnerabilities.

    We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.

    Remove dependency on event-stream

    Event Stream Dependency Removal

    This fix removes a dependency on event-stream that nodemon introduced via pstree, by bumping nodemon (and pstree.remy through nodemon) to a version that does not include pstree.

    event-stream had a malicious bit of code added in version 3.3.6, which has since been removed from GitHub and appears to have specifically targeted copay.

    From the original post in the event-stream repo:

    Am I affected?:
    > If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:

    $ npm ls event-stream flatmap-stream ... [email protected] ...

    What does it do:
    > Other users have done some good analysis of what these payloads actually do.
    dominictarr/event-stream#116 (comment)
    dominictarr/event-stream#116 (comment)
    dominictarr/event-stream#116 (comment)

    What can I do:
    > By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.

    See the issue on the event-stream repo for more information: dominictarr/event-stream#116
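    `npm ls` answers the question for one checkout; the same check can be run offline against a committed package-lock.json. The script below is an added example, not code from the Reaction project: it walks the nested lockfile-v1 layout (the format npm produced in 2018) and reports every dependency chain that reaches a flagged version. The only indicator taken from these notes is event-stream 3.3.6; the sample lockfile and its other version numbers are constructed.

```javascript
// Added example (not from the Reaction release notes): walk an npm
// package-lock.json in the nested lockfile-v1 layout and report every
// dependency chain that reaches a flagged package version. The only
// indicator taken from the notes is event-stream 3.3.6; the lockfile
// below is constructed for the demo, so its other versions are made up.
const BAD_VERSIONS = { "event-stream": new Set(["3.3.6"]) };

// Depth-first walk over nested "dependencies" objects, carrying the chain
// from the root so each hit is reported as "a@1 > b@2 > bad@3".
function findBadDependencies(lock, bad = BAD_VERSIONS, chain = [], hits = []) {
  const deps = lock.dependencies || {};
  for (const [name, entry] of Object.entries(deps)) {
    const path = chain.concat(`${name}@${entry.version}`);
    if (Object.prototype.hasOwnProperty.call(bad, name) && bad[name].has(entry.version)) {
      hits.push(path.join(" > "));
    }
    // Non-hoisted copies live under the entry's own "dependencies" key.
    findBadDependencies(entry, bad, path, hits);
  }
  return hits;
}

// Constructed sample lockfile mirroring the chain the notes describe
// (nodemon -> pstree.remy -> event-stream) plus a clean hoisted event-stream.
const SAMPLE_LOCK = {
  name: "demo-shop",
  lockfileVersion: 1,
  dependencies: {
    nodemon: {
      version: "1.18.6",
      dependencies: {
        "pstree.remy": {
          version: "1.1.0",
          dependencies: {
            "ps-tree": { version: "1.1.1" },
            "event-stream": { version: "3.3.6" },
          },
        },
      },
    },
    "event-stream": { version: "3.3.4" },
  },
};

console.log(findBadDependencies(SAMPLE_LOCK).join("\n") || "no flagged versions found");
```

    To scan a real project, parse its package-lock.json with JSON.parse and pass the result to findBadDependencies; an empty array means no flagged version is reachable from the root.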

    Reaction Social Issue Overview

    This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social, and it's unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not have an impact on the use of Facebook OAuth login, which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for OAuth login via Facebook.

    Vulnerability

    OAuth Service Configuration Publication Vulnerability
    Severity: High
    Description: OAuth social plugin secrets could be shared with unauthenticated users via a publication.
    Affected Installations: Any shops with a configured Facebook appSecret in the Reaction Social dashboard.
    Affected Versions: All versions greater than or equal to v0.5.3
    Remediation: Apply patch or upgrade to a patched version of Reaction Commerce.
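    The bug class behind this advisory is a server publication that returns a whole settings document, so every field in it, a secret included, reaches any subscriber. The snippet below is an added example written for these notes, not Reaction's own code: it shows that over-publishing shape beside a field-whitelisted fix in the style of a Meteor publish handler, plus an offline helper that applies the same whitelist so the effect can be checked without a server. The collection, publication selector, field names and the settings.public layout are hypothetical.

```javascript
// Added example (not Reaction's own code): the over-publishing pattern behind
// "secrets shared with unauthenticated users via a publication", beside a
// field-whitelisted fix. Collection, selector and field names are hypothetical.
// Fields a browser client actually needs to render social-share buttons.
const SOCIAL_PUBLIC_FIELDS = ["_id", "name", "settings.public"];
// Vulnerable shape: a Meteor.publish handler returning the whole settings
// document sends every field, appSecret included, to any subscriber.
function vulnerableSocialPublish(Packages) {
  return Packages.find({ name: "reaction-social" });
}
// Hardened shape: a Mongo projection built from the whitelist, so anything
// stored outside settings.public can never reach the wire.
function hardenedSocialPublish(Packages) {
  const fields = Object.fromEntries(SOCIAL_PUBLIC_FIELDS.map((f) => [f, 1]));
  return Packages.find({ name: "reaction-social" }, { fields });
}
// Same whitelist applied to a plain document, so the projection's effect can
// be checked offline without a running Meteor server.
function projectPublicFields(doc, allowed = SOCIAL_PUBLIC_FIELDS) {
  const out = {};
  for (const path of allowed) {
    const parts = path.split(".");
    let src = doc, dst = out;
    for (let i = 0; i < parts.length; i++) {
      if (src === null || typeof src !== "object" || !(parts[i] in src)) break;
      if (i === parts.length - 1) { dst[parts[i]] = src[parts[i]]; break; }
      dst[parts[i]] = dst[parts[i]] || {};
      src = src[parts[i]]; dst = dst[parts[i]];
    }
  }
  return out;
}
// True when a secret-looking key would go out to the client.
function leaksSecret(doc) { return JSON.stringify(doc).includes("appSecret"); }
// Constructed sample document; the secret value is a placeholder.
const SAMPLE_PACKAGE = {
  _id: "pkg1", name: "reaction-social", shopId: "shop1",
  settings: {
    public: { apps: { facebook: { appId: "123456", enabled: true } } },
    apps: { facebook: { appSecret: "PLACEHOLDER_APP_SECRET" } },
  },
};

console.log("full document leaks secret:", leaksSecret(SAMPLE_PACKAGE)); // true
console.log("projected document leaks secret:", leaksSecret(projectPublicFields(SAMPLE_PACKAGE))); // false
```

    The durable fix is the one the advisory takes as well: stop storing the secret in a client-visible settings document at all, and treat the projection as defence in depth.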

    Patches

    Patches are attached to this release.

    Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.

    Two patch files for removing the UI, depending on software version:
    fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch
    fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch
    Version-specific migration patch files for removing the appSecret from the database:
    fb-app-secret-migration-v2.0.0-rc.6-2018-11-19.patch
    fb-app-secret-migration-v1.17.0-2018-11-19.patch
    fb-app-secret-migration-v1.16.0-2018-11-19.patch
    fb-app-secret-migration-v1.15.0-2018-11-19.patch
    fb-app-secret-migration-v1.14.0-2018-11-19.patch
    fb-app-secret-migration-v1.13.0-2018-11-19.patch
    fb-app-secret-migration-v1.12.0-2018-11-19.patch
    fb-app-secret-migration-v1.11.0-2018-11-19.patch
    fb-app-secret-migration-v1.10.0-2018-11-19.patch

    Recommendations

    Option 1: Install patched version of Reaction Commerce

    If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.

    Option 2: Patch it yourself

    Remove Facebook App Secret from social plugin settings

    Check the social settings operator panel. It can be accessed by clicking an icon (the "share-alt" icon) towards the bottom of the operator sidebar on the right of the screen.

    Inside the social settings panel, you will see the settings page for Facebook. If you have an "App Secret" configured in this section, remove it.

    If you prefer to do this with a migration, you can use the fb-app-secret-migration-v1.{your-version}.x-2018-11-19.patch migration patch that is appropriate for your version of Reaction. If you're using an older version of Reaction and want to use a migration to unset the app secret, please contact [email protected] if you need assistance patching your version.

    Patch Reaction Commerce

    Apply patches to your version of Reaction Commerce. There are different patches for different versions of Reaction Commerce. These patches will remove the UI that permitted shop operators to add the Facebook App Secret to the social plugin panel.

    v1.14.0 - latest
    fb-app-secret-ui-v1.14.0-v2.0.0-rc.6-2018-11-19.patch

    v0.14.0 - v1.13.2
    fb-app-secret-ui-v0.14.0-v1.13.2-2018-11-19.patch

    If you're running a production shop on a version older than v0.14.0, please contact [email protected] for assistance in determining if patching the operator panel is necessary for your version.

    Invalidate Existing Secrets

    If you found a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.

    Generate New Secrets

    If you used this App Secret in any other applications or for Facebook OAuth login, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.