Reaction Commerce v2.0.0-rc.7 Release Notes
Release Date: 2018-11-27
Security Release
This security release addresses two potential vulnerabilities.
We discovered a vulnerability that affects shops built on Reaction Commerce that use the Reaction-Social plugin with Facebook and the Facebook App Secret configured. More details on this issue below.
Remove dependency on event-stream
Event Stream Dependency Removal
This fix removes a dependency on event-stream by updating nodemon to a version that does not include event-stream.
From the original post in the event-stream repository:
Am I affected?
> If you are using anything crypto-currency related, then maybe. As discovered by @maths22, the target seems to have been identified as copay related libraries. It only executes successfully when a matching package is in use (assumed to be copay at this point). If you are using a crypto-currency related library and if you see [email protected] after running npm ls event-stream flatmap-stream, you are most likely affected. For example:
$ npm ls event-stream flatmap-stream ... [email protected] ...
What does it do?
> Other users have done some good analysis of what these payloads actually do.
What can I do?
> By this time fixes are being deployed and npm has yanked the malicious version. Ensure that the developer(s) of the package you are using are aware of this post. If you are a developer update your event-stream dependency to [email protected]. This protects people with cached versions of event-stream.
Snyk has a great writeup about this issue in their blog: https://snyk.io/blog/malicious-code-found-in-npm-package-event-stream.
See the issue on the event-stream repo for more information: dominictarr/event-stream#116
Reaction Social Issue Overview
This vulnerability has been present in every release that included the Reaction Social plugin. The App Secret is not used by Reaction Social and it's unclear why the form for it was added to the application originally. It was introduced by a community contribution when the Reaction Social plugin was originally created. The App Secret should be removed from the Reaction Social panel. This will not affect the use of Facebook oAuth login, which is set separately in the login services dashboard. If the same secret was used, it should be reset and a new token should be used for oAuth login via Facebook.

| oAuth Service Configuration Publication Vulnerability | |
| --- | --- |
| Severity | High |
| Description | oAuth social plugin secrets could be shared with unauthenticated users via a publication. |
| Affected Installations | Any shops with a configured Facebook appSecret in the Reaction Social dashboard. |
| Affected Versions | All versions greater than or equal to v0.5.3 |
| Remediation | Apply patch or upgrade to patched version of Reaction Commerce. |
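To make the "publication" failure mode concrete, here is an added example (not Reaction Commerce code): a Meteor-style publication that returns a plugin-settings document whole hands the stored appSecret to any subscribed client, while an allow-list projection does not, and a migration-style helper strips the secret from the stored document. The document shape, field names and values are constructed for the example, not Reaction's schema.

```javascript
// Added example, not Reaction Commerce code. It models the bug class in the table
// above: a publication that ships a plugin-settings document whole exposes the
// Facebook appSecret to any subscribed (unauthenticated) client, while an
// allow-list projection does not. Document shape and values are constructed.
const socialSettings = {
  _id: "constructed-settings-id",
  name: "reaction-social",
  settings: {
    // Fields a storefront legitimately needs (share links, enabled networks).
    public: { apps: { facebook: { enabled: true, profilePage: "https://www.facebook.com/example" } } },
    // Operator-only configuration; appSecret should never reach a client.
    apps: { facebook: { appId: "CONSTRUCTED_APP_ID", appSecret: "CONSTRUCTED_APP_SECRET" } }
  }
};

// Vulnerable: the whole document, secrets included, is handed to the client.
function publishSocialSettingsVulnerable(doc) {
  return doc;
}

// Hardened: build the client payload from an explicit allow-list of fields.
function publishSocialSettingsHardened(doc) {
  return { _id: doc._id, name: doc.name, settings: { public: doc.settings.public } };
}

// Equivalent of the migration described in these notes: return a copy of the
// document with the stored appSecret removed so nothing is left to leak.
function removeFacebookAppSecret(doc) {
  const copy = JSON.parse(JSON.stringify(doc));
  if (copy.settings && copy.settings.apps && copy.settings.apps.facebook) {
    delete copy.settings.apps.facebook.appSecret;
  }
  return copy;
}

// Defensive check for a publication payload: list dotted paths of any key that
// looks like a credential. Run it against what a publication returns in tests.
const SECRET_KEY_PATTERN = /secret|token|password/i;
function findSecretKeys(value, path = "") {
  if (value === null || typeof value !== "object") return [];
  return Object.entries(value).flatMap(([key, child]) => {
    const childPath = path ? `${path}.${key}` : key;
    const hits = SECRET_KEY_PATTERN.test(key) ? [childPath] : [];
    return hits.concat(findSecretKeys(child, childPath));
  });
}

console.log(findSecretKeys(publishSocialSettingsVulnerable(socialSettings))); // [ 'settings.apps.facebook.appSecret' ]
console.log(findSecretKeys(publishSocialSettingsHardened(socialSettings)));   // []
```

The same findSecretKeys check can be pointed at the output of any other publication or REST endpoint that serves package settings to the storefront.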
Patches are attached to this release.
Patches will download as a .zip file named reaction-security-patches-2018-11-19-security-social-plugin.zip, which contains the following patch files once uncompressed. These files have the versions they are applicable for in the name of the file.
- Patch files for removing the UI, dependent on software version
- Version-specific migration patch file for removing the appSecret from the database
Option 1: Install patched version of Reaction Commerce
If you're using a version of Reaction Commerce >= v1.10.0, please install the latest patch version and run the migration included.
Invalidate Existing Secrets
If you had a Facebook App Secret listed in your operator panel, you should invalidate it immediately from the Facebook App settings page.
Generate New Secrets
If you used this App Secret in any other applications or for Facebook oAuth login within Reaction Commerce, you should generate and use new secrets to continue to provide services to your customers. Do not add these secrets back into the social panel of Reaction Commerce.