Security Bulletin SC2019-003-329876


Description

This article describes a solution for a Critical vulnerability (SC2019-003-329876) in an open-source plugin named Sitecore Rocks, which is commonly used in Sitecore development environments.

Critical vulnerability SC2019-003-329876 allows an unauthenticated threat actor to inject malicious commands and code, thereby bypassing the security controls of the affected system.

We encourage Sitecore customers and partners who are using the Sitecore Rocks plugin to familiarize themselves with the information below and apply the fix to affected Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Versions

Versions affected
Vulnerability SC2019-003-329876 affects all Sitecore environments where the Sitecore Rocks Hard Rock Service is installed.

Versions not affected
Vulnerability SC2019-003-329876 does not affect Sitecore environments where the Sitecore Rocks Hard Rock Service is not installed.

For more information about the Sitecore Rocks plugin, please visit the following page: https://github.com/Sitecore/Sitecore.Rocks

Solution

Production environments

As described in the article Using Sitecore Rocks on Sitecore XP 9.0 and later, installing the Hard Rock service or enabling anonymous access to the Good Old service is not recommended on Sitecore production environments. If the Sitecore Rocks Hard Rock Service is installed on a production environment, it is recommended to uninstall it by removing the following files:

Development environments

For Local Development Environments

  1. Install the latest Sitecore Rocks extension (v2.1.149 or higher):
    • Via Visual Studio, in the Tools > Extensions and Updates menu.
    • Or by manually downloading from the Visual Studio Marketplace.
  2. On each of your Rocks connections, select Connections > Update Server Components, then Update All, so that the server-side components match the updated extension.

For Remote Dev/Test Environments

  1. Download the latest Sitecore.Rocks.Server.update package from the Sitecore Rocks releases page on GitHub (v2.1.149 or higher).
  2. Install the update package using the Update Installation Wizard.

Acknowledgement

Sitecore would like to give credit to Kamil Kubacka of the ISEC.pl Research Team for the discovery of this vulnerability.

History of updates