Security Bulletin SC2019-003-329876

  • Description

    This article describes a solution for a Critical vulnerability (SC2019-003-329876) in an open source plugin, named Sitecore Rocks, which is commonly used in Sitecore development environments.

    Critical vulnerability SC2019-003-329876 allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.

    We encourage Sitecore customers and partners who are using the Sitecore Rocks plugin to familiarize themselves with the information below and apply the fix to affected Sitecore systems.

  • Severity Definitions

  • Versions affected

    Vulnerability SC2019-003-329876 affects all Sitecore environments where Sitecore Rocks Hard Rock Service is installed.

    Versions not affected
    Vulnerability SC2019-003-329876 does not affect Sitecore environments where Sitecore Rocks Hard Rock Service is not installed.

    For more information about Sitecore Rocks plugin, please visit the following page: https://github.com/Sitecore/Sitecore.Rocks

  • Production environments

    As per the article Using Sitecore Rocks on Sitecore XP 9.0 and later, it is not recommended to install the Hard Rock service or enable anonymous access to the Good Old service on Sitecore production environments. If Sitecore Rocks Hard Rock Service is installed on a production environment, it is recommended to uninstall it by removing the following files:

    • \sitecore\shell\WebService\Service2.asmx
    • \sitecore\shell\WebService\Sitecore.Rocks.Validation.ashx
    • \sitecore\shell\WebService\Web.config
    • \sitecore\shell\WebService\Browse.aspx
    • \bin\Sitecore.Rocks.Server.dll
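    The following PowerShell script is an added example (not Sitecore's own tooling) that audits a Sitecore web root for the five Hard Rock Service files listed above, reports their file versions, and, with the hypothetical -Remove switch, backs them up and deletes them. It assumes $WebRoot is the physical path of the IIS site and that the server DLL's file version tracks the Sitecore Rocks release (v2.1.149 is the fixed release named in this bulletin).

```powershell
# Audit (and optionally remove) the Sitecore Rocks Hard Rock Service files from a web root.
# Added example; assumes $WebRoot is the IIS site's physical path. -Remove is a hypothetical switch.
param(
    [Parameter(Mandatory = $true)][string]$WebRoot,
    [switch]$Remove
)

# File list taken from the bulletin's "Production environments" section.
$hardRockFiles = @(
    'sitecore\shell\WebService\Service2.asmx',
    'sitecore\shell\WebService\Sitecore.Rocks.Validation.ashx',
    'sitecore\shell\WebService\Web.config',
    'sitecore\shell\WebService\Browse.aspx',
    'bin\Sitecore.Rocks.Server.dll'
)

$found = foreach ($relative in $hardRockFiles) {
    $full = Join-Path $WebRoot $relative
    if (Test-Path -LiteralPath $full -PathType Leaf) {
        $item = Get-Item -LiteralPath $full
        [pscustomobject]@{
            Path    = $full
            # Only the DLL carries a version; the bulletin's fixed release is v2.1.149 or higher.
            Version = if ($item.VersionInfo.FileVersion) { $item.VersionInfo.FileVersion } else { 'n/a' }
            Written = $item.LastWriteTimeUtc
        }
    }
}

if (-not $found) {
    Write-Output "No Hard Rock Service files under $WebRoot; not affected by SC2019-003-329876."
    return
}

Write-Output "Hard Rock Service files present under $WebRoot (affected by SC2019-003-329876):"
$found | Format-Table -AutoSize

if ($Remove) {
    # Copy each file to a timestamped backup folder (constructed name) before deleting it.
    $backup = Join-Path $env:TEMP ("SitecoreRocks-backup-" + (Get-Date -Format 'yyyyMMddHHmmss'))
    foreach ($f in $found) {
        $dest = Join-Path $backup ($f.Path.Substring($WebRoot.Length).TrimStart('\'))
        New-Item -ItemType Directory -Path (Split-Path $dest) -Force | Out-Null
        Copy-Item -LiteralPath $f.Path -Destination $dest
        Remove-Item -LiteralPath $f.Path -Force
        Write-Output "Removed $($f.Path) (backup: $dest)"
    }
}
```

    Run it without -Remove first to confirm which files are present; on development environments where the service is kept, use the reported version to decide whether the update steps below still apply.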

    Development environments

    For Local Development Environments

    1. Install the latest Sitecore Rocks extension (v2.1.149 or higher):
      • Via Visual Studio, in the Tools > Extensions and Updates menu.
      • Or by manually downloading from the Visual Studio Marketplace.
    2. On each of your Rocks connections, select Connections > Update Server Components, then Update All.

    For Remote Dev/Test Environments

    1. Download the latest Sitecore.Rocks.Server.update package from the Sitecore Rocks releases page on GitHub (v2.1.149 or higher).
    2. Install the update package using the Update Center or Update Installation Wizard.

  • Acknowledgement

    Sitecore would like to give credit to Kamil Kubacka of ISEC.pl Research Team for the discovery of this vulnerability.

Applies to:

Sitecore Rocks 1 - 2.1.130

May 21, 2019
May 29, 2019

Reference number:

329876