Security Bulletin SC2019-003-329876

  • This article describes the fix for a Critical vulnerability (SC2019-003-329876) in Sitecore Rocks, an open source plugin commonly used in Sitecore development environments.

    Critical vulnerability SC2019-003-329876 allows an unauthenticated threat actor to inject malicious commands and code into the affected server and thereby compromise its security controls.

    We encourage Sitecore customers and partners who use the Sitecore Rocks plugin to familiarize themselves with the information below and apply the fix to all affected Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • Versions affected
    Vulnerability SC2019-003-329876 affects all Sitecore environments where the Sitecore Rocks Hard Rock Service is installed, regardless of Sitecore version.

    Versions not affected
    Vulnerability SC2019-003-329876 does not affect Sitecore environments where the Sitecore Rocks Hard Rock Service is not installed.

    For more information about Sitecore Rocks plugin, please visit the following page:

  • Production environments

    As described in the article Using Sitecore Rocks on Sitecore XP 9.0 and later, installing the Hard Rock service or enabling anonymous access to the Good Old service is not recommended on Sitecore production environments. If the Sitecore Rocks Hard Rock Service is installed on a production environment, uninstall it by removing the following files (paths are relative to the website root folder):

    • \sitecore\shell\WebService\Service2.asmx
    • \sitecore\shell\WebService\Sitecore.Rocks.Validation.ashx
    • \sitecore\shell\WebService\Web.config
    • \sitecore\shell\WebService\Browse.aspx
    • \bin\Sitecore.Rocks.Server.dll

    Development environments

    For Local Development Environments

    1. Install the latest Sitecore Rocks extension (v2.1.149 or higher):
      • Via Visual Studio, in the Tools > Extensions and Updates menu.
      • Or by manually downloading from the Visual Studio Marketplace.
    2. On each of your Rocks connections, select Connections > Update Server Components, then Update All.

    For Remote Dev/Test Environments

    1. Download the latest Sitecore.Rocks.Server.update package from the Sitecore Rocks releases page on GitHub (v2.1.149 or higher).
    2. Install the update package using the Update Center or Update Installation Wizard.
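    As an added example (this is not Sitecore's own script and is not part of this bulletin), the following PowerShell audits a Sitecore website root for the Hard Rock service files listed above, removes them for the production case with -WhatIf/-Confirm support, and checks from the network side that the Service2.asmx endpoint no longer answers. For remote dev/test environments it also reads the file version of bin\Sitecore.Rocks.Server.dll and compares it against 2.1.149; this comparison assumes that the server DLL's file version tracks the Sitecore Rocks release number, which you should confirm on your own instance. The website root path and host name in the usage lines are made up.

```powershell
# Added example; not Sitecore's tooling and not part of the bulletin.
# Assumptions: $WebRoot is the IIS physical path of the Sitecore instance
# (sample paths below are made up); the Hard Rock file list is the one given
# in the bulletin; the file version stamped on bin\Sitecore.Rocks.Server.dll
# tracks the Sitecore Rocks release number (assumption - confirm on your instance).

# Files that make up the Hard Rock service, relative to the website root (from the bulletin).
$HardRockFiles = @(
    'sitecore\shell\WebService\Service2.asmx',
    'sitecore\shell\WebService\Sitecore.Rocks.Validation.ashx',
    'sitecore\shell\WebService\Web.config',
    'sitecore\shell\WebService\Browse.aspx',
    'bin\Sitecore.Rocks.Server.dll'
)

# First Sitecore Rocks release that carries the fix (from the bulletin).
$FixedVersion = [Version]'2.1.149'

function Test-HardRockService {
    # Reports which Hard Rock files exist under the website root and, when the
    # server DLL is present, whether its file version is older than the fixed release.
    param([Parameter(Mandatory)][string]$WebRoot)

    $present = @(foreach ($rel in $HardRockFiles) {
        $full = Join-Path $WebRoot $rel
        if (Test-Path -LiteralPath $full -PathType Leaf) { $full }
    })

    $dllVersion = $null
    $dll = Join-Path $WebRoot 'bin\Sitecore.Rocks.Server.dll'
    if (Test-Path -LiteralPath $dll -PathType Leaf) {
        $raw = (Get-Item -LiteralPath $dll).VersionInfo.FileVersion
        [void][Version]::TryParse($raw, [ref]$dllVersion)
    }

    [pscustomobject]@{
        WebRoot          = $WebRoot
        HardRockFiles    = $present
        Installed        = ($present.Count -gt 0)
        ServerDllVersion = $dllVersion
        # $null when the DLL is absent or its version string does not parse.
        BelowFixed       = $(if ($null -ne $dllVersion) { $dllVersion -lt $FixedVersion } else { $null })
    }
}

function Remove-HardRockService {
    # Uninstalls the Hard Rock service by deleting the files listed in the
    # bulletin. Honours -WhatIf / -Confirm. Removing a DLL from bin\ makes
    # ASP.NET restart the application, so the handler is unloaded as well.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$WebRoot)

    foreach ($rel in $HardRockFiles) {
        $full = Join-Path $WebRoot $rel
        if (-not (Test-Path -LiteralPath $full -PathType Leaf)) { continue }
        if ($PSCmdlet.ShouldProcess($full, 'Remove Hard Rock service file')) {
            Remove-Item -LiteralPath $full -Force
        }
    }
}

function Test-HardRockEndpoint {
    # Network-side check after removal: the Hard Rock web service endpoint
    # should answer 404. A 401/403 means the handler is still being served.
    param([Parameter(Mandatory)][string]$SiteUrl)

    $uri = $SiteUrl.TrimEnd('/') + '/sitecore/shell/WebService/Service2.asmx'
    try {
        $resp = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        $code = [int]$resp.StatusCode
    } catch {
        # Invoke-WebRequest throws on 4xx/5xx; recover the status code when there is one.
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { $null }
    }
    [pscustomobject]@{ Uri = $uri; StatusCode = $code; Removed = ($code -eq 404) }
}

# Usage on the Sitecore server (elevated prompt); path and host name are made up:
#   $state = Test-HardRockService -WebRoot 'C:\inetpub\wwwroot\sc90.local'
#   if ($state.Installed) { Remove-HardRockService -WebRoot 'C:\inetpub\wwwroot\sc90.local' -WhatIf }
#   Test-HardRockEndpoint -SiteUrl 'https://sc90.local'
```

    Run Test-HardRockService first on every production instance: an Installed value of $true means the Hard Rock service is present and the instance is affected. Drop -WhatIf once the listed files match what you expect to delete. On dev/test instances, a BelowFixed value of $true after running Update Server Components or installing the update package indicates the server components were not actually replaced.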
  • Sitecore would like to give credit to Kamil Kubacka of Research Team for the discovery of this vulnerability.

    • 11-Sep-19: a link to Security Bulletins RSS Feed was added.

Applies to:

Sitecore Rocks 1 - 2.1.130

Published: May 21, 2019
Last updated: September 11, 2019

Reference number: SC2019-003-329876