Security Bulletin SC2019-003-329876

This article describes a solution for a Critical vulnerability (SC2019-003-329876) in an open source plugin, named Sitecore Rocks, which is commonly used in Sitecore development environments.

Critical vulnerability SC2019-003-329876 allows an unauthenticated threat actor to inject malicious commands and code, thus compromising the security controls.

We encourage Sitecore customers and partners who are using Sitecore Rocks plugin to familiarize themselves with the information below and apply the fix to affected Sitecore systems.

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Versions affected
Vulnerability SC2019-003-329876 affects all Sitecore environments where Sitecore Rocks Hard Rock Service is installed.

Versions not affected
Vulnerability SC2019-003-329876 does not affect Sitecore environments where Sitecore Rocks Hard Rock Service is not installed.

For more information about Sitecore Rocks plugin, please visit the following page: https://github.com/Sitecore/Sitecore.Rocks

Production environments

As per article Using Sitecore Rocks on Sitecore XP 9.0 and later, it is not recommended to install the Hard Rock service or enable anonymous access to the Good Old service on Sitecore production environments. If Sitecore Rocks Hard Rock Service is installed on production environment, it is recommended to uninstall it by removing the following files:

\sitecore\shell\WebService\Service2.asmx
\sitecore\shell\WebService\Sitecore.Rocks.Validation.ashx
\sitecore\shell\WebService\Web.config
\sitecore\shell\WebService\Browse.aspx
\bin\Sitecore.Rocks.Server.dll

Development environments

For Local Development Environments

Install the latest Sitecore Rocks extension (v2.1.149 or higher):

Via Visual Studio, in the Tools > Extensions and Updates menu.
Or by manually downloading from the Visual Studio Marketplace.

On each of your Rocks connections, select Connections > Update Server Components, then Update All.

For Remote Dev/Test Environments

Download the latest Sitecore.Rocks.Server.update package from the Sitecore Rocks releases page on GitHub (v2.1.149 or higher).
Install the update package using the Update Center or Update Installation Wizard.

Sitecore would like to give credit to Kamil Kubacka of ISEC.pl Research Team for the discovery of this vulnerability.

Description

Severity Definitions

Versions

Solution

Acknowledgement