Security Bulletin SC2019-004-359228

  • This article describes a solution for a Medium vulnerability (SC2019-004-359228) reported by Microsoft in Microsoft Security Advisory CVE-2018-8269: Denial of Service Vulnerability in OData.

    The Microsoft.Data.OData.dll assembly (version < 5.8.4) that is affected by this vulnerability is included in Sitecore Commerce Engine release packages. For example, the Sitecore.Commerce.Engine.OnPrem.Solr.4.0.165.scwdp.zip archive, included in Sitecore Experience Commerce 9.2 release package, contains the affected assembly.

    We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the fix to all affected Sitecore systems.

    If you would like to receive notifications about new Security Bulletins, please subscribe to the Security Bulletins RSS Feed.

  • Vulnerability SC2019-004-359228 affects the following versions of Sitecore Experience Commerce:

    • Sitecore Commerce 8.2.1.x
    • Sitecore Experience Commerce 9.0.x
    • Sitecore Experience Commerce 9.1.x
    • Sitecore Experience Commerce 9.2.x
  • To resolve the vulnerability in your affected Sitecore Experience Commerce deployment, you must replace the following dynamic link libraries (DLL) with a version equal to or greater than 5.8.4:

    • Microsoft.Data.OData.dll
    • Microsoft.Data.Edm.dll
    • System.Spatial.dll

    There are two ways to replace the affected DLLs:

    or

    • You can modify the Sitecore.Commerce.Engine.csproj file in Sitecore Commerce Engine SDK to include a reference to the updated version of the Microsoft.Data.OData library:
      1. In the Sitecore Commerce Engine SDK, open the Sitecore.Commerce.Engine.csproj file.
      2. In the Sitecore.Commerce.Engine.csproj file, at the top of the reference list, add the following reference:
         <PackageReference Include="Microsoft.Data.OData" Version="5.8.4" />
      3. Use NuGet Package Manager to add the Microsoft.Data.OData reference.
      4. Recompile and deploy the Sitecore Commerce Engine.
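    As an added verification step (this script is not part of the bulletin and is not Sitecore's code), the following PowerShell scans an unpacked Commerce Engine deployment folder for the three assemblies listed above and flags any copy whose file version is below 5.8.4. It assumes the file version stamped into each DLL tracks the NuGet package version, and $DeploymentRoot is a placeholder for your own site folder.

```powershell
# Added example, not from the Sitecore bulletin. Finds the three affected
# assemblies under a deployment folder and reports any below 5.8.4.
param(
    [Parameter(Mandatory = $true)]
    [string]$DeploymentRoot,                       # assumed: unpacked Commerce Engine folder
    [version]$MinimumVersion = [version]'5.8.4'    # fixed version named in the bulletin
)

# The three DLLs the bulletin says must be replaced.
$affected = @('Microsoft.Data.OData.dll', 'Microsoft.Data.Edm.dll', 'System.Spatial.dll')

$findings = Get-ChildItem -Path $DeploymentRoot -Recurse -File -Include $affected -ErrorAction SilentlyContinue |
    ForEach-Object {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($_.FullName)
        # FileVersion may carry a text suffix; keep only the leading dotted numbers.
        # Assumption: this file version tracks the NuGet package version.
        $parsed = $null
        $match = [regex]::Match([string]$info.FileVersion, '^\d+(\.\d+){1,3}')
        if ($match.Success) { $parsed = [version]$match.Value }
        [pscustomobject]@{
            Path        = $_.FullName
            FileVersion = $info.FileVersion
            # Treat an unreadable version as vulnerable so it is not silently skipped.
            Vulnerable  = (-not $parsed) -or ($parsed -lt $MinimumVersion)
        }
    }

$findings | Sort-Object Vulnerable -Descending | Format-Table -AutoSize

$bad = @($findings | Where-Object Vulnerable)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) assembly file(s) are below $MinimumVersion; replace them as described above."
    exit 1
}
Write-Host "All $(@($findings).Count) matching assemblies are at $MinimumVersion or later."
```

    Run it against each deployed Commerce Engine instance after the update; a non-zero exit code means at least one outdated copy remains.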

Applies to:

Sitecore Commerce 8.2.1+

October 23, 2019

Reference number:

359228