You appear to be offline. Some site functionality may not work.
Sign Up

Security advisories

Vulnerability in Fastly open source CDN module intended to be integrated into Magento2

September 12, 2017

Summary

During the investigation of a customer report, Fastly became aware of and addressed a security vulnerability (CVE-2017-13761) in the Fastly CDN module intended to be integrated into Magento2. This is open source code which Fastly releases to enable easy integration with our partner’s products. All versions prior to 1.2.26 are affected and customers are encouraged to upgrade.

Fastly has reached out directly to customers currently using affected versions of the module.

Impact

This vulnerability, present in all versions of the module prior to version 1.2.26, caused redirect responses to be cached for a few seconds. A session leak could occur in certain cases when using a third-party authentication plugin, such as OAuth, which relies on redirects instead of POST requests. As a result, the vulnerability could lead to information from one authenticated session leaking to another authenticated user.

Fix / Workarounds

This vulnerability was addressed in version 1.2.26 of the Fastly CDN module. Customers who have downloaded and deployed any older version of the module are encouraged to upgrade to version 1.2.26 or later. The latest, and recommended, version available is 1.2.28.

You can run the following command to determine if your site is affected:

$ curl -H “Fastly-Debug:1” -v -o /dev/null https://www.example.com/ | grep Fastly-Magento-VCL
 
< Fastly-Magento-VCL-Uploaded: 1.2.20

More information

This vulnerability has been assigned CVE identifier CVE-2017-13761.

This issue was addressed in the fastly-magento2 code repository, and the latest version is available at https://github.com/fastly/fastly-magento2/releases.

Thanks for subscribing.