September 12, 2017
During the investigation of a customer report, Fastly became aware of and addressed a security vulnerability (CVE-2017-13761) in the Fastly CDN module intended to be integrated into Magento2. This is open source code which Fastly releases to enable easy integration with our partner’s products. All versions prior to 1.2.26 are affected and customers are encouraged to upgrade.
Fastly has reached out directly to customers currently using affected versions of the module.
This vulnerability, present in all versions of the module prior to version 1.2.26, caused redirect responses to be cached for a few seconds. A session leak could occur in certain cases when using a third-party authentication plugin, such as OAuth, which relies on redirects instead of POST requests. As a result, the vulnerability could lead to information from one authenticated session leaking to another authenticated user.
This vulnerability was addressed in version 1.2.26 of the Fastly CDN module. Customers who have downloaded and deployed any older version of the module are encouraged to upgrade to version 1.2.26 or later. The latest, and recommended, version available is 1.2.28.
You can run the following command to determine if your site is affected:
$ curl -H “Fastly-Debug:1” -v -o /dev/null https://www.example.com/ | grep Fastly-Magento-VCL < Fastly-Magento-VCL-Uploaded: 1.2.20
This vulnerability has been assigned CVE identifier CVE-2017-13761.
This issue was addressed in the fastly-magento2 code repository, and the latest version is available at https://github.com/fastly/fastly-magento2/releases.