The information on the latest update

Description

This article describes a solution for a Medium vulnerability (SC2019-004-359228) reported by Microsoft in Microsoft Security Advisory CVE-2018-8269: Denial of Service Vulnerability in OData.

The Microsoft.Data.OData.dll assembly (version < 5.8.4) that is affected by this vulnerability is included in Sitecore Commerce Engine release packages. For example, the Sitecore.Commerce.Engine.OnPrem.Solr.4.0.165.scwdp.zip archive, included in Sitecore Experience Commerce 9.2 release package, contains the affected assembly.

We encourage Sitecore customers and partners to familiarize themselves with the information that follows and apply the fix to all affected Sitecore systems.

If you would like to receive notifications about new Security Bulletins on the Sitecore Knowledge Base, subscribe to security updates: KB1000489.

Severity Definitions

To help customers and partners understand the severity of potential security vulnerabilities, Sitecore uses definitions from Severity Definitions for Security Vulnerabilities to report security issues.

Versions

Vulnerability SC2019-004-359228 affects the following versions of Sitecore Experience Commerce:

• Sitecore Commerce 8.2.1.x
• SitecoreExperienceCommerce 9.0.x
• SitecoreExperienceCommerce 9.1.x
• SitecoreExperienceCommerce 9.2.x

Solution

To resolve the vulnerability in your affected Sitecore Experience Commerce deployment, you must replace the following dynamic link libraries (DLL) with a version equal to or greater than 5.8.4:

• Microsoft.Data.OData.dll
• Microsoft.Data.Edm.dll
• System.Spatial.dll

There are two ways to replace the affected DLLs:

• You can download the DLLs and add them manually.

or

• You can modify the Sitecore.Commerce.Engine.csproj file in Sitecore Commerce Engine SDK to include a reference to the updated version of the Microsoft.Data.OData library:
  
  1. In the Sitecore Commerce Engine SDK, open the Sitecore.Commerce.Engine.csproj file.
  2. In the Sitecore.Commerce.Engine.csproj file, at the top of the reference list, add the following reference:<PackageReference Include="Microsoft.Data.OData" Version="5.8.4" />
  3. Use Nuget Package Manager to add the Microsoft.Data.Odata reference.
  4. Recompile and deploy the Sitecore Commerce Engine.

History of updates

• 21-Oct-2019: changed the severity from Critical to Medium as per our actual classification of this issue
• 18-Mar-2021: updated Affected SW, "Applies To" and "Fixed In".
• 01-Jul-2021: added the section "History of updates",  changed a broken link in "Security Bulletins RSS Feed" to KB1000489, made minor changes in styling.