Upgrade Wordpress Auth0 plugin [embargo until 2020-03-26]
Categories: Enterprise Information Security Graveyard :: Incident, task
Tracking: Not tracked
People: Reporter: gene, Assigned: fauweh
Attachments (1 file): application/zip, 539.72 KB
[embargo until 2020-03-26]
Researchers have reported to Auth0's bug bounty program vulnerabilities in its Wordpress Login plugin.
Mozilla uses this plugin in various Wordpress sites that we host (via wpengine).
Auth0 has provided us with an upgraded plugin (rewritten from scratch) that mitigates the vulnerabilities that will be announced on March 26th.
Data Classification of this information
Now that this upgrade is public and the CVEs related to the old version are public, the data in this ticket is now classified as public (previously Mozilla Confidential - Specific Individuals Only).
Action Requested
Please deploy the attached plugin in all of our Wordpress sites before March 26th to mitigate these vulnerabilities.
Instructions on Upgrading the Plugin
While manually upgrading the plugin, your users may experience issues logging in. That's why we advise setting your WordPress site into maintenance mode while you execute the following steps.
- Access your WordPress site files using sFTP or SSH.
- Create a new directory named auth0-v4 under wp-content/plugins/ and copy the content of your local login-by-auth0-4.0.0-beta folder into this new auth0-v4 directory.
- For backup purposes, rename the existing plugin directory named auth0 to auth0-v3. Please note that doing this will stop logins from working until you perform the next step.
- Rename the auth0-v4 directory to auth0. By doing this you are activating Login by Auth0 plugin v4.0.0-beta.
- Sign in to your WordPress site administration panel. Go to Plugins > Installed Plugins and verify that the plugin you upgraded is at the newest version, i.e. 4.0.0-beta. If something is not working as expected, you can revert to the earlier plugin version by switching the plugin directory names back, and review whether you missed any other changes required by our migration guide included in the WordPress.Plugin.4.zip file.
Ideally, the sites that need to be upgraded and the status of those upgrades would be tracked in this bug.
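The directory swap above, scripted with the backup, version check and revert path the instructions describe. This is an added example, not code from the ticket or from Auth0; it assumes the plugins directory is wp-content/plugins, the unpacked v4 folder is named login-by-auth0-4.0.0-beta, and the plugin's main PHP file carries the standard WordPress "Version:" plugin header.

```sh
#!/bin/sh
# Added example, not from the ticket or from Auth0. Swaps the live plugin
# directory for the unpacked v4 beta, keeps the old copy as auth0-v3, verifies
# the WordPress "Version:" header of the new copy, and rolls back on mismatch.
# Assumptions: $plugins is <site>/wp-content/plugins and the plugin's main PHP
# file sits in the plugin directory root with a standard plugin header.
set -eu

# Print the "Version:" value from the plugin header in directory $1 (empty if none).
plugin_version() {
    grep -h -m1 -E '^[[:space:]]*\*?[[:space:]]*Version:' "$1"/*.php 2>/dev/null \
        | sed -E 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//' \
        | head -n 1
}

# $1 = plugins dir, $2 = unpacked login-by-auth0-4.0.0-beta folder,
# $3 = expected version (defaults to 4.0.0-beta, the version named in the ticket).
upgrade_auth0_plugin() {
    plugins=$1; newsrc=$2; want=${3:-4.0.0-beta}
    [ -d "$plugins/auth0" ] || { echo "no live auth0 plugin in $plugins" >&2; return 1; }
    [ -d "$newsrc" ]        || { echo "new plugin folder $newsrc not found" >&2; return 1; }
    for d in auth0-v3 auth0-v4; do
        [ ! -e "$plugins/$d" ] || { echo "$plugins/$d already exists; refusing to overwrite" >&2; return 1; }
    done
    # Put the site into maintenance mode before this point: logins fail between the two mv calls.
    cp -R "$newsrc" "$plugins/auth0-v4"
    mv "$plugins/auth0" "$plugins/auth0-v3"   # logins stop working here
    mv "$plugins/auth0-v4" "$plugins/auth0"   # v4 is the active plugin from here
    got=$(plugin_version "$plugins/auth0")
    if [ "$got" != "$want" ]; then
        echo "expected version $want but found '$got'; rolling back" >&2
        rollback_auth0_plugin "$plugins"
        return 1
    fi
    echo "auth0 plugin is now $got; previous copy kept as auth0-v3"
}

# Undo the swap: move the live v4 copy aside as auth0-v4 and restore auth0-v3 as auth0.
rollback_auth0_plugin() {
    plugins=$1
    [ -d "$plugins/auth0-v3" ] || { echo "no auth0-v3 backup to restore" >&2; return 1; }
    if [ -d "$plugins/auth0" ]; then
        mv "$plugins/auth0" "$plugins/auth0-v4"
    fi
    mv "$plugins/auth0-v3" "$plugins/auth0"
}
```

Run it over SSH on the host as `upgrade_auth0_plugin /path/to/wp-content/plugins /path/to/login-by-auth0-4.0.0-beta`, then confirm the version under Plugins > Installed Plugins as the instructions say; `rollback_auth0_plugin /path/to/wp-content/plugins` is the "switch the directory names back" step if the site misbehaves.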
Comment 1 (Reporter, 6 years ago)
:fauweh and I met Friday morning and covered this. He said that he, :craigcook and :stefancosten would work on this in advance of Thursday, when these vulnerabilities are made public.
Comment 2 (Reporter, 6 years ago)
:fauweh, would it make sense for you to add to this ticket which of the three of you is responsible for upgrading which sites?
Comment 3 (Assignee, 6 years ago)
(In reply to Gene Wood [:gene] from comment #2)
> :fauweh, would it make sense for you to add to this ticket which of the three of you is responsible for upgrading which sites?
Yep, absolutely.
Stefan is responsible for the sites under the community install, and I'll do the upgrade on the other site (the newer community portal install); Craig will just be needed for consultation if I hit any snags.
Also I forgot to mention I will need to notify Ruben Martin (:Nukeador) and/or Lucy Harris (:lucyeoh) as they are the owners of the community portal.
Jabba had a couple of other callback URLs listed for WPEngine (a test and a dev domain) that I need to check whether they are actually used by this auth0 plugin as well.
Comment 4 (Reporter, 6 years ago)
> Also I forgot to mention I will need to notify Ruben Martin (:Nukeador) and/or Lucy Harris (:lucyeoh) as they are the owners of the community portal.
Sure, shall I CC either or both of them on this?
Comment 5 (Assignee, 6 years ago)
(In reply to Gene Wood [:gene] from comment #4)
> Also I forgot to mention I will need to notify Ruben Martin (:Nukeador) and/or Lucy Harris (:lucyeoh) as they are the owners of the community portal.
> Sure, shall I CC either or both of them on this?
Yes, that would be great.
Comment 6 (6 years ago)
I've alerted Community Portal developers to make sure we fix this asap. I'll report back once this is done.
Comment 7 (Reporter, 6 years ago)
:nukeador, do please record in this ticket who you're sharing the information with, and ensure we limit it so as not to break the embargo and ensure that those users are NDAd and follow the same rules that we are following. See all the notes above in the ticket about the data classification of the information.
Comment 8 (Reporter, 6 years ago)
:nukeador I'm very concerned that you may have just leaked this confidential information outside Mozilla and that those you've shared it with do not understand the rules that govern their use of the information. Can you ping me on slack as soon as you get this?
Comment 9 (6 years ago)
Hi Gene,
Sorry, due to the urgency of this request, I shared this yesterday as soon as I got the notification with our developers in order to be able to fix it ASAP. The vendor (Playground) has a legal contract with us (including our standard confidentiality clauses) and they have been told that this information is confidential.
The fix is already live on https://community.mozilla.org
Comment 10 (Reporter, 6 years ago)
:Nukeador, ok cool, thank you for taking care of it so quickly and for ensuring that the vendor understands the confidentiality of the information, I appreciate it.
:Costenslayer, can you confirm that things are on track to have this fix deployed to sites under the community install before close of business tomorrow Wednesday?
Comment 11 (Reporter, 6 years ago)
:fauweh, can you also weigh in on where you're at with the updates for the sites you control (as these vulnerabilities get published tomorrow)?
Comment 12 (Assignee, 6 years ago)
(In reply to Gene Wood [:gene] from comment #11)
> :fauweh, can you also weigh in on where you're at with the updates for the sites you control (as these vulnerabilities get published tomorrow)?
I think we're good now Gene!
MCWS Prod - Disabled (We haven't been able to get the new plugin to work.)
MCWS Stage - Upgraded
Community Portal - Upgraded (aka mdmozdev)
Mozilla Dev - Disabled (used for testing only)
Jabba had a listing for testmozauth0.wpengine.com, this site/install appears to have been removed at some point in the past, no longer in scope.