Flow Bugfix Releases for Entity Security

We've been doing bugfix releases for improving Entity Security and custom SQL filters. Read on for details.

– Written by

Component Type: Flow
Vulnerability Type: Information disclosure
Severity: Medium
Affected Versions: All Flow versions above 3.0.0 and before 3.0.12, 3.1.10, 3.2.13, 3.3.13, or 4.0.6
Release Date: April 12th, 2017
Suggested CVSS: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/RC:C 
CVE: n/a

If you had used entity security and wanted to secure entities not just based on the user's role, but on some property of the user (like the company he belongs to), entity security did not work properly together with the doctrine query cache. This could lead to other users re-using SQL queries from the cache which were built for other users; and thus users could see entities which were not destined for them.

Am I affected?

  • Do you use Entity Security? if no, you are not affected.
  • You disabled the Doctrine Cache (Flow_Persistence_Doctrine)? If this is the case, you are not affected.
  • You use Entity Security in custom Flow or Neos applications. Read on.
    • If you only used Entity Security based on roles (i.e. role A was allowed to see entities, but role B was denied): In this case, you are not affected.
    • If you did more advanced stuff using Entity Security (like checking that a customer only sees his own orders; or a hotel only sees its own bookings), you very likely needed to register a custom global object in Neos.Flow.aop.globalObjects. In this case, you are affected by the issue; and need to implement the CacheAwareInterface in your global object for proper caching.

All Flow versions (starting in version 3.0, where Entity Security was introduced) were affected.

Fixing the Issue

To fix the issue, you need to do two things:

  1. Update to Flow 3.0.12, 3.1.10, 3.2.13, 3.3.13, or 4.0.6.
  2. Make your global objects (which you use for retrieving global properties in Entity Security) implement CacheAwareInterface, as described in the documentation.

Custom SQL filters

If you developed custom SQL filters, be aware you are not allowed to call setParameter() inside addFilterConstraint(), but rather you need to set the parameters outside of the filter itself for query caching to work properly. This has been clarified in the documentation now.

Getting Help

In case you are unsure about the issue, don't hesitate to contact the Neos team on Slack (#flow-general) or through the other communication channels!