Shopware update fixes RCE bug that affects both shop and target system

Shopware, an open-source e-commerce software chosen by a number of big European companies to power their online shops, has recently pushed out a critical security update.

The update fixes a remote code execution bug that could allow attackers to read files on the target system, create new ones with malicious content, and run arbitrary code on the target system.

“This is a critical security vulnerability that not only affect the functions of the shop, but it can also have an impact on the overall system,” Shopware developers pointed out.

“The vulnerability affects all Shopware versions 4.0.0 up to 5.1.4. Currently no cases are known in which the vulnerability has been actively exploited, but we strongly recommend to upgrade to the current version (5.1.5 or 4.3.7) of Shopware.”

Interestingly enough, exploitation of the bug can be averted if one uses the license plugin version 1.1.2, so technically updating to the latest version of the software is not strictly required to protect one’s shop and system.

The Shopware online shop system software is developed in Germany, and is available both as open source software, as well as a commercial edition.

This particular vulnerability has been unearthed by security engineer David Vieira-Kurz of Immobilien Scout GmbH. He shared proof of concept exploit code with the Shopware developers, but chose not to publish it quite yet.

Since the code for the hotfix is available on GitHub, chances are it may provide enough information for attackers to create their own exploit code, so if you use Shopware for your online shop, and haven’t updated it yet, do so as soon as possible.