Vulnerability in EPiServer.GoogleAnalytics v3 and v4

Introduction

A potential security vulnerability was detected for Optimizely Google Analytics addon (including EPiServer.GoogleAnalytics and EPiServer.GoogleAnalytics.Commerce), with list of affected versions below. Optimizely websites based on CMS 12 and/or Customized Commerce 14 using the affected packages are affected by this vulnerability that might give an attacker access sensitive data in the application.

Risk

Overall, the risk of the vulnerability is high. The issue was fixed in EPiServer.GoogleAnalytics v4.2.0 (GA-471). Mitigation is in place for all DXP service customers.

Update (September 20): we've re-evaluated the situation and decided to inform that, the risk of this vulnerability is critical!

Affected versions

The versions below of EPiServer.GoogleAnalytics and EPiServer.GoogleAnalytics.Commerce are affected by this vulnerability:

• 3.0.0 (.netcore version to support CMS12)
• 3.0.1
• 4.0.0 (added support for GA4 which replaced the GA UA used in previous versions of EPiServer.GoogleAnalytics) 
• 4.0.1
• 4.1.0

Remediation

• If using affted version of EPiServer.GoogleAnalytics in the list above, please update the to the version 4.2.0 or later.
• Updated (September 22): The fix has been also backported to a v3 version (the version 3.0.2). If you are using an affected v3 version in the list above, and don't want to upgrade to the v4.2.0 version (or later)  then you can either update the version to 3.0.2 or simply uninstall the addon completely.

Please reach out to our support for further guidance by email to support@optimizely.com or submit a request at https://support.optimizely.com/hc/en-us.

Questions

Please contact the security engineering team at securityeng@optimizely.com.

Risk definitions

Low – little to no potential impact on Optimizely or customer environments/data. Vulnerability has low exploitability, for example: requirement for local or physical system access, zero reachability to/executability within Optimizely products/code.

Medium – some potential impact on Optimizely or customer environments/data. Vulnerability has medium exploitability, for example: requirement to be located on the same local network as the target, requirement for an individual to be manipulated via social engineering, requirement for user privileges, vulnerability achieves limited access to Optimizely products/code.

High – high potential impact on Optimizely or customer environments/data.  Vulnerability has high exploitability, for example:  achieves high level access to Optimizely products/code, could elevate privileges, could result in a significant data loss or downtime.

Critical – very significant potential impact on Optimizely or customer environments/data.  Vulnerability has very high exploitability, for example: achieves admin/root-level access to Optimizely products/code.  Vulnerability does not require any special authentication credentials/knowledge of Optimizely products/environments.