Alex Nassi

Marketo Connector Version 3.1.0 Released!

Discussion created by Alex Nassi Employee on Aug 27, 2015

We have officially released version 3.1.0 of the Marketo Connector. The reason for this patch is that SugarCRM recently detected a security vulnerability that has since been carefully investigated and addressed. As always, we take data security and the protection of your private information very seriously at SugarCRM. We have taken action to minimize potential risks.

Following our investigations, we have no reason to believe that the vulnerabilities were exploited. However, we recommend that you take the immediate steps below to ensure that your data stays protected:

Version 7.x
Please visit Sugar Exchange to download the latest version of the Marketo integration, 3.1.0, which addresses this vulnerability. Before installing the integration, you will need to execute steps 6 – 9 of the ‘Adding Webhooks’ section of our Marketo Installation Guide. Once that is completed, you can install the updated Marketo integration by logging into Sugar as an admin user and navigating to Admin > Module Loader.

Version 6.x
The Marketo integration published on Sugar Exchange is not compatible with Sugar 6.x, so no further action is necessary.

The recommended method for patching this vulnerability is to use the updated integration package. However, if updating the Marketo integration is not possible for any reason, you can utilize one of the two following workarounds to protect the instance from the vulnerability:

A. When no webhooks are configured on the Marketo side:

  1. Remove the file sugarcrm/Ext/EntryPointRegistry/MarketoWebHookConsumer.php
  2. Log in as a Sugar administrator, go to Admin > Repair and execute "Quick Repair and Rebuild"
  3. The webhook entrypoint is no longer available. When the fixed version is installed this entrypoint will become available without any specific intervention.

B. When webhooks are configured on the Marketo side:

  1. An IP access list can be deployed to limit access to the webhook consumer to the Marketo IP ranges only
  2. This can be achieved by adding the following to the top of the .htaccess file, which can be found in the root directory of your sugarcrm installation (above the line # BEGIN SUGARCRM RESTRICTIONS):

    SetEnvIfNoCase Remote_Addr "^199\.15\.212\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^199\.15\.213\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^199\.15\.214\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^199\.15\.215\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^103\.237\.104\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^103\.237\.105\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^192\.28\.144\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^192\.28\.145\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^192\.28\.146\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^192\.28\.147\." MARKETO=1
    SetEnvIfNoCase Remote_Addr "^191\.28\.(160\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|((1(6[1-9]|[7-8][0-9]|90))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|191\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4])))$" MARKETO=1

    RewriteEngine On
    RewriteCond %{QUERY_STRING} entryPoint=market
    RewriteCond %{ENV:MARKETO} ^$
    RewriteRule ^(.*)$ - [F,L]
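
Before deploying workaround B, the access list can be dry-run offline. The script below is an added example, not SugarCRM's code: it parses SetEnvIfNoCase lines and mirrors the two RewriteCond checks to report which requests would receive 403. The function names, the query string `entryPoint=marketoExample` and the test addresses are constructed for illustration.

```python
import re

# Constructed sample: four of the SetEnvIfNoCase lines from the workaround above.
HTACCESS = r'''
SetEnvIfNoCase Remote_Addr "^199\.15\.212\." MARKETO=1
SetEnvIfNoCase Remote_Addr "^103\.237\.104\." MARKETO=1
SetEnvIfNoCase Remote_Addr "^192\.28\.144\." MARKETO=1
SetEnvIfNoCase Remote_Addr "^192\.28\.147\." MARKETO=1
'''

DIRECTIVE = re.compile(
    r'^\s*SetEnvIfNoCase\s+Remote_Addr\s+"([^"]+)"\s+(\w+)=(\S+)', re.M)

def load_allowlist(text):
    """Compile every pattern that sets MARKETO (case-insensitive, as SetEnvIfNoCase is)."""
    return [re.compile(pattern, re.I)
            for pattern, var, _value in DIRECTIVE.findall(text)
            if var == "MARKETO"]

def is_forbidden(remote_addr, query_string, allowlist):
    """Mirror the two ANDed RewriteCond lines and the [F] rule; True means 403."""
    # RewriteCond %{QUERY_STRING} entryPoint=market  (unanchored, case-sensitive)
    targets_webhook = re.search(r"entryPoint=market", query_string) is not None
    # RewriteCond %{ENV:MARKETO} ^$  (variable unset or empty)
    marketo_unset = not any(p.search(remote_addr) for p in allowlist)
    return targets_webhook and marketo_unset

def audit(requests, text=HTACCESS):
    """Return (address, query, verdict) for each constructed request."""
    allowlist = load_allowlist(text)
    return [(addr, qs, "403" if is_forbidden(addr, qs, allowlist) else "pass")
            for addr, qs in requests]

if __name__ == "__main__":
    # Constructed requests: one listed prefix, one adjacent unlisted /24,
    # one documentation-range address, and one non-webhook request.
    samples = [
        ("199.15.212.40", "entryPoint=marketoExample"),
        ("192.28.148.9", "entryPoint=marketoExample"),
        ("203.0.113.10", "entryPoint=marketoExample"),
        ("203.0.113.10", "module=Accounts&action=index"),
    ]
    for addr, qs, verdict in audit(samples):
        print(f"{addr:<15} {qs:<32} {verdict}")
```

To check a real deployment, pass the contents of the instance's own .htaccess file as `text`. The comparison uses the address Apache sees, so behind a reverse proxy or load balancer that is the proxy's address unless the server is configured to restore the client address.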

This release addresses bugs identified in prior releases. Information on fixed bugs can be found in our release notes.

 

More information on Marketo Connector 3.1.0, including supported platforms, user guide, and the installation guide can be found on the Installable Connectors page.

 

If you want to ensure you are up-to-date on all our latest releases, please click the 'Follow' button under our 'Releases' category in the community!
