Magento Security Patches
Magento 2.0.16 and 2.1.9 Security Update
Released by Magento on September 14th, 2017, Magento Commerce and Open Source 2.0.16 and 2.1.9 are the latest security releases for both platforms. This update contains over 40 security fixes and enhancements to help prevent the following issues:
- Remote Code Execution (RCE): Remote code execution is a serious threat to your system's operation and carries a severity score of 8.2. The vulnerability in previous versions of Magento Open Source and Magento Commerce increased the risk of an RCE attack by allowing a Magento administrator with limited privileges to inject harmful code while creating a CMS page.
- Information Leak (system): With a severity score of 7.8, this information leak presents a high risk to your Magento platform. The problem in previous versions of Magento Open Source and Magento Commerce increased exposure by allowing a Magento administrator with restricted privileges to use a weakness in the theme-creation feature to delete and/or reveal ordered data and the file system of a Magento installation, which can put the foundation of a Magento store in grave danger.
- Abuse of Functionality: Scoring 6.8 on the severity scale, abuse of functionality is a threat that can result in the loss of important files, data, and information stored in your Magento system. The vulnerability in previous editions of Magento Open Source and Magento Commerce heightened this risk by permitting an admin user with limited rights to use the "delete files" option to upload and delete arbitrary portions of your data and files.
- Unvalidated Redirection: With a severity score of 5.9, an unvalidated redirect presents a medium-level risk to your Magento system. The issue in older editions of Magento Open Source and Magento Commerce allows an attacker to craft a URL to a Magento website that then redirects users to another website hosting malicious content, in order to steal user files, data, passwords, or other sensitive information.
- Insufficient Session Expiration: With a severity score of 5.8, insufficient session expiration can give attackers access to Magento users' personal data and information. A problem in previous editions prevented Magento from properly terminating concurrent sessions, so a customer might assume that all of their sessions had expired after a successful logout when they had not. This increases the chance that an intruder could get into a customer's account through a session that was never expired.
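As an added example (not Forix's or Magento's own code), the following PHP sketches the defender-side checks behind the last two items above: validating a redirect target against the store's own hosts so an attacker-supplied URL cannot send users off-site, and keeping a server-side registry of a user's sessions so that one logout terminates every concurrent session. The allowed host list, the function and class names, and the in-memory session store are assumptions made for illustration.

```php
<?php
// Added example, not Magento code. Names and the host allow-list are hypothetical.
declare(strict_types=1);

/**
 * Return $target only if it stays on this site: either a plain relative path
 * or an absolute http(s) URL whose host is on the allow-list. Anything else
 * (off-site host, javascript:/data: scheme, protocol-relative "//host" or
 * "/\host" tricks, userinfo "host@evil") falls back to $fallback.
 */
function safeRedirectTarget(string $target, array $allowedHosts, string $fallback = '/'): string
{
    // "//evil.example" and "/\evil.example" are treated as absolute by browsers.
    if (preg_match('~^[/\\\\]{2}~', $target) === 1) {
        return $fallback;
    }
    // A single leading slash is a site-relative path and never leaves the site.
    if (substr($target, 0, 1) === '/') {
        return $target;
    }
    $parts = parse_url($target);
    if ($parts === false || !isset($parts['host'])) {
        return $fallback;           // unparsable, or no host at all (e.g. "evil.example/x")
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true)) {
        return $fallback;           // javascript:, data:, etc.
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return $fallback;           // parse_url already split "shop@evil" so host is "evil"
    }
    return $target;
}

/**
 * Minimal server-side registry mapping a user to their live session IDs.
 * A real deployment would back this with the session storage (DB or Redis);
 * the array is an in-memory stand-in so the example runs on its own.
 */
final class SessionRegistry
{
    /** @var array<string, array<string, int>> userId => [sessionId => expiresAt] */
    private $sessions = [];

    public function register(string $userId, string $sessionId, int $now, int $lifetimeSeconds): void
    {
        $this->sessions[$userId][$sessionId] = $now + $lifetimeSeconds;
    }

    /** A session is valid only if it is still registered and not past its expiry. */
    public function isValid(string $userId, string $sessionId, int $now): bool
    {
        $expiresAt = $this->sessions[$userId][$sessionId] ?? null;
        return $expiresAt !== null && $expiresAt > $now;
    }

    /** Logging out on one device terminates every session the user holds. */
    public function logoutAll(string $userId): int
    {
        $count = count($this->sessions[$userId] ?? []);
        unset($this->sessions[$userId]);
        return $count;
    }
}

// Constructed demonstration values.
$allowedHosts = ['shop.example', 'www.shop.example'];
foreach ([
    '/checkout/cart',                          // relative path: kept
    'https://shop.example/customer/account',   // own host: kept
    'https://attacker.example/login',          // off-site host: falls back
    '//attacker.example',                      // protocol-relative: falls back
    'https://shop.example@attacker.example/',  // userinfo trick: falls back
] as $candidate) {
    printf("%-45s -> %s\n", $candidate, safeRedirectTarget($candidate, $allowedHosts));
}

$registry = new SessionRegistry();
$registry->register('customer-42', 'sess-laptop', 1000, 3600);
$registry->register('customer-42', 'sess-phone', 1000, 3600);
$registry->logoutAll('customer-42');   // logout from the laptop...
printf("phone session still valid: %s\n",
    $registry->isValid('customer-42', 'sess-phone', 1500) ? 'yes' : 'no');   // ...also ends the phone session
```

The redirect check deliberately accepts only a fixed list of hostnames rather than checking whether a string "contains" the store's domain, since substring checks are what lets `shop.example.attacker.example` through; the session registry shows the property the update restores, namely that a logout invalidates sessions server-side instead of relying on each client to discard its cookie.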
Although no attacks exploiting the vulnerabilities fixed by the Magento 2.0.16 and 2.1.9 Security Update have been reported at this time, some of these vulnerabilities could allow attackers to infiltrate the system, obtain customer information, or take over administrator sessions. Forix therefore recommends that all Magento users upgrade their current software to gain these protections and ensure the safety of their system.
In addition to the security fixes above, the Magento 2.0.16 and 2.1.9 Security Update also includes functional improvements:
- Support for the USPS API change that USPS completed on September 1, 2017. In previous editions of Magento Open Source and Commerce, USPS First-Class Mail was missing from the shipping choices. After this upgrade is installed, Magento correctly displays the domestic rate for USPS First-Class Mail to users.
- Exception logging: With this upgrade, Magento now records all exception data in the exception.log file when a checkout payment fails. In previous versions of Magento Open Source and Commerce, Magento did not log exception information to exception.log on a failed checkout payment, which hampered all troubleshooting efforts.
Get Magento 2.0.16 and 2.1.9 Security Update Installed Today
The specialists at Forix have extensive experience with Magento security updates such as 2.0.16 and 2.1.9 and can provide the support needed to make your installation successful and stress-free.