Magento Security Patch SUPEE-6788 Address Zend Framework Vulnerability Update

The Magento Security Patch SUPEE-6788 Zend Framework Vulnerability Update was released on October 31, 2015 to repair vulnerabilities in Zend revealed by recent attacks. This patch is also included in the latest Magento Commerce and Open Source editions. Forix recommends vendors install this update today to remove vulnerabilities in the Zend Framework. Learn more about what security issues were repaired and how Forix can help with installation.

Benefits of Magento Security Patch SUPEE-6788 Zend Framework Vulnerability Update

The Security Patch SUPEE-6788 Zend Framework Vulnerability Update repairs security issues exposed in the Zend Framework, specifically exploitation via crafted XML requests. By installing the patch, vendors protect their encrypted data from possible exposure.

Release Information

Magento Security Patch SUPEE-6788 Zend Framework Vulnerability Update is a stand-alone security patch. Customers can also upgrade to more recent versions of Magento products that include the patch. This update protects against a security risk in the Zend framework wherein attackers using specially designed requests could gain access to system files in multiple server configurations.

Forix encourages vendors to always follow best practices regarding the security of their sites. Forix also recommends that vendors keep their sites updated and watch for new patches.

Installation

Forix recommends that customers download the patch through the option that matches their edition or role:

  • Partners
    Partners need to navigate to the Partner Portal, choose Technical Resources, then select Download from the Commerce panel. Next, partners should go to Magento Commerce Edition > Patches and Support to find the “Security Patches – October 2015” folder.
  • Magento Commerce Edition Vendors
    Commerce Edition vendors must access My Account and click the Downloads tab. There, they will find Magento Commerce Edition > Support patches. Search for the “Security Patches – October 2015” folder to get the latest patch. Upgrading to the most recent Commerce Edition version includes this security patch.
  • Magento Open Source Edition Vendors
    Open Source Edition vendors can search for patches for previous versions of Magento Open Source Edition on the download page (search for SUPEE-6788). More recent Open Source Edition versions include this security patch.

Issue Addressed

The specific risk addressed by Magento Security Patch SUPEE-6788 Zend Framework Vulnerability Update is unauthorized remote exploitation. Applications running Zend_XmlRpc_Server with a publicly reachable XML-RPC endpoint can be attacked with crafted requests. Authentication does not block the attack: the XML body must be parsed before the application can read any login credentials it carries, so any malicious entities in the xml-formatted input are processed first.

The XXE injection risk affects Zend Framework 1 versions from 1.12.4 through 1.12.13 and Zend Framework 2 versions from 2.1.6 through 2.4.2, the most recent releases at the time. The exploit applies to applications served through PHP-FPM whose XML parser is configured to resolve external entities.
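The defensive pattern described above, as an added example that is not Magento's or Zend Framework's own code: an XML-RPC request body is parsed with the libxml entity loader disabled and any DOCTYPE declaration (the only place an entity can be defined) is rejected before the application looks at the method name or parameters. It assumes PHP 5.4 or later with the dom and libxml extensions; the function name, the sample requests and the entity path are constructed for this illustration.

```php
<?php
// Added example, not Magento's or Zend Framework's code.
// Parse an XML-RPC request safely: no external entity resolution,
// and refuse documents that carry a DOCTYPE at all.
function parseXmlRpcBody($body)
{
    // Stop libxml from fetching external DTDs/entities while parsing.
    // Deprecated in PHP 8 (loader is off by default there) but required
    // on the PHP 5.x/7.x versions Magento 1 ran on.
    $previousLoader = libxml_disable_entity_loader(true);
    $previousErrors = libxml_use_internal_errors(true); // keep parse errors internal

    $dom = new DOMDocument();
    // LIBXML_NONET blocks network access; never pass LIBXML_NOENT or LIBXML_DTDLOAD.
    $loaded = $dom->loadXML($body, LIBXML_NONET);

    libxml_use_internal_errors($previousErrors);
    libxml_disable_entity_loader($previousLoader);

    if (!$loaded) {
        throw new InvalidArgumentException('Malformed XML-RPC request');
    }
    // A DOCTYPE node as a child of the document means an internal subset
    // or external DTD was supplied; legitimate XML-RPC never needs one.
    foreach ($dom->childNodes as $child) {
        if ($child->nodeType === XML_DOCUMENT_TYPE_NODE) {
            throw new InvalidArgumentException('DOCTYPE declarations are not accepted');
        }
    }
    if ($dom->documentElement === null || $dom->documentElement->nodeName !== 'methodCall') {
        throw new InvalidArgumentException('Not an XML-RPC methodCall');
    }
    return $dom;
}

// Constructed sample request bodies (not real traffic); the entity path is a placeholder.
$benign  = '<?xml version="1.0"?><methodCall><methodName>catalog.list</methodName><params/></methodCall>';
$hostile = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY ext SYSTEM "file:///placeholder/path">]>'
         . '<methodCall><methodName>&ext;</methodName></methodCall>';

foreach (array('benign' => $benign, 'hostile' => $hostile) as $label => $body) {
    try {
        $dom = parseXmlRpcBody($body);
        echo "$label: accepted, method=" . $dom->getElementsByTagName('methodName')->item(0)->textContent . "\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected (" . $e->getMessage() . ")\n";
    }
}
```

The benign request is accepted and its method name read; the hostile one is rejected on the DOCTYPE check before any entity could be expanded, which is the behaviour a patched XML-RPC endpoint should exhibit.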

Install the Magento Security Patch SUPEE-6788 Zend Framework Vulnerability Update Today

Forix recommends that all merchants upgrade to the latest versions of Magento products or install the Magento Security Patch SUPEE-6788 Zend Framework Vulnerability Update today. By installing or upgrading, you protect your site from this attack. To help protect customers, Forix can assist with installing the updates or upgrades and guarantees a trouble-free installation process. Protect your storefront today!

Resources:
https://magento.com/security/patches/supee-6788-%E2%80%93-addresses-vulnerability-zend-framework