Magento Security Patches
Magento Security Patch SUPEE-9652
Released on February 6, 2017, SUPEE-9652 is the latest security patch update for both the Enterprise Edition 188.8.131.52 and the Community Edition 184.108.40.206 platforms. Above all, this upgrade addresses an extremely critical vulnerability in the Zend library that allows a form of attack known as remote code execution (RCE). In addition to this serious vulnerability, SUPEE-9652 addresses a multitude of security-related issues and offers a selection of functional improvements. The following list covers the issues detected in earlier editions of the Magento platforms, which your Magento store may be exposed to until SUPEE-9652 is installed.
- Zend Framework Email Issue. A significant problem has been detected in the Zend Framework 1 and 2 email component, which is incorporated in all Magento 1 and Magento 2 software systems. To protect your site from the risks associated with this problem, promptly review your email sending configuration in the system settings used to manage the “reply to” address for emails sent from your Magento store. In Magento 1, the email configuration settings are accessible by clicking through the following options: System, Configuration, Advanced, System, Mailbox, Sending Settings, Set Return Paths. In Magento 2, these settings are accessible by clicking the following options: Stores, Configuration, Advanced, System, Mail, Sending Settings, Set Return Path. If “Set Return Path” is set to Yes and your server uses Sendmail, your Magento store is at risk for this issue. To protect your server, Magento advises users to switch off the “Set Return Path” setting by changing it from YES to NO.
- Remote Code Execution (RCE). With a severity rating of 9.8, remote code execution using the mail vulnerability can cause major damage to your Magento store. Known as the Zend Framework Vulnerability, the issue found in earlier editions of Magento software allowed code to be executed remotely in Magento 1. The issue is not found in Magento 2, but because the library code was identical it was repaired there as well.
Important Note: Though this issue is rated as supremely critical, only a small number of systems were affected or damaged by the Zend Framework Vulnerability. To be affected by this issue, an installation must:
- Use Sendmail as the mail transfer agent
- Have the configuration described under the bullet point “Zend Framework Email Issue”
- Improper Input Validation. With a security rating of 7.5, improper input validation poses another high risk to a Magento system. Issues discovered in earlier Magento editions made it possible to change the price of a product by taking advantage of accessible parameters and changing their values, allowing users to finish the checkout process with an adjusted price of their choosing.
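The two conditions in the Important Note above (Sendmail as the transfer agent and “Set Return Path” enabled) can be checked against an export of the store configuration. The following is an added example, not Magento's or Forix's code; it assumes rows shaped like Magento's `core_config_data` table, the config path `system/smtp/set_return_path`, that a missing row means No, and hypothetical function names.

```python
RETURN_PATH = "system/smtp/set_return_path"  # config path behind "Set Return Path"
SHIPPED_DEFAULT = "0"  # assumption: the setting is "No" when no row exists


def effective_return_path(rows, store_to_website):
    """Resolve the setting per store view: stores > websites > default."""
    explicit = {(r["scope"], r["scope_id"]): str(r["value"])
                for r in rows if r["path"] == RETURN_PATH}
    result = {}
    for store_id, website_id in store_to_website.items():
        for key in (("stores", store_id), ("websites", website_id), ("default", 0)):
            if key in explicit:
                result[store_id] = (explicit[key], key[0])
                break
        else:
            result[store_id] = (SHIPPED_DEFAULT, "shipped default")
    return result


def at_risk_stores(rows, store_to_website, mta_is_sendmail):
    """Store views meeting both conditions: Sendmail MTA and Set Return Path on."""
    if not mta_is_sendmail:  # supplied by the operator, not detected here
        return []
    resolved = effective_return_path(rows, store_to_website)
    # Assumption: any value other than "0" (No) counts as enabled.
    return sorted(sid for sid, (value, _) in resolved.items() if value != "0")


# Constructed sample rows in the shape of core_config_data.
SAMPLE_ROWS = [
    {"scope": "default", "scope_id": 0, "path": RETURN_PATH, "value": "0"},
    {"scope": "websites", "scope_id": 2, "path": RETURN_PATH, "value": "1"},
    {"scope": "stores", "scope_id": 3, "path": RETURN_PATH, "value": "0"},
    {"scope": "default", "scope_id": 0, "path": "system/smtp/disable", "value": "0"},
]
SAMPLE_STORES = {1: 1, 2: 2, 3: 2}  # store view id -> website id (constructed)

if __name__ == "__main__":
    for sid in at_risk_stores(SAMPLE_ROWS, SAMPLE_STORES, mta_is_sendmail=True):
        print(f"store view {sid}: turn Set Return Path off")
```

In the sample, the default scope is set to No but website 2 overrides it, so checking only the default scope would miss the store view that inherits the website value.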
As you can see, installing SUPEE-9652 can help ensure the safety and security of your Magento store and your users. Forix strongly advises that all Magento users download and apply the latest security patch to obtain the necessary security fixes, as well as the functional improvements, for their Magento platforms.
Patches are readily available for owners of the following Magento versions. Review the following options to find the correct one for your system.
- For the owners of Enterprise Edition 220.127.116.11-18.104.22.168, either install and enable SUPEE-9652 or upgrade to Enterprise Edition 22.214.171.124.
- For the owners of Community Edition 126.96.36.199-188.8.131.52, either install and enable SUPEE-9652 or upgrade to Community Edition 184.108.40.206.
Get Magento Security Patch SUPEE-9652 Today
The Magento specialists at Forix have ample experience handling Magento security patch SUPEE-9652 and are happy to assist in order to ensure that your installation process is completed in a proper and timely fashion.