Magento Security Patches
Magento Security Patch SUPEE-9767
Released on May 31, 2017, SUPEE-9767 is the latest update for both the Enterprise Edition 184.108.40.206 and the Community Edition 220.127.116.11 platforms. It addresses critical security issues found in earlier Magento versions; its most important components are security improvements that protect the safety and functionality of your platform. SUPEE-9767 contains fixes for the following identified vulnerabilities:
Remote Code Execution (RCE): RCE has a severity rating of 8.8, meaning instances of remote code execution pose an extremely high risk to your system. RCE issues left unresolved in earlier Magento versions allow the “Allow Symlinks” configuration option to be used to upload one or more images containing dangerous code. The option is disabled by default, but an attacker who gains access to the store’s configuration settings can easily enable it and proceed to inject malicious code. Another major RCE issue in earlier Magento versions allows admins to use the Dataflow and CMS functions to upload and run harmful code within the system.
Cross-Site Scripting (XSS): With a severity level of 8.7, cross-site scripting can cause serious harm to your Magento installation. Earlier versions of Magento do not filter data and uploaded files appropriately, which makes it easy for attackers to infiltrate your system and perform cross-site scripting attacks. Another XSS problem in older editions allows a Magento admin to enter harmful code through configuration settings and inject it into additional admin pages.
Cross-Site Request Forgery (CSRF): Instances of cross-site request forgery pose a high risk to a Magento platform, with a severity rating of 8.0. CSRF issues found in earlier Magento versions do not invalidate form keys when a user logs out, which can permit an attacker to perform actions as an authorized admin without the administrator’s approval or knowledge. Another crucial concern in older Magento versions is a serious vulnerability to CSRF attacks delivered via email messages, which give attackers the ability to modify and collect details of payment information.
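The form-key weakness described above, as an added illustration that is not Magento's own code: a minimal session form-key lifecycle in which the vulnerable variant keeps the key across logout and the corrected variant discards it, so a key captured earlier cannot be replayed after the admin signs in again. The class and method names are hypothetical.

```php
<?php
// Added example (not from Magento): per-session CSRF form key with and
// without invalidation on logout. FormKeySession is a hypothetical class.

final class FormKeySession
{
    private ?string $formKey = null;
    private bool $loggedIn = false;

    public function __construct(private bool $rotateOnLogout) {}

    public function login(): void
    {
        $this->loggedIn = true;
    }

    // Lazily issue an unpredictable key; reused for the life of the session.
    public function formKey(): string
    {
        if ($this->formKey === null) {
            $this->formKey = bin2hex(random_bytes(16));
        }
        return $this->formKey;
    }

    public function logout(): void
    {
        $this->loggedIn = false;
        if ($this->rotateOnLogout) {
            // Corrected behaviour: a key issued before logout is never valid again.
            $this->formKey = null;
        }
    }

    // Server-side check every state-changing POST must pass.
    public function validate(?string $submittedKey): bool
    {
        return $this->loggedIn
            && $this->formKey !== null
            && $submittedKey !== null
            && hash_equals($this->formKey, $submittedKey);
    }
}

foreach ([0 => 'vulnerable', 1 => 'patched'] as $rotate => $label) {
    $session = new FormKeySession((bool) $rotate);
    $session->login();
    $captured = $session->formKey();   // key observed during the first session
    $session->logout();
    $session->login();                 // admin signs in again later
    printf("%s: replayed key accepted? %s\n", $label,
        $session->validate($captured) ? 'yes' : 'no');
}
```

The vulnerable session still honours the previously issued key after a logout/login cycle; the patched session rejects it and issues a fresh key on the next request.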
Privilege Escalation: With a severity rating of 6.5, privilege escalation poses a medium-level risk to your Magento system. Privilege escalation issues spotted in earlier Magento versions give lower-level admins and admins with restricted privileges the ability to change configuration settings, including the capacity to edit PayPal and other payment settings.
Patches are currently available to the owners of the following Magento editions. Consider these two options to decide which is appropriate for your system:
- For Enterprise Edition versions 18.104.22.168-22.214.171.124, either install SUPEE-9767 or upgrade to Enterprise Edition 126.96.36.199.
- For Community Edition versions 188.8.131.52-184.108.40.206, either install SUPEE-9767 or upgrade to Community Edition 220.127.116.11.
Before installing SUPEE-9767, make sure you have disabled the Symlinks option in the Advanced section of the system configuration. If you do not disable it, the value stored in the database will override the setting in the configuration file, and changing it afterwards requires an immediate database adjustment.
Reports indicate that customer registration after checkout can break when the setting ‘Enable Form Key Validation On Checkout’ is enabled. As a result, customers are not registered and proceed through checkout as guests. Further improvements for this issue will be addressed in upcoming patches. For now, those experiencing this issue should apply the following workaround: set ‘Enable Form Key Validation On Checkout’ to DISABLE.
Get SUPEE-9767 Installed Today
The professionals at Forix have worked with Magento security patches and have the knowledge and expertise to help your SUPEE-9767 installation process go as smoothly as possible.