Magento released Magento Commerce and Magento Open Source 2.3.2. Supporting their merchants’ need for secure, high performing sites is a top priority for Magento and this latest release includes several security enhancements as well as substantial performance improvements. Highlights include:
- Security: Multiple enhancements were identified by leveraging Adobe’s sophisticated security tools and the large reach of the Adobe Hacker One bug bounty program.
- Performance: Significant performance enhancements include 20% improvement to storefront page-load times, product images loading concurrently with other page content, and up to 90% improvement in category browsing for merchants with large catalogs.
- Productivity: Several actions are now performed as asynchronous background processes, allowing administrators to continue working while tasks are being processed in the background.
- Quality: Over 130 product quality enhancements across many critical areas of the platform.
Additionally, Magento Commerce and Magento Open Source 2.2.9 and 2.1.18 were released. These versions will also include the security enhancements outlined above. Magento is dedicated to providing as many security fixes and updates as quickly as possible to support all merchants, across all supported Magento versions and editions. As such, Magneto has also released updates, notes, and documentation for the following Magento versions as well:
Magento Commerce and Open Source 2.3.2, 2.2.9 and 2.1.18 contain 75 security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Below are the high severity Magento vulnerabilities addresed by the latest security update:
Issue Type: Remote Code Execution (RCE)
CVSSv3 Severity | Security Bug | Description |
9.1 | Arbitrary code execution through design layout update – CVE-2019-7895 | An authenticated user with admin privileges can execute arbitrary code through a crafted XML layout update. |
9.1 | Arbitrary code execution through product imports and design layout update – CVE-2019-7896 | An authenticated user with admin privileges can execute arbitrary code through combination of product import via crafted csv file and XML layout update. |
9.1 | Security bypass via form data injection – CVE-2019-7871 | An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload. |
9.1 | Arbitrary code execution via malicious XML layouts – CVE-2019-7942 | An authenticated user with admin privileges can execute arbitrary code when creating a product via malicious XML layouts. |
9.0 | Remote code execution through crafted email templates – CVE-2019-7903 | An authenticated user with admin privileges can execute arbitrary code through crafted email template code when previewing the template. |
9.0 | Arbitrary code execution via crafted sitemap creation – CVE-2019-7932 | An authenticated user with admin privileges to create sitemaps can execute arbitrary code by crafted filenames that include php extension within the XML filename. |
9.0 | Arbitrary code execution through malicious elastic search module configuration – CVE-2019-7885 | An authenticated user with privileges to configure the catalog search can execute arbitrary code through malicious configuration of the Elastic search module. |
8.0 | Arbitrary code execution due to unsafe handling of a carrier gateway – CVE-2019-7892 | An authenticated user with admin privileges to access shipment settings can execute arbitrary code through server-side request forgery. |
8.0 | Arbitrary code execution via layout manipulation – CVE-2019-7876 | An authenticated user with privileges to manipulate layout can execute arbitrary code through crafted custom layout update field. |
8.0 | Arbitrary code execution due to unsafe handling of a carrier gateway – CVE-2019-7923 | An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery. |
8.0 | Arbitrary code execution due to unsafe handling of a carrier gateway – CVE-2019-7923 | An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery. |
Issue Type: Injection or SQL Injection (Blind Read)
CVSSv3 Severity | Security Bug | Description |
9.0 | MySQL Error through crafted Elasticsearch query – CVE-2019-7931 | An attacker can tamper with search queries, causing MySQL error, when Elasticsearch is set as search provider. |
8.2 | SQL Injection due to a flaw in MySQL adapter – CVE-2019-7139 | An unauthenticated user in Magento 2.2.x, or an authenticated user in Magento 1.x, can execute SQL statements that allow arbitrary read access to the underlying database. |
5.5 | Unsafe functionality is exposed via email templates manipulation – CVE-2019-7889 | An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model followed by corresponding database modifications. |
Issue Type: Unsafe File Upload
CVSSv3 Severity | Security Bug | Description |
9.1 | Arbitrary code execution via file upload in admin import feature – CVE-2019-7930 | An authenticated user with admin privileges to the import feature can execute arbitrary code by uploading a malicious csv file. |
Issue Type: Information Leakage
CVSSv3 Severity | Security Bug | Description |
8.8 | Insecure object reference via customer REST API – CVE-2019-7950 | Unauthenticated users can pass arbitrary values for company attributes parmeters via POST and PUT action and assign themselves to arbitray company effectively gaining access to company’s confidental information. |
Source: Magento Security
We encourage all our merchants to take the plunge and upgrade to 2.3.2 to take full advantage of all the new features and security advancement updates! Rave Digital will perform a fully secured upgrade, following best practices for backups, upgrades, and updates as outlined by Magento eCommerce!