MAGENTO SECURITY PATCH SUPEE-10570 RELEASED
SUPEE-10570, Magento Commerce 1.14.3.8 and Magento Open Source 1.9.3.8 contain multiple security enhancements that close remote code execution (RCE), cross-site scripting (XSS) and other issues. These releases also include small functional fixes listed in the release notes.
NOTE: Magento was recently informed of an issue with both patch SUPEE-10570 and Magento versions 1.14.3.8/1.9.3.8 that could prevent customers from completing checkout when registering an account during checkout. Magento now provides an updated patch (SUPEE-10570v2) that no longer causes this issue; stores that already applied v1 should revert it and apply v2.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10570 or upgrade to Magento Commerce 1.14.3.8
- Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10570 or upgrade to Magento Open Source 1.9.3.8
The release notes rate each fixed issue with a CVSSv3 severity score. The most notable issues are summarized below, grouped by type:
Issue Type: Remote Code Execution (RCE)
| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 9.8 (Critical) | Remote Code Execution using XML injection | An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution. |
| 9.8 (Critical) | Remote Code Execution, additional fix not included in SUPEE-9652 | A user can insert information in a return path, thereby storing information on the file system that could lead to remote code execution. |
| 8.9 (High) | Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import | An administrator with Import permissions can import an XML file that could provide an opportunity for remote code execution. |
| 7.2 (High) | Remote Code Execution in staging environment | An administrator with limited privileges can inject a malformed configuration that bypasses validation, which could lead to a file redirection that can be leveraged for arbitrary remote code execution. |
Issue Type: Cross-Site Request Forgery (CSRF)
| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 6.4 (Medium) | Cross-Site Request Forgery in store backups | An administrator can be tricked into triggering a system backup by an attacker who has crafted a targeted cross-site request forgery (CSRF) attack. |
Issue Type: Cross-site Scripting (XSS) – stored
| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 5.0 (Medium) | Cross-site Scripting in CMS hierarchy | An administrator with limited privileges can insert script into the CMS hierarchy, which could result in stored cross-site scripting that affects other administrators. |
| 5.0 (Medium) | Cross-site Scripting in custom variables | An administrator with limited privileges can insert script in the custom variable name field, which could result in stored cross-site scripting that affects other administrators. |
Magento strongly recommends deploying these releases right away. Apply and test the patch in a development environment first to confirm that it works as expected (including a registration-during-checkout test run, given the v1 issue above), or consult a professional. After applying, confirm that the patch is recorded as applied, and as v2, before promoting the change to production.
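The following check is an added example, not part of the Magento release notes or of this article's original content. Magento 1 patch scripts append a line to app/etc/applied.patches.list for each patch they apply; the script below reads that file and reports whether SUPEE-10570 is present, whether it is the v2 revision, and whether it was later reverted. It assumes (as a labelled assumption) the pipe-separated line layout shown in the constructed sample, with the patch id in the second field and the revision in the fourth, and that a revert appends a line containing "REVERTED"; the file path and function names are the example's own.

```shell
#!/bin/sh
# Added example: verify that SUPEE-10570 v2 is recorded in app/etc/applied.patches.list.
# ASSUMPTION: each line the patch script appends is pipe-separated, with the patch id
# (e.g. "SUPEE-10570") in field 2 and the revision ("v1"/"v2") in field 4, and a revert
# appends a later line for the same patch containing "REVERTED".

# patch_status FILE PATCHID
# Prints "missing", "reverted", or the revision (v1, v2, ...) of the last entry.
patch_status() {
    file="$1"
    id="$2"
    [ -f "$file" ] || { echo "missing"; return 0; }
    # The last line for this patch id wins (later reverts/reapplies override earlier ones).
    last=$(grep -F "| $id |" "$file" | tail -n 1)
    if [ -z "$last" ]; then
        echo "missing"
    elif printf '%s\n' "$last" | grep -q "REVERTED"; then
        echo "reverted"
    else
        printf '%s\n' "$last" | awk -F'|' '{ gsub(/ /, "", $4); print $4 }'
    fi
}

# check_supee_10570 FILE
# Exit 0 only when SUPEE-10570 v2 is applied; otherwise print what to do and exit 1.
check_supee_10570() {
    status=$(patch_status "$1" "SUPEE-10570")
    case "$status" in
        v2)      echo "SUPEE-10570 v2 applied"; return 0 ;;
        v1)      echo "SUPEE-10570 v1 applied: revert it and apply v2 (v1 breaks registration during checkout)"; return 1 ;;
        missing) echo "SUPEE-10570 not applied"; return 1 ;;
        reverted) echo "SUPEE-10570 was applied and later reverted: apply v2"; return 1 ;;
        *)       echo "SUPEE-10570 present with unexpected revision: $status"; return 1 ;;
    esac
}

# demo: run the check against a constructed (not real) applied.patches.list.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
2018-03-28 09:12:04 UTC | SUPEE-10266 | CE_1.9.3.7 | v1 | abc123 | Mon Mar 26 10:00:00 2018 +0000 | abc123..abc123
2018-03-28 09:15:40 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | def456 | Tue Mar 27 10:00:00 2018 +0000 | def456..def456
EOF
    check_supee_10570 "$tmp" || :
    rm -f "$tmp"
}

# Usage: sh supee_check.sh demo            (constructed sample)
#        sh supee_check.sh /path/to/magento/app/etc/applied.patches.list
case "${1:-}" in
    demo) demo ;;
    "")   : ;;                  # sourced or run without arguments: only define the functions
    *)    check_supee_10570 "$1" ;;
esac
```

The sample run reports "SUPEE-10570 v1 applied" and exits non-zero, which is the condition the NOTE above warns about; pointing the script at a real store's applied.patches.list after installing v2 should report "SUPEE-10570 v2 applied". Because the last matching line decides, a store that applied v1, reverted it with the patch script's revert option, and then applied v2 is reported correctly as v2.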
What else can be done to protect a Magento site?
Apart from installing the security patches, you can have Magento certified professionals conduct a security audit every quarter to confirm that your store remains secure, especially after installing new extensions or making other changes to the site.
If you want help implementing this security patch, or have any questions about SUPEE-10570, please contact our support team of certified Magento developers.