MAGENTO SECURITY PATCH SUPEE-10975 RELEASED

SUPEE-10975, Magento Commerce 1.14.4.0 and Open Source 1.9.4.0 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.4.0: SUPEE-10975 or upgrade to Magento Commerce 1.14.4.0.
  • Magento Open Source 1.5.0.0-1.9.4.0: SUPEE-10975 or upgrade to Magento Open Source 1.9.4.0.

Several high-severity (CVSSv3) issues were found affecting Magento Open Source prior to 1.9.4.0, Magento Commerce prior to 1.14.4.0, Magento 2.1 prior to 2.1.16 and Magento 2.2 prior to 2.2.7. Some of these bugs are listed below:

Issue Type: Brute Force Login / Session Identifier

  CVSSv3 Severity: 9.0
  Security Bug: Stops brute-force requests via basic RSS authentication
  Description: An attacker is able to brute-force requests to the RSS nodes that require admin authentication and, in doing so, guess the admin password.

Issue Type: Compliance Requirement

  CVSSv3 Severity: 9.0
  Security Bug: M1 credit card storage capability
  Description: Removes the functionality that enabled M1 customers to store credit card data in the database.

Issue Type: Remote Code Execution (RCE)

  CVSSv3 Severity: 8.5
  Security Bug: Authenticated RCE using customer import
  Description: Restricts Admin users with access to edit product attributes from running customer imports that execute arbitrary code via a serialized string set as validate_rules on an attribute.

  CVSSv3 Severity: 8.5
  Security Bug: API-based RCE vulnerability
  Description: By activating an API, including the ability to add products, it was possible to send base64-encoded content to an unauthorized file and, with it, execute code remotely.

  CVSSv3 Severity: 8.5
  Security Bug: RCE via unauthorized upload
  Description: Prevents a user from uploading unauthorized files while attaching videos.

  CVSSv3 Severity: 8.5
  Security Bug: Authenticated RCE using dataflow
  Description: Prevents Admin users with access to dataflow functionality from executing arbitrary code using a specially crafted serialized string.

Source: Magento
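As an added example (not part of Magento's advisory or of this post), the following Python script shows one way a defender could spot the brute-force pattern described in the first row above in web server access logs: a single client repeatedly receiving HTTP 401 on admin-protected RSS feeds and then a 200 on the same feed, which is the signature of a guessed password. The log lines are constructed for the example; the `/rss/` path prefix and the `/rss/order/new` and `/rss/catalog/notifystock` paths are assumed to be the admin-protected feeds, and the threshold and time window are arbitrary tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic (not real logs). 203.0.113.7 hammers an
# admin-protected feed with wrong credentials and finally receives a 200;
# 198.51.100.4 is a legitimate user who mistypes a password once.
SAMPLE_LOG = """\
203.0.113.7 - - [25/Nov/2018:10:00:01 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.19"
203.0.113.7 - - [25/Nov/2018:10:00:02 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.19"
198.51.100.4 - - [25/Nov/2018:10:00:02 +0000] "GET /customer/account/login/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2018:10:00:03 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.19"
198.51.100.4 - - [25/Nov/2018:10:00:03 +0000] "GET /rss/catalog/notifystock HTTP/1.1" 401 381 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2018:10:00:04 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.19"
198.51.100.4 - - [25/Nov/2018:10:00:04 +0000] "GET /rss/catalog/notifystock HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [25/Nov/2018:10:00:05 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.19"
203.0.113.7 - - [25/Nov/2018:10:00:06 +0000] "GET /rss/order/new HTTP/1.1" 401 381 "-" "python-requests/2.19"
203.0.113.7 - - [25/Nov/2018:10:00:07 +0000] "GET /rss/order/new HTTP/1.1" 200 1900 "-" "python-requests/2.19"
"""


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
    }


def find_rss_bruteforce(log_text, threshold=5, window=timedelta(minutes=1),
                        path_prefix="/rss/"):
    """Flag clients that collect >= threshold 401s under path_prefix within
    `window`, plus any 200 the same client then gets while that burst is
    still live (a likely successful password guess)."""
    events = [e for e in map(parse_line, log_text.splitlines())
              if e is not None and e["path"].startswith(path_prefix)]
    events.sort(key=lambda e: e["time"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        failures = []        # timestamps of recent 401s (sliding window)
        burst_open = False   # True once this client has tripped the threshold
        for e in evs:
            failures = [t for t in failures if e["time"] - t <= window]
            if not failures:
                burst_open = False   # quiet for a full window: burst expired
            if e["status"] == 401:
                failures.append(e["time"])
                if len(failures) >= threshold and not burst_open:
                    burst_open = True
                    alerts.append({"ip": ip, "kind": "burst",
                                   "failures": len(failures),
                                   "first": failures[0], "last": e["time"]})
            elif e["status"] == 200 and burst_open:
                alerts.append({"ip": ip, "kind": "success_after_burst",
                               "path": e["path"], "time": e["time"]})
                burst_open = False
                failures = []
    return alerts


if __name__ == "__main__":
    for alert in find_rss_bruteforce(SAMPLE_LOG):
        print(alert)
```

The `success_after_burst` alert is the one worth paging on: a burst alone may be a misconfigured feed reader, but a 200 following a burst of 401s from the same client means a credential was accepted and the admin password should be rotated. On a patched store the RSS endpoints are rate-limited, so the burst itself becomes far less effective, but the detection remains useful for catching activity before the patch is applied.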

Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to ensure that your store remains secure, especially if you have installed new extensions or made changes to the site.

If you want help implementing this security patch, or have any questions about the Magento SUPEE-10975 security patch, consult our certified Magento developers or contact our support team.
