MAGENTO SECURITY PATCH SUPEE-10975 RELEASED
SUPEE-10975, Magento Commerce 18.104.22.168 and Open Source 22.214.171.124 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 126.96.36.199-188.8.131.52: SUPEE-10975 or upgrade to Magento Commerce 184.108.40.206.
- Magento Open Source 220.127.116.11-18.104.22.168: SUPEE-10975 or upgrade to Magento Open Source 22.214.171.124.
There were several high CVSSv3 Severity issues found which affected the products Magento Open Source prior to 126.96.36.199, and Magento Commerce prior to 188.8.131.52, Magento 2.1 prior to 2.1.16, Magento 2.2 prior to 2.2.7. Below are the few bugs:
Issue Type: Brute Force Login / Session Identifier
|CVSSv3 Severity||Security Bug||Description|
|9.0||Stops Brute Force Requests via basic RSS authentication||Attacker is able to brute force requests to the RSS nodes that require admin authentication. With this, attacker would be able to guess the admin password.|
Issue Type: Compliance Requirement
|9.0||M1 Credit Card Storage Capability||Removes functionality enabling M1 customers to store credit card data in the database.|
Issue Type: Remote Code Execution (RCE)
|8.5||Authenticated RCE using customer import||Restricts Admin users with access to edit product attributes from running customer imports while executing arbitrary code using a serialized string that have been set as validate_rules on an attribute.|
|8.5||API Based RCE Vulnerability||By activating an API, including the ability to add products, it is possible to send base64-encoded content to an unauthorized file and with it, excute an RCE|
|8.5||RCE Via Unauthorized Upload||Prevents a user from uploading unauthorized files while attaching videos|
|8.5||Authenticated RCE using dataflow||Prevents Admin users with access to dataflow functionallity from executing arbitrary code using a specially crafted serialized string|
It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-10975 patch, please contact our support team.