MAGENTO SECURITY PATCH SUPEE-9652 RELEASED

SUPEE-9652, Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 address the Zend library vulnerability described below.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.1: SUPEE-9652 or upgrade to Enterprise Edition 1.14.3.2
  • Community Edition 1.5.0.1-1.9.3.1: SUPEE-9652 or upgrade to Community Edition 1.9.3.2

There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:

Issue Type: Remote Code Execution (RCE)

 

CVSSv3 Severity Security Bug Description
9.8 (Critical) Remote Code Execution using mail vulnerability Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well. Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:
– use sendmail as the mail transport agent
– have specific, non-default configuration settings

Source: Magento

It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.

What else can be done to protect a Magento site?

Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
&nbps;

Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-9652 patch, please contact our support team.

No Comments

Leave a Comment

Please be polite. We appreciate that.
Your email address will not be published and required fields are marked