MAGENTO SECURITY PATCH SUPEE-9652 RELEASED
SUPEE-9652, Enterprise Edition 184.108.40.206 and Community Edition 220.127.116.11 address the Zend library vulnerability described below.
Patches and upgrades are available for the following Magento versions:
- Enterprise Edition 18.104.22.168-22.214.171.124: SUPEE-9652 or upgrade to Enterprise Edition 126.96.36.199
- Community Edition 188.8.131.52-184.108.40.206: SUPEE-9652 or upgrade to Community Edition 220.127.116.11
Several issues rated by CVSSv3 severity were found to affect Magento products; the bug addressed by this release is described below:
Issue Type: Remote Code Execution (RCE)

| CVSSv3 Severity | Security Bug | Description |
|---|---|---|
| 9.8 (Critical) | Remote Code Execution using mail vulnerability | A Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same, so it was fixed there as well. Note: although the vulnerability is scored as critical, few systems are affected. To be affected, the installation has to (1) use sendmail as the mail transport agent and (2) have specific, non-default configuration settings. |
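The advisory only says that sendmail transport plus non-default mail settings are required. As an added defensive example (not Magento or Zend code), the snippet below assumes that the risk lies in an unvalidated sender/Return-Path value reaching the sendmail transport as an extra command-line parameter, and shows the kind of strict gate a store operator can put in front of any custom mail code. The function names and the sample addresses are constructed for illustration.

```php
<?php
// Added example, not part of Magento or Zend Framework.
// Assumption: a sender/Return-Path value ends up in the "additional
// parameters" string handed to sendmail (e.g. "-f<address>"), so it must
// never contain whitespace, shell metacharacters or a leading dash.

/**
 * Return true only if $address is a plain mailbox that is safe to place
 * after "-f" on a sendmail command line.
 */
function isSafeReturnPath(string $address): bool
{
    // First gate: PHP's own syntactic e-mail validation.
    if (filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // Second gate: no whitespace or shell-sensitive characters, and no
    // leading dash, so the value cannot be read as a further option.
    if (preg_match('/[\s"\'`$&|;<>\\\\()]/', $address) === 1) {
        return false;
    }
    return $address[0] !== '-';
}

/**
 * Build the additional-parameters string for a sendmail-style transport.
 * Throws instead of letting a suspicious value through.
 */
function buildReturnPathParameters(string $address): string
{
    if (!isSafeReturnPath($address)) {
        throw new InvalidArgumentException('Refusing unsafe Return-Path value');
    }
    // The validated value contains no shell-sensitive characters by
    // construction, so it can be appended directly.
    return '-f' . $address;
}

// Constructed sample inputs: one acceptable, two that must be rejected.
$samples = ['shop@example.com', 'bad address@example.com', '-option@example.com'];
foreach ($samples as $sample) {
    try {
        echo $sample, ' => ', buildReturnPathParameters($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $sample, ' => rejected', PHP_EOL;
    }
}
```

A rejected value should be logged by the calling code, since a store that never sets a custom Return-Path should not see such input at all.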
Magento strongly recommends deploying these new releases right away to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected, or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can ask Magento certified professionals to conduct a security audit every quarter to ensure that your store remains secure, especially if you have installed new extensions or made changes to the site.
Consult our certified Magento developers if you want to implement this security patch. If you have any questions regarding the Magento SUPEE-9652 security patch, please contact our support team.