MAGENTO SECURITY PATCH SUPEE-9767 RELEASED
SUPEE-9767, Enterprise Edition 184.108.40.206 and Community Edition 220.127.116.11 address several security issues.
Magento received reports that customer registration after checkout might fail if the option to ‘Enable Form Key Validation On Checkout’ is enabled. This results in customers not being registered but checking out as guests. Magento is working on updated version of the patch. As a workaround, disabling the ‘Enable Form Key Validation On Checkout’ option will revert the incorrect behavior.
Patches and upgrades are available for the following Magento versions:
- Enterprise Edition 18.104.22.168-22.214.171.124: SUPEE-9767 or upgrade to Enterprise Edition 126.96.36.199
- Community Edition 188.8.131.52-184.108.40.206: SUPEE-9767 or upgrade to Community Edition 220.127.116.11
There were several CVSSv3 Severity issues found which affected the Magento products. Below are the few bugs:
Issue Type: Remote Code Execution (RCE)
|CVSSv3 Severity||Security Bug||Description|
|8.8 (High)||Remote Code Execution if the configuration setting allowing symlinks is enabled.||Use of the AllowSymlinks option in configuration settings can enable the upload of an image that contains malicious code. Although this option is disabled by default, an attacker with access to store configuration settings can enable it and remotely execute code.|
|8.8 (High)||Remote Code Execution in DataFlow||Magento administrators with access to DataFlow functionality can use it to upload and execute arbitrary code.|
|8.8 (High)||CSRF after logout – form key not invalidated||Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out.|
It is highly recommended by Magento to deploy these new releases right away, to ensure optimal security and performance. Remember to implement and test the patch in a development environment first to confirm that it works as expected or consult a professional.
What else can be done to protect a Magento site?
Apart from installing the security patches, you can always ask Magento certified professionals to conduct a security audit every quarter to ensure that your store is secured especially if you have installed new extensions and made some changes to the site.
Consult our certified Magento developers, if you want to implement this security patch or have any questions regarding the Magento security SUPEE-9767 patch, please contact our support team.