Magento released Magento Commerce and Magento Open Source 2.3.2. Supporting their merchants’ need for secure, high performing sites is a top priority for Magento and this latest release includes several security enhancements as well as substantial performance improvements. Highlights include:

  • Security: Multiple enhancements were identified by leveraging Adobe’s sophisticated security tools and the large reach of the Adobe HackerOne bug bounty program.
  • Performance: Significant performance enhancements include 20% improvement to storefront page-load times, product images loading concurrently with other page content, and up to 90% improvement in category browsing for merchants with large catalogs.
  • Productivity: Several actions are now performed as asynchronous background processes, allowing administrators to continue working while tasks are being processed in the background.
  • Quality: Over 130 product quality enhancements across many critical areas of the platform.

Additionally, Magento Commerce and Magento Open Source 2.2.9 and 2.1.18 were released. These versions also include the security enhancements outlined above. Magento is dedicated to providing as many security fixes and updates as quickly as possible to support all merchants, across all supported Magento versions and editions. As such, Magento has also released updates, notes, and documentation for the following Magento versions as well:

Magento Commerce and Open Source 2.3.2, 2.2.9 and 2.1.18 contain 75 security enhancements that help close Remote Code Execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities. Below are the high severity Magento vulnerabilities addressed by the latest security update:

Issue Type: Remote Code Execution (RCE)

CVSSv3 Severity | Security Bug | Description
9.1 | Arbitrary code execution through design layout update – CVE-2019-7895 | An authenticated user with admin privileges can execute arbitrary code through a crafted XML layout update.
9.1 | Arbitrary code execution through product imports and design layout update – CVE-2019-7896 | An authenticated user with admin privileges can execute arbitrary code through a combination of product import via a crafted CSV file and an XML layout update.
9.1 | Security bypass via form data injection – CVE-2019-7871 | An authenticated user can inject form data and bypass security protections that prevent arbitrary PHP script upload.
9.1 | Arbitrary code execution via malicious XML layouts – CVE-2019-7942 | An authenticated user with admin privileges can execute arbitrary code when creating a product via malicious XML layouts.
9.0 | Remote code execution through crafted email templates – CVE-2019-7903 | An authenticated user with admin privileges can execute arbitrary code through crafted email template code when previewing the template.
9.0 | Arbitrary code execution via crafted sitemap creation – CVE-2019-7932 | An authenticated user with admin privileges to create sitemaps can execute arbitrary code via crafted filenames that include a PHP extension within the XML filename.
9.0 | Arbitrary code execution through malicious Elasticsearch module configuration – CVE-2019-7885 | An authenticated user with privileges to configure the catalog search can execute arbitrary code through malicious configuration of the Elasticsearch module.
8.0 | Arbitrary code execution due to unsafe handling of a carrier gateway – CVE-2019-7892 | An authenticated user with admin privileges to access shipment settings can execute arbitrary code through server-side request forgery.
8.0 | Arbitrary code execution via layout manipulation – CVE-2019-7876 | An authenticated user with privileges to manipulate layout can execute arbitrary code through a crafted custom layout update field.
8.0 | Arbitrary code execution due to unsafe handling of a carrier gateway – CVE-2019-7923 | An authenticated user with admin privileges to manipulate shipment settings can execute arbitrary code through server-side request forgery.

Issue Type: Injection or SQL Injection (Blind Read)

CVSSv3 Severity | Security Bug | Description
9.0 | MySQL error through crafted Elasticsearch query – CVE-2019-7931 | An attacker can tamper with search queries, causing a MySQL error, when Elasticsearch is set as the search provider.
8.2 | SQL Injection due to a flaw in MySQL adapter – CVE-2019-7139 | An unauthenticated user in Magento 2.2.x, or an authenticated user in Magento 1.x, can execute SQL statements that allow arbitrary read access to the underlying database.
5.5 | Unsafe functionality is exposed via email templates manipulation – CVE-2019-7889 | An authenticated user with marketing manipulation privileges can invoke methods that alter data of the underlying model, followed by corresponding database modifications.

Issue Type: Unsafe File Upload

CVSSv3 Severity | Security Bug | Description
9.1 | Arbitrary code execution via file upload in admin import feature – CVE-2019-7930 | An authenticated user with admin privileges to the import feature can execute arbitrary code by uploading a malicious CSV file.

Issue Type: Information Leakage

CVSSv3 Severity | Security Bug | Description
8.8 | Insecure object reference via customer REST API – CVE-2019-7950 | Unauthenticated users can pass arbitrary values for company attribute parameters via POST and PUT actions and assign themselves to an arbitrary company, effectively gaining access to the company’s confidential information.
Source: Magento

We encourage all our merchants to take the plunge and upgrade to 2.3.2 to take full advantage of the new features and security fixes! Rave Digital will perform a fully secured upgrade, following the best practices for backups, upgrades, and updates outlined by Magento.
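As an added example (not code from Magento’s release notes or from Rave Digital), the following Python script checks whether an installed Magento 2 version is at or above the first release on its branch that carries these fixes, using the versions named above (2.3.2, 2.2.9 and 2.1.18). It reads the version from a composer.lock excerpt; the package names magento/product-community-edition and magento/product-enterprise-edition are the usual Open Source and Commerce metapackages and are an assumption here, and the composer.lock sample is constructed for illustration.

```python
"""Check whether a Magento 2 installation carries the 2.3.2 / 2.2.9 / 2.1.18
security fixes.

Example code added to this page; not Magento's or Rave Digital's own code.
The fixed-release table comes from the release announcement; the package
names and the composer.lock sample below are assumptions / constructed data.
"""
import json
import re

# First release on each supported branch that contains the fixes (from the page).
PATCHED_RELEASES = {
    (2, 3): (2, 3, 2),
    (2, 2): (2, 2, 9),
    (2, 1): (2, 1, 18),
}

# Composer metapackages whose version tracks the Magento release (assumed names).
MAGENTO_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch) from '2.3.1', 'v2.2.8' or '2.3.1-p1'.

    Any suffix after the third component is ignored; anything else raises.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Magento version: %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if version >= fixed release for its branch, False if below.

    Returns None when the branch is not covered by this advisory (for example
    Magento 1.x or 2.0.x), so an uncovered branch never reads as 'patched'.
    """
    major, minor, patch = parse_version(version)
    fixed = PATCHED_RELEASES.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) >= fixed


def status(version):
    """Human-readable verdict used by the command-line entry point."""
    result = is_patched(version)
    if result is None:
        return "%s: branch not covered by this advisory, check separately" % version
    if result:
        return "%s: contains the fixes" % version
    fixed = ".".join(str(n) for n in PATCHED_RELEASES[parse_version(version)[:2]])
    return "%s: UPGRADE REQUIRED (fixed in %s)" % (version, fixed)


def installed_version_from_lock(lock_json):
    """Extract the Magento product version from composer.lock contents."""
    data = json.loads(lock_json)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg["version"]
    raise LookupError("no Magento product package found in composer.lock")


# Constructed composer.lock excerpt; not taken from a real installation.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v4.1.12"},
        {"name": "magento/product-community-edition", "version": "2.3.1"},
    ]
})

if __name__ == "__main__":
    print(status(installed_version_from_lock(SAMPLE_LOCK)))
```

On a real installation, feed the script the contents of composer.lock from the Magento root, or pass the output of bin/magento --version through status() the same way. A branch the table does not list (Magento 1.x, 2.0.x) deliberately returns None rather than True, because this advisory says nothing about those branches.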