What you need to know about Magento’s SUPEE-8788 patch

October 26, 2016 by Leah Na'aman

Magento’s latest security patch, SUPEE-8788, was made available this month to address a large number of issues from various Magento versions. This new release applies to earlier editions of both Magento Community and Magento Enterprise and tackles problems, like vulnerabilities in your checkout and easy access to existing accounts.

The patch has been tagged as ‘high priority’ by Magento, so it’s important to familiarize yourself with this update and apply it as soon as possible. Regarding the safety status of your store, there isn’t any reason to panic, as there are no known attacks, but since these issues are now being highlighted, it’s best to update soon in order to protect your store.

While keeping up to date with Magento announcements, we recommend running regular security sweeps of your eCommerce store to ensure there are no breaches. Additionally, monitoring the performance of your website is a good way to pick up on any abnormalities that could be caused by a malicious attack.

For now, applying SUPEE-8788 will protect your store from a range of vulnerabilities. Here’s everything you need to know…

Who is SUPEE-8788 for?

Patches have been released for both Magento Enterprise Edition and Magento Community Edition:

Magento Enterprise Edition: Versions 1.9.0.0 to 1.14.2.4. Alternatively, you can upgrade to Enterprise Edition 1.14.3 as this patch is now part of that package.

Community Edition: Versions 1.5.0.1 to 1.9.2.4. Alternatively, you can upgrade to Community Edition 1.9.3, as this patch is now included in that version’s core code.

Upgrading to the latest editions will ensure these fixes are applied to your eCommerce store; if you’d rather not, simply deploy the patch.

What will this latest Magento patch fix?

SUPEE-8788 addresses numerous issues found on both the Community Edition prior to 1.9.3 and Enterprise Edition prior to 1.14.3. Here we highlight the most serious vulnerabilities that the latest patch tackles.

Remote Code Execution in checkout

This Remote Code Execution (RCE) fault applies to Magento CE versions preceding 1.9.3 and Magento EE versions prior to 1.14.3.

CVSSv3 Severity: 9.8 (Critical)

This is undoubtedly the most serious issue of the bunch, putting every single one of your customers at risk. The fault allows malicious PHP code to be executed during the checkout process with some payment methods.

SQL injection in Zend Framework

This bug affects both Magento Community and Magento Enterprise in editions prior to CE 1.9.3 and EE 1.14.3.

CVSSv3 Severity: 9.1 (Critical)

Hackers can inject SQL through a flaw in Zend Framework’s ordering and grouping parameters. At present, the only known vulnerability is in the Magento Admin panel and while frontend entry points haven’t been identified, there is the possibility of later discoveries.

Stored XSS in invitations

This issue concerns Magento EE only in versions prior to 1.14.3.

CVSSv3 Severity: 8.2 (High)

While there are no known attacks, this bug allows malicious users to manipulate the Magento EE invitations feature to insert JavaScript that can be executed.

Block cache exploit

This issue concerns Magento EE versions prior to 1.14.3 and CE preceding 1.9.3.

CVSSv3 Severity: 7.7 (High)

This vulnerability requires an attacker to gain administrator permissions and can result in the acquiring of sensitive information such as encryption keys, store configuration and database connection details. Once a malicious user has access to any CMS functionality, blocks can be utilized to extract information stored in cache.

Log in as another customer

Vulnerability affects Magento EE versions prior to 1.14.3 and CE preceding 1.9.3.

CVSSv3 Severity: 7.5 (High)

This data protection bug allows hackers to log into your eCommerce store as an existing customer without a password once they know the email address.

Remote Code Execution in admin

Relevant to Magento EE versions prior to 1.14.3 and CE versions prior to 1.9.3.

CVSSv3 Severity: 6.5 (Medium)

This RCE vulnerability can give access to unserialized data. It occurs in the import/export functionality when information is passed from the Admin dashboard without the necessary checks, allowing malicious users to extract information.

Poisoning of Full-Page Cache

Only affects Magento EE versions prior to 1.14.3.

CVSSv3 Severity: 6.5 (Medium)

With this flaw in place, hackers can manipulate your eCommerce store’s full-page cache into storing false pages under regular URL entries.

XSS vulnerability in URL processing

Affects Magento EE versions prior to 1.14.3 and CE versions before 1.9.3.

CVSSv3 Severity: 6.5 (Medium)

This cross-site scripting weakness is caused by a Magento function related to URL processing. User-supplied data in request headers is used without proper handling, leading to XSS problems.

Changes caused by applying SUPEE-8788

For a comprehensive real-time list, you can visit this thread on Magento.StackExchange, but we’ll highlight the most notable ones here:

  • Flash support has been dropped in favour of a full Mage_Uploader module. This has also resulted in the Mage_Downloadable module using Mage_Uploader_Block_Single instead of templates as the upload block.
  • Address Deletion and Wishlist Item Removal controllers are now protected with form keys.
  • Payment through PayPal Express has been altered and the new user is now created before the new quote is processed.
  • You can now adjust maximum dimensions for product images in the config.

Do I really need to bother with the new Magento Security Patch?

SUPEE-8788 covers a lot of ground, fixing a range of vulnerabilities that put both you and your customers at the mercy of attacks. Most of the issues haven’t yet been manipulated by malicious users, however, now that the vulnerabilities have been highlighted, your eCommerce store is at a greater risk if you’re running older versions of CE and EE.

There were some compatibility issues with the first version of this patch, which was released earlier this month, but Magento has since ironed out those wrinkles and, as far as the community is concerned, V2 is a success.

If you applied V1 to your store, the best thing to do is revert that version and install V2 instead.

So how do I get my hands on this new security patch?

There are a number of ways to access the patch, depending on your circumstance:

Partners

  • Go to Partners Portal.
  • Proceed through the following path:
    • Magento Enterprise Edition
    • Magento Enterprise Edition 1.X
    • Magento Enterprise Edition 1.x
    • Support and Security Patches
    • Security Patches
    • Security Patches – October 2016

Enterprise Edition Merchants

  • Go to My Account.
  • Proceed through the following path:
    • Downloads Tab
    • Magento Enterprise Edition 1.X
    • Magento Enterprise Edition 1.x
    • Support and Security Patches
    • Security Patches
    • Security Patches – October 2016

Community Edition Merchants

  • Go to Community Edition Download Page.
  • Proceed through the following path:
    • Release Archive Tab
    • Magento Community Edition Patches – 1.x Section

When installing the patch, test it in development first to identify any customizations or extensions on your site that might interfere with the successful application of the patch or with your store’s functionality. We also recommend ensuring older patches have been installed correctly before applying SUPEE-8788.
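One way to check the two points above (whether a store is still on V1 and whether earlier patches are recorded at all) is to read the store’s app/etc/applied.patches.list, the file Magento 1’s patch script appends to. The script below is an added example, not code from the article or from Magento; the pipe-separated line layout it parses is an assumption about that file’s format, and the sample list it writes is constructed (SUPEE-0000 is a placeholder id).

```shell
#!/bin/sh
# Added example (not from the article or Magento): report which revision of a
# SUPEE patch is recorded in a Magento 1 store's app/etc/applied.patches.list,
# so a V1 install of SUPEE-8788 can be spotted and replaced with V2.
# ASSUMPTION: each line is "date | patch | edition_version | revision | ...".

# Write a constructed sample list (not a real store's file) and print its path.
# SUPEE-0000 is a placeholder for an earlier, already-applied patch.
write_sample_list() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
2016-08-03 10:11:12 UTC | SUPEE-0000 | CE_1.9.2.4 | v1 | 0000000 | constructed
2016-10-13 11:15:47 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | 1111111 | constructed
2016-10-20 09:02:11 UTC | SUPEE-8788 | CE_1.9.2.4 | v2 | 2222222 | constructed
EOF
    echo "$f"
}

# supee_revision LIST PATCH: print the latest revision recorded for PATCH,
# or "missing" if it never appears. Whitespace around fields is trimmed.
supee_revision() {
    awk -F'|' -v p="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $4) }
        $2 == p { rev = $4 }
        END { if (rev == "") print "missing"; else print rev }' "$1"
}

# supee_8788_check LIST: exit 0 when V2 is recorded, 2 when only V1 is
# (the article's advice: revert V1 and install V2), 1 when nothing is recorded.
supee_8788_check() {
    case "$(supee_revision "$1" SUPEE-8788)" in
        v2)      echo "SUPEE-8788 v2 recorded";                    return 0 ;;
        v1)      echo "SUPEE-8788 v1 recorded: revert it, apply v2"; return 2 ;;
        missing) echo "SUPEE-8788 not recorded";                   return 1 ;;
        *)       echo "unexpected revision entry";                 return 3 ;;
    esac
}

# Against a real store: supee_8788_check /path/to/magento/app/etc/applied.patches.list
```

Because revert entries are not modelled here, treat the result as a prompt to inspect the store, not as proof that the code on disk matches the list.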

We’d love to hear your thoughts on the latest patch and don’t forget to keep an eye on the blog for the latest in Magento and eCommerce news.


Author

Leah Na’aman