Extending the June 25 Security Update to Older Versions of Magento

jeanne_frontain
Adobe Team

To provide enhanced security for customers using older versions of the Magento platform, we are backporting a fix from the security patch we released on June 25 (Magento 2.3.2, 2.2.9 and 2.1.18 Security Update) to additional versions of Magento Commerce and Magento Open Source.


This issue was addressed in Magento 2.3.2, 2.2.9, and 2.1.18 and is described as CVE-2019-7877 in the Magento 2.3.2, 2.2.9 and 2.1.18 Security Update. We are now offering patches for older versions. Although we have not seen many exploits related to this vulnerability, we strongly recommend that all users of the affected versions of Magento download and apply the appropriate patch as soon as possible.


This vulnerability results from the combination of a flaw in an HTML sanitizer and an authenticated Phar file deserialization. An attacker can chain the resulting unauthenticated cross-site scripting vulnerability with the authenticated Phar deserialization vulnerability to inject JavaScript into the Magento Admin, and subsequently run malicious code in a store user's browser.


Affected Magento versions

The issue affects the following Magento versions (on-premises and cloud):

  • Magento Open Source v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
  • Magento Commerce v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases
  • Magento Commerce Cloud v2.3.1, 2.3.0, 2.2.8, and earlier 2.2.x releases

Note: Patches have been tested on Magento versions 2.3.1, 2.3.0, 2.2.8 and 2.2.7 only. Deployments running on older versions of Magento are vulnerable and should be upgraded.


Patch information

There are Git-based and Composer-based patches for both the Magento 2.3.x and 2.2.x releases.


Magento 2.2.x releases:

PRODSECBUG-2233-2.2.x.patch

PRODSECBUG-2233-2.2.x.composer.patch


Magento 2.3.x releases:

PRODSECBUG-2233-2.3.x.patch

PRODSECBUG-2233-2.3.x.composer.patch


How to apply the patch

Patches are available from the Magento Download page for Magento Open Source, or through your Magento account for Magento Commerce. Locate the patch by name. We provide Git-based and Composer-based patches. See Applying patches for additional information.


For Magento Commerce Cloud, download the appropriate Magento Commerce version patch and see Apply custom patches.
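As an added example (not code from this post or from Adobe/Magento), a small POSIX shell script that picks the Git-based or Composer-based flavour of a PRODSECBUG-2233 patch for an install directory and applies it only after a dry run succeeds. It assumes the convention in Magento's Applying patches documentation (Git-based patches via `git apply`, Composer-based ones via `patch -p1`, then a cache clean); the install path and patch file name passed on the command line are placeholders.

```shell
#!/bin/sh
# Added example: apply a PRODSECBUG-2233 patch to a Magento 2.2.x/2.3.x install.
# Assumption: Git-based patch -> `git apply`, Composer-based patch -> `patch -p1`,
# as in Magento's Applying patches documentation.
set -eu

# Report which patch flavour fits an install directory: "git" for a git
# checkout (use PRODSECBUG-2233-2.x.x.patch), otherwise "composer"
# (use PRODSECBUG-2233-2.x.x.composer.patch).
patch_mode() {
    if [ -d "$1/.git" ]; then
        echo git
    else
        echo composer
    fi
}

# Dry-run first, then apply, then clean the Magento cache. Returns non-zero
# on any failure so a deployment script stops before touching the store.
apply_magento_patch() {
    install_dir=$1
    patch_file=$2
    # The patch is applied from inside the install dir, so make the path absolute.
    case "$patch_file" in
        /*) ;;
        *) patch_file=$PWD/$patch_file ;;
    esac
    if [ ! -f "$patch_file" ]; then
        echo "patch file not found: $patch_file" >&2
        return 1
    fi
    case "$(patch_mode "$install_dir")" in
        git)
            ( cd "$install_dir" && git apply --check "$patch_file" \
                && git apply "$patch_file" )
            ;;
        composer)
            ( cd "$install_dir" && patch -p1 --dry-run < "$patch_file" >/dev/null \
                && patch -p1 < "$patch_file" )
            ;;
    esac
    # Refresh caches so the patched code is served immediately.
    ( cd "$install_dir" && php bin/magento cache:clean )
}

# Usage: ./apply_patch.sh /path/to/magento /path/to/PRODSECBUG-2233-2.3.x.patch
if [ $# -eq 2 ]; then
    apply_magento_patch "$1" "$2"
fi
```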