On January 30 Magento released an update which contains over 30 security enhancements and over 250 functional enhancements. This update should be installed as soon as possible to close the vulnerabilities. Patch 2.3.3.1 contains only the security fixes.
Magento 2.3.4 has not been tested with PHP 7.1 because 7.1 is no longer officially supported. It is recommended to upgrade to a newer PHP version.
The security patch (APSB20-02) is also available for version 2.2.11, 1.14.4.4, and 1.9.4.4.
Security Fixes (all versions)
The found vulnerabilities allow hackers cross-site scripting (XSS) and remote code execution. However there are no confirmed attacks related to the known issues to date. Most of the exploits require Admin access, that’s why it is very important, that you have a safe access to your admin panal. The use of IP whitelisting, two-factor authentication or an unique location rather than /admin is recommended.
- Stored cross-site scripting (PRODSECBUG-2543, PRODSECBUG-2599)
- Sensitive information disclosure (important)
- Arbitrary code execution (PRODSECBUG-2579)
- Deserialization of untrusted data (critical)
- Path traversal (PRODSECBUG-2632)
- Sensitive information disclosure (important)
- Arbitrary code execution (PRODSECBUG-2633)
- Security bypass (critical)
- SQL injection (PRODSECBUG-2660)
- Sensitive information disclosure (critical)
Magento 2.3.4
Additional security enhancements include:
- Removal of custom layout updates and the deprecation of layout updates to remove the opportunity for Remote Code Execution (RCE).
- Redesigned content template features so that only whitelisted variables can be added to templates. This avoids the situation where administrator-defined templates such as email can include variables and directives that can directly call PHP functions on objects.
Platform upgrades
The following platform upgrades help enhance website security and PCI compliance.
- Enhancements to the message queue framework.
- Improved page caching and session storage.
- Enhanced support for MariaDB 10.2.
- The core integration of the Authorize.net payment method has been deprecated.
Performance boosts
This update contains also performance enhancements by following changes:
- Redundant non-cached requests to the server on catalog pages have been eliminated by refactoring the customer section invalidation mechanism and improving banner cache logic.
- PHTML files have been refactored to better support parsing by the bundling mechanism.
- Added the ability to disable statistic collecting for Reports module by default.
Infrastructure improvements
This release contains 250 enhancements to core functionality. To see all the changes visit MagentoDevDocs.
Highlights of the infrastructure improvements are:
- Integration with Adobe Stock image galleries.
- Inventory Management enhancements.
- Improved GraphQL coverage for search, layered navigation, cart functionality.
- Live Chat powered by dotdigital enables merchants to increase conversion rates, and keep customers coming back with real-time engagement.
- PWA Studio enhancements.
- Klarna Payments has a new Data sharing on load field in the Magento configuration that can be set to share customer data either after the transaction is authorized, or when the Klarna payment method is selected during checkout.
Other Magento Versions
Magento 1.9.4.4
Besides the security patch Magento 1.9.4.4 has one fix for:
- The Disable button present when you run the compiler from Admin > System > Tools > Compiler is now enabled as expected.
Magento 2.2.11
Magento 2.2.11 has besides the security patch 24 fixes for following categories:
Cart and checkout, CMS content, configurable products, inventory, import/export, indexing, infrastructure, payment methods, shipping, search, URL rewite, persistent, whishlist.
You can get an overview of the fixes in Magento 2.2.11 in the Magento DevDocs.
Remember to create a backup before installing updates.
Pingback: Magento Tech Digest #97 – Max Pronko