January 13, 2017
The following newly-released software updates address the Zend Framework 1 security vulnerability:
Magento Enterprise Editions 2.1.4 and 2.0.12
Magento Enterprise Cloud Editions 2.1.4 and 2.0.12
Magento Community Editions 2.1.4 and 2.0.12
Magento Enterprise Edition 126.96.36.199, Community Edition 188.8.131.52, and the SUPEE-9652 patch
You can find details for each new version in the Magento 1 (Enterprise Edition or Community Edition), Magento 2, and Magento Enterprise Cloud Edition release notes. Software is available in My Account, on the Community Edition Download Page, and through Composer.
A new vulnerability has been found in a Zend Framework 1 and 2 email component. The component is used by all Magento 1 and Magento 2 software and other PHP solutions. This vulnerability is serious and can lead to a remote code execution attack if your server uses Sendmail as a mail transport agent.
To protect your site from this vulnerability, you should immediately check your mail sending settings. Go to the system settings used to control the “Reply to” address for emails sent from your Magento store:
Magento 1: System-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
Magento 2: Stores-> Configuration-> Advanced-> System-> Mail Sending Settings-> Set Return-Path
If “Set Return-Path” is set to “Yes,” and your server uses Sendmail, then your store is vulnerable to this exploit. Enterprise Cloud Edition customers do not need to worry about this issue. We’ve already checked your configuration and you are not at risk.
While we have not yet observed attacks using this vulnerability, the risk is very high. Until patches are available, we strongly recommend that you turn off the “Set Return-Path” setting (switch to “No”), regardless of the transport agent used. Magento is currently working to provide patches to close this vulnerability and we expect they will be available in the next several weeks.