
Latest Magento Security Update Helps Protect from Recently Reported RCE Vulnerability

November 11, 2019

By: Piotr Kaminski,
Magento Security Team

Magento is committed to delivering security updates to our customers. Because most exploits tend to target software installations that are not up-to-date with the latest security updates, we always strongly recommend that users install security updates as soon as they are available.

Merchants running Magento Commerce 2.3.x should install the latest security update to help protect their stores from attacks that exploit a vulnerability in preview methods. This vulnerability could enable an unauthenticated user to insert a malicious payload into a merchant's site and execute it, which is why we recommend installing this update.

This issue was addressed in Magento Commerce 2.3.3 and in the security-only patch 2.3.2-p2. (See the discussion of CVE-2019-8144 in the Magento 2.3.3 and 2.2.10 Security Update, or the CVE-2019-8144 entry at cve.mitre.org.)

Affected Magento versions

  • Magento Commerce 2.3.1
  • Magento Commerce 2.3.2 (deployments that have not had security-only patch 2.3.2-p2 installed)
  • Unsupported versions of Page Builder, such as Page Builder Beta

Protect your store

Important: We recommend that all merchants, even those who have already upgraded to 2.3.3 or applied security-only patch 2.3.2-p2, review their Magento site to confirm that it was not compromised before the upgrade. Applying the hotfix or upgrading as described in this post will help defend your store against attacks going forward, but it will not undo the effects of an earlier attack.

Recommended action

We recommend that merchants take the actions described below as soon as possible:

Merchants running Magento 2.3.1:

  • Install the MDVA-22979_EE_2.3.1_v1 patch now, and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
  • Review your site and your server for signs of potential compromise.

Please note that after the MDVA-22979_EE_2.3.1_v1 patch has been applied, editing an email template will not work as expected. Editing from the email templates grid continues to work as expected.

Merchants running Magento 2.3.2:

  • Install MDVA-22979_EE_2.3.2_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
  • Review your site and your server for signs of potential compromise.

Merchants running unsupported versions of Page Builder, such as Page Builder Beta, should follow the instructions for the version of Magento 2.3.x they are running.


Patch information

Two patches are available: MDVA-22979_EE_2.3.2_v1 and MDVA-22979_EE_2.3.1_v1. Download the appropriate patch for your deployment from your account on magento.com.


Attention Commerce Cloud customers

To help protect our customers, we have implemented measures designed to block exploitation of this vulnerability. However, these measures have the side effect of preventing administrators from viewing previews for products, blocks, and dynamic blocks. We will re-enable the preview functionality as soon as possible.