Magento 2.0.6 Security Update
May 17, 2016
Magento Enterprise Edition and Community Edition 2.0.6 are now available.
Magento Enterprise Edition and Community Edition 2.0.6 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below.
Merchants who have not previously downloaded a Magento 2.0 release should go straight to Magento Enterprise Edition or Community Edition 2.0.6.
Please refer to Security Best Practices for additional information on how to secure your site.
To download the release, choose from the following options:
| Partners: | |
|---|---|
| Enterprise Edition 2.0.6 (New .zip file installations) | Partner Portal > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.6 |
| Enterprise Edition 2.0.6 (New composer installations) | http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html |
| Enterprise Edition 2.0.6 (Composer upgrades) | http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html |

| Enterprise Edition: | |
|---|---|
| Enterprise Edition 2.0.6 (New .zip file installations) | My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.6 |
| Enterprise Edition 2.0.6 (New composer installations) | http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html |
| Enterprise Edition 2.0.6 (Composer upgrades) | http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html |

| Community Edition: | |
|---|---|
| Community Edition 2.0.6 (New .zip file installations) | Community Edition Download Page > Download Tab |
| Community Edition 2.0.6 (New composer installations) | http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html |
| Community Edition 2.0.6 (Composer upgrades) | http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html |
| Community Edition 2.0.6 (Developers contributing to the CE code base) | http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html |
| APPSEC-1420 - Unauthenticated remote code execution via API | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (Critical) |
| Known Attacks: | None |
| Description: | Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.) |
| Product(s) Affected: | Magento CE and EE 2.0.6 |
| Fixed In: | Magento CE and EE 2.0.6 |
| Reporter: | Netanel Rubin |
| APPSEC-1421 - Unauthenticated reinstallation leading to remote code execution | |
|---|---|
| Type: | Remote Code Execution (RCE) |
| CVSSv3 Severity: | 9.8 (Critical) |
| Known Attacks: | None |
| Description: | The Magento installation code is no longer accessible once the installation process has completed. Previously, an unauthenticated user or user with minimal permissions could execute PHP code on the server because the installation process would leave the /app/etc directory writeable, and many administrators would not change the permissions on this directory after installation. (During installation, the system requires the /app/etc directory to be writeable.) |
| Product(s) Affected: | Magento CE and EE prior to 2.0.6 |
| Fixed In: | Magento CE and EE 2.0.6 |
| Reporter: | Netanel Rubin |
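As an added check for this issue (not Magento's own tooling), the following POSIX shell function audits a finished installation for the condition the description names: app/etc left writeable by the web server account after setup completed. The web server user name (www-data) and the Magento root path are assumptions to be replaced with your own values.

```shell
# Added example, not Magento's own tooling: a post-install audit for the
# condition behind APPSEC-1421 (app/etc still writeable by the web server
# account after setup finished). The web server user name is an assumption;
# pass whatever account your PHP processes run as, e.g. www-data.
# Returns 0 if app/etc is locked down, 1 if it is writeable or setup has not
# completed, 2 if <magento_root>/app/etc does not exist.
check_magento_etc() {
    root=$1; wsuser=$2; etc="$root/app/etc"
    if [ ! -d "$etc" ]; then
        echo "ERROR: $etc does not exist" >&2; return 2
    fi
    # env.php is written at the end of setup; while it is absent the installer
    # legitimately needs write access, so report and stop here.
    if [ ! -f "$etc/env.php" ]; then
        echo "FAIL: $etc/env.php missing, installation has not completed"; return 1
    fi
    # Mode bits and ownership from ls -ld (works on GNU and BSD ls), e.g.
    # "drwxrwxr-x 2 www-data www-data 4096 May 17 12:00 app/etc".
    line=$(ls -ld "$etc")
    owner=$(printf '%s\n' "$line" | awk '{print $3}')
    group=$(printf '%s\n' "$line" | awk '{print $4}')
    perms=$(printf '%s\n' "$line" | cut -c2-10)      # e.g. rwxrwxr-x
    owner_w=$(printf '%s\n' "$perms" | cut -c2)
    group_w=$(printf '%s\n' "$perms" | cut -c5)
    other_w=$(printf '%s\n' "$perms" | cut -c8)
    status=0
    if [ "$other_w" = "w" ]; then
        echo "FAIL: $etc is world-writeable ($perms)"; status=1
    fi
    if [ "$owner" = "$wsuser" ] && [ "$owner_w" = "w" ]; then
        echo "FAIL: $etc is owned by $wsuser with the owner write bit set"; status=1
    fi
    # Group write only matters if the web server account is in that group.
    if [ "$group_w" = "w" ] && id -Gn "$wsuser" 2>/dev/null | tr ' ' '\n' | grep -qx "$group"; then
        echo "FAIL: $etc is group-writeable and $wsuser is in group $group"; status=1
    fi
    if [ "$status" -eq 0 ]; then echo "OK: $etc is not writeable by $wsuser"; fi
    return "$status"
}

# Run directly: sh check_etc.sh /var/www/magento www-data
if [ -n "${1:-}" ]; then check_magento_etc "$1" "${2:-www-data}"; fi
```

A non-zero exit after upgrading to 2.0.6 still means the directory permissions should be tightened; the release removes the installer's reachability, not the permissions left behind by an earlier setup.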
| APPSEC-1422 - Customer account takeover | |
|---|---|
| Type: | Information Disclosure / Leakage (Confidential or Restricted) |
| CVSSv3 Severity: | 7.5 (High) |
| Known Attacks: | None |
| Description: | Magento no longer allows authenticated customers to change other customers' account information using either SOAP or REST calls. Magento now confirms that the ID of the customer whose account is being edited matches the authentication token in use. Previously, a malicious user could hijack a customer account by logging in as an authenticated user, then editing the account of any other user. (The SOAP and REST APIs are enabled by default in most installations.) |
| Product(s) Affected: | Magento CE and EE prior to 2.0.6 |
| Fixed In: | Magento CE and EE 2.0.6 |
| Reporter: | Netanel Rubin |
| APPSEC-1410 - Reflected cross-site scripting in Authorize.net module | |
|---|---|
| Type: | Cross-site scripting (Reflected) |
| CVSSv3 Severity: | 7.4 (High) |
| Known Attacks: | None |
| Description: | Several parameters in the Authorize.net payment module are vulnerable to reflected Cross-Site Scripting (XSS) attacks. Existing protection against such malicious parameters is not enough to stop all types of attacks. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.6 |
| Fixed In: | Magento CE and EE 2.0.6 |
| Reporter: | Matthew Barry |
| APPSEC-1408 - Data privacy issues in APIs | |
|---|---|
| Type: | Information Disclosure / Leakage (Confidential or Restricted) |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | Anonymous users can no longer retrieve the private data of registered customers. To prevent malicious attacks of this type, the quote_id_mask table of the Quote API no longer includes a cart_id_mask value. Only a registered customer can assign a guest cart to himself. Previously, an anonymous user could modify the state (that is, set an active quote) of a registered customer. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.6 |
| Fixed In: | Magento CE and EE 2.0.6 |
| Reporter: | Magento Community |
| APPSEC-1389 - Application information disclosure | |
|---|---|
| Type: | Information disclosure (Internal) |
| CVSSv3 Severity: | 5.3 (Medium) |
| Known Attacks: | None |
| Description: | Application error messages no longer include the path to the file where the error occurred. Previously, when an unhandled exception occurred, Magento would display an error message that could disclose sensitive information such as the location of the file that produced the unhandled exception. A malicious user could use this information to launch attacks against the application. |
| Product(s) Affected: | Magento CE and EE prior to 2.0.6 |
| Fixed In: | Magento CE and EE 2.0.6 |
| Reporter: | Internal |
Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online (http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html).
