MAGENTO 2.2.5 AND 2.1.14 SECURITY UPDATE

June 27, 2018

By: Magento Security Team

Magento Commerce and Open Source 2.2.5 and 2.1.14 contain multiple security enhancements that help close authenticated Admin user remote code execution (RCE), Cross-Site Scripting (XSS) and other vulnerabilities.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.5.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.2.5 (New .zip file installations)

Partner Portal > Downloads  > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.5

Magento Commerce 2.1.14 (New .zip file installations)

Partner Portal > Downloads  > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.14

Magento Commerce 2.2.5 and 2.1.14 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.2.5 and 2.1.14 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.2.5 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.5

Magento Commerce 2.1.14 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.14

Magento Commerce 2.2.5 and 2.1.14 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Commerce 2.2.5 and 2.1.14 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.2.5 and 2.1.14 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.2.5 and 2.1.14 (New composer installations)

https://devdocs.magento.com/guides/v2.2/install-gde/composer.html

Magento Open Source 2.2.5 and 2.1.14 (Composer upgrades)

https://devdocs.magento.com/guides/v2.2/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.2.5 and 2.1.14 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.2/install-gde/install/cli/dev_options.html

APPSEC-2014: Authenticated Remote Code Execution (RCE) through the Magento admin panel (swatches module)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (Critical)
Known Attacks: None
Description:

An administrator user can achieve remote code execution by exploiting a vulnerability in the swatches module.

Product(s) Affected: Magento 2.1 prior to 2.1.14
Fixed In: Magento 2.1.14
Reporter: convenient

APPSEC-2054: Remote Code Execution (RCE) via product import
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.9 (High)
Known Attacks: None
Description:

An administrator user with access to product import can add arbitrary code to the server.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: jazzy2fives

APPSEC-2042: PHP Object Injection and RCE in the Magento 2 EE admin panel (Commerce Target Rule module)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.9 (High)
Known Attacks: None
Description:

PHP Object Injection and RCE in the Magento 2 EE admin panel (Enterprise Target Rule module).

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento Open Source prior to 1.9.3.9, and Magento Commerce prior to 1.14.3.9
Fixed In: Magento 2.1.14, Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752
Reporter: convenient

APPSEC-2055: PHP Object Injection and RCE in the Magento 2 Commerce admin panel (Schedule Import/Export Configuration)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.9 (High)
Known Attacks: None
Description:

An administrator user with access to the scheduled import/export logic can insert malicious data into the export configuration, which can be used for PHP object injection and remote code execution.

Product(s) Affected: Magento 2.1 prior to 2.1.14
Fixed In: Magento 2.1.14
Reporter: convenient

APPSEC-2048: SQL Injection through API
Type: SQL Injection (SQLi)
CVSSv3 Severity: 8.5 (High)
Known Attacks: None
Description:

An authenticated API user can perform a SQL injection by exploiting several API endpoints.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: Sourcebooks, Inc

APPSEC-2025: Arbitrary File Delete via Product Image
Type: Directory Traversal
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator user can delete arbitrary files from the server by sending modified data to the WYSIWYG admin component.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: mortis

APPSEC-2044: Cross-Site Scripting (XSS) through B2B quote
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 8.1 (High)
Known Attacks: None
Description:

A validated B2B customer can inject a malicious script into their account information. This script will then be executed when an admin user views the account details.

Product(s) Affected: Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.2.5
Reporter: mpchadwick

APPSEC-2026: Authenticated Remote Code Execution (RCE) through the Magento admin panel (currency configuration)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.1 (High)
Known Attacks: None
Description:

An administrator user can achieve remote code execution by exploiting a vulnerability in the currency configuration.

Product(s) Affected: Magento 2.1 prior to 2.1.14
Fixed In: Magento 2.1.14
Reporter: convenient

APPSEC-2070: Directory Traversal in Product Import
Type: Directory Traversal
CVSSv3 Severity: 7.6 (High)
Known Attacks: None
Description:

An administrator user with access to product import can perform a directory traversal.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: Internal

APPSEC-2062: Remote Code Execution (RCE) through dev tools
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 7.6 (High)
Known Attacks: None
Description:

Under certain circumstances it is possible for an anonymous user to achieve remote code execution by exploiting the dev tools.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: mortis

APPSEC-2027: PHP Object Injection and Remote Code Execution (RCE) in the Admin panel (Commerce)
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description:

An administrator user with access to the Enterprise Target Rule module can create rule-based product relations that can be manipulated to trigger remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
Reporter: boskostan

APPSEC-2010: Cross-Site Request Forgery + Frontend Stored XSS (Design Configuration)
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 7.1 (High)
Known Attacks: None
Description:

When URL secret keys are disabled, it is possible for an administrator to fall victim to a Cross-Site Request Forgery (CSRF) that can alter the design configuration.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: boskostan

APPSEC-2006: Stored cross-site scripting (XSS) through the Enterprise Logging extension
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description:

The `Enterprise_Logging` extension logs request data when save events are triggered on the website. This information is displayed to administrators with limited privileges who can view the audit log. Although the saved values are escaped before output, the keys are not, which makes it possible to insert cross-site scripting (XSS) on this page.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
Reporter: Peter O'Callaghan

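The escaping gap described in APPSEC-2006 (values escaped, keys not) is easy to reproduce in a stand-alone audit-log renderer. The following is an added example written for this page, not Magento's `Enterprise_Logging` code; the function names and the sample request data are constructed, and the hardened variant shows the fix: every attacker-controlled string, keys included, passes through the same escaping routine.

```php
<?php
// Added example (not Magento code): render logged request data as an HTML table.

function esc(string $s): string
{
    // ENT_QUOTES escapes both quote styles, so the result is safe in text and attributes.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable pattern: only the value is escaped; the key is interpolated raw,
// so a key that contains markup is emitted as live HTML on the audit-log page.
function renderLogVulnerable(array $requestData): string
{
    $rows = '';
    foreach ($requestData as $key => $value) {
        $rows .= "<tr><td>{$key}</td><td>" . esc((string) $value) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

// Hardened pattern: keys and values are both escaped before output.
// The (string) cast matters because PHP turns numeric-string keys into ints.
function renderLogHardened(array $requestData): string
{
    $rows = '';
    foreach ($requestData as $key => $value) {
        $rows .= '<tr><td>' . esc((string) $key) . '</td><td>' . esc((string) $value) . "</td></tr>\n";
    }
    return "<table>\n{$rows}</table>";
}

// Constructed sample: a submitted form whose field *name*, not its value, carries markup.
$sample = [
    'name'     => 'Widget',
    '<b>x</b>' => 'value',
];

echo renderLogVulnerable($sample), "\n"; // the <b> tag survives as markup
echo renderLogHardened($sample), "\n";   // rendered as &lt;b&gt;x&lt;/b&gt;

// Self-check: no raw tag from an input key may reach the hardened output.
if (strpos(renderLogHardened($sample), '<b>') !== false) {
    throw new RuntimeException('key escaping failed');
}
```

The same check applies to any view that prints map-like request data: audit the template for every place a key is echoed, not just the values.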
APPSEC-2030: Cross-Site Scripting (XSS) through the Admin Username in the CMS Revision Editor (Commerce only)
Type: Cross-Site Scripting (XSS)
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

A user with limited administrator permissions can execute scripts during an admin user session. This script will be executed when any user views this page on the storefront.

Product(s) Affected: Magento 2.1 prior to 2.1.14
Fixed In: Magento 2.1.14
Reporter: mpchadwick

APPSEC-1716: X-Frame-Options missing from templates
Type: Security Misconfiguration
CVSSv3 Severity: 3.7 (Low)
Known Attacks: None
Description:

The X-Frame-Options header is used to help prevent clickjacking attacks.

Product(s) Affected: Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento 2.1.14, Magento 2.2.5
Reporter: -

APPSEC-1993: IP Spoofing
Type: Privilege Escalation & Enumeration
CVSSv3 Severity: 3.7 (Low)
Known Attacks: None
Description:

A vulnerability exists that permits the IP spoofing of a client's address, which allows the potential bypassing of any security features that rely on identifying a client by their IP source.

Product(s) Affected: Magento Open Source prior to 1.9.3.9, Magento Commerce prior to 1.14.3.9, Magento 2.1 prior to 2.1.14, Magento 2.2 prior to 2.2.5
Fixed In: Magento Open Source 1.9.3.9, Magento Commerce 1.14.3.9, SUPEE-10752, Magento 2.1.14, Magento 2.2.5
Reporter: driskell

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.