New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.0.1 Security Update

January 20, 2016

Update – January 28, 2016

Today we are distributing new releases that resolve issues encountered by some users when upgrading Magento 2.0.0 and 2.0.1 products. The issues occur with products that were installed from a compressed archive (.tar.gz, .zip, and .bz2); merchants who used other installation options are not affected. Please note that there are no issues with the core Magento application or the security enhancements. More information is available in the detailed TECHNICAL BULLETIN.

Merchants who installed Magento 2.0.0 or 2.0.1 from a compressed archive should take the following actions:

  • Magento Enterprise Edition or Community Edition 2.0.0 or 2.0.1 with PHP5.6: Update the installer from the command line (e.g., “composer update magento/magento-composer-installer”). Once updated, use the Web Setup Wizard or command line to update your installation to Magento Enterprise Edition or Community Edition 2.0.2.

  • Magento Enterprise Edition or Community Edition 2.0.1 with PHP7.0.2: First deploy the MDVA-84 patch. Then update the installer from the command line (e.g., “composer update magento/magento-composer-installer”) and use the Web Setup Wizard or command line to update your installation to Magento Enterprise Edition or Community Edition 2.0.2.

Merchants who installed Magento 2.0.0 or 2.0.1 from composer and do not plan to use PHP7 DO NOT need to take any special actions when upgrading. However, those who wish to use PHP7.0.2+ must deploy the MDVA-84 patch.

Merchants who have yet to download Magento 2.0 should go straight to Magento Enterprise Edition or Community Edition 2.0.2.

The updates are available for download from the following locations:

  • Enterprise Edition:

Enterprise Edition 2.0.2 (New .zip file installations)

MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.2

Enterprise Edition 2.0.2 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.0.2 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Enterprise Edition 2.0.1 Patch (MDVA-84)

MY ACCOUNT > Downloads Tab > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Support Patches


  • Community Edition:

Community Edition 2.0.2 (New .zip file installations)

COMMUNITY EDITION DOWNLOAD PAGE > Download Tab


Community Edition 2.0.2 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Community Edition 2.0.2 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Community Edition 2.0.2 (Developers contributing to the CE code base)

http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

Community Edition 2.0.1 Patch (MDVA-84)

COMMUNITY EDITION DOWNLOAD PAGE > Release Archive Tab > Magento Community Edition Patches – 2.x

Please make these updates as soon as possible to secure your site. 

January 20, 2016

Magento 2.0.1 contains multiple security and functional fixes. You can find more details on the vulnerabilities addressed by this release below:

XSS in backend via user name - APPSEC-1263
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

During customer registration on the storefront, a user can provide a user name that contains JavaScript code. Magento does not properly validate this name, and the code executes in the Admin context when an administrator edits the user in the backend. This JavaScript code could potentially steal the administrator session or act on behalf of a store administrator.

Product(s) Affected: Magento 2 CE & EE prior to 2.0.1
Fixed In: CE & EE 2.0.1
Reporter: Patrick McManaman

Block cache exploit - APPSEC-1247
Type: Information Leakage
CVSSv3 Severity: 7.7 (High)
Known Attacks: None
Description:

With access to any CMS functionality, a user with administrator permissions can use blocks to access information stored in cache. This information includes store configuration, encryption keys, and database connection details. In some cases, a user might be able to execute code.

Product(s) Affected: Magento 2 CE & EE prior to 2.0.1
Fixed In: CE & EE 2.0.1
Reporter: Peter O'Callaghan

Stored XSS in Order Comments - APPSEC-1239
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

A user can append comments to an order using a specially crafted request that relies upon the PayFlow Pro payment module. Magento does not filter the request properly, which potentially results in JavaScript code being saved in the database (see issue APPSEC-1240) and then executed server-side when the administrator tries to view the order. This attack can lead to a takeover of the administrator session or to actions being executed on behalf of the administrator.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe

SQL Injection via layered navigation - APPSEC-1294
Type: SQL Injection
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

Manipulated query parameters can cause blind SQL injection. Blind SQL injection allows a user to test names or values of database fields, or to download the values of database fields in small chunks and, as a result, use multiple queries to download (but not modify) important parts of the Magento database.

Product(s) Affected: Magento 2 CE & EE prior to 2.0.1
Fixed In: CE & EE 2.0.1
Reporter: Liam Tai-Hogan

Guest order view protection code vulnerable to brute-force attack - APPSEC-1270
Type: Information Leakage
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description:

The guest order view protection code makes it possible to access guest order information for some orders. (This is due to how the code is generated and compared with stored values.) While the attack cannot target a specific order or allow a user to view all orders, it can be used to extract order information from the store.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O'Callaghan

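The two properties the APPSEC-1270 description points at (how the code is generated and how it is compared) are what a hardened guest order lookup has to get right. The following is an added illustration written for this page, not Magento's own code; the code length, the lockout threshold, the array-backed order store and the client keying are assumptions:

```php
<?php
// Added example, not Magento code: a guest order lookup code that resists the
// brute force in APPSEC-1270. Two properties matter: the code comes from a
// CSPRNG with enough entropy, and wrong guesses are compared in constant time
// and throttled per client, so values cannot be recovered "in small chunks".
declare(strict_types=1);

const PROTECT_CODE_BYTES = 16;   // 128 bits; assumed length, not Magento's own
const MAX_ATTEMPTS       = 5;    // assumed lockout threshold

/** Generate the code stored with a guest order and shown to the customer once. */
function generateProtectCode(): string
{
    return bin2hex(random_bytes(PROTECT_CODE_BYTES));   // uniform, unguessable
}

/**
 * Look up a guest order. $attempts counts failures per client (keyed by IP or
 * session in a real store); once MAX_ATTEMPTS is reached the client is refused
 * even with the right code, which is the signal to log and alert on.
 */
function viewGuestOrder(array $orders, string $orderId, string $code, array &$attempts, string $client): ?array
{
    if (($attempts[$client] ?? 0) >= MAX_ATTEMPTS) {
        return null;
    }
    $order = $orders[$orderId] ?? null;
    // Always run the comparison, against a dummy of the same length for unknown
    // order ids, so response time does not reveal which ids exist.
    $stored = $order['protect_code'] ?? str_repeat('0', PROTECT_CODE_BYTES * 2);
    $match  = hash_equals($stored, $code);
    if ($order === null || !$match) {
        $attempts[$client] = ($attempts[$client] ?? 0) + 1;
        return null;
    }
    return $order;
}

// Constructed data: one guest order and one client making random guesses.
$orders   = ['100000123' => ['email' => 'guest@example.com', 'protect_code' => generateProtectCode()]];
$attempts = [];
for ($i = 0; $i < MAX_ATTEMPTS; $i++) {
    viewGuestOrder($orders, '100000123', generateProtectCode(), $attempts, '203.0.113.5');
}
// The threshold is now reached: even the genuine code is refused for this client.
$real = $orders['100000123']['protect_code'];
var_dump(viewGuestOrder($orders, '100000123', $real, $attempts, '203.0.113.5') === null);
// A different client presenting the genuine code is still served.
var_dump(viewGuestOrder($orders, '100000123', $real, $attempts, '198.51.100.7') !== null);
```

The lockout path is the one worth wiring to logging: a client that exhausts its attempts is exactly the pattern a detection rule for this class of issue should fire on.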
XSS in Product Custom Options - APPSEC-1267
Type: Cross-site Scripting (XSS) - Stored
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

When a product has a custom option for file upload, a user can upload a file whose file name contains JavaScript code. This code could be executed in the Admin Panel context when an administrator edits the quote that contains the product, allowing either the takeover of an administrator session or the execution of malicious actions by an unauthorized user on behalf of an administrator.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe

Editing or Deleting Reviews without permission - APPSEC-1268
Type: Insufficient Data Protection
CVSSv3 Severity: 5.4 (Medium)
Known Attacks: None
Description:

Insufficient verification of request parameters allows any user to delete or edit product reviews. Edited reviews are returned to a pending state. This attack does not depend on the setting that allows guest users to post reviews. As a result, a malicious user could use the store for spamming purposes or delete all reviews from the store.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Peter O'Callaghan

CAPTCHA Bypass - APPSEC-1283
Type: Brute Force (Generic) / Insufficient Anti-automation
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

A user can bypass CAPTCHA validation on the Magento frontend, which enables unrestricted password guessing attempts. Even with CAPTCHA protection enabled, this increases the risk of spam or password guessing attacks on customer accounts.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Erik Wohllebe

Reflected XSS with cookie header - APPSEC-1255
Type: Cross-site Scripting (XSS) - Reflected
CVSSv3 Severity: 4.7 (Medium)
Known Attacks: None
Description:

Magento sends an unfiltered form key cookie value to the web server as part of the request, and the cookie value is reflected back as part of the form. Reflected XSS issues can lead to attacks in which a trusted site is used in phishing or spam campaigns (for example, redirecting a user to a phishing site).

Product(s) Affected: Magento 2 CE & EE prior to 2.0.1
Fixed In: CE & EE 2.0.1
Reporter: Internal

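APPSEC-1263 (customer name rendered in the admin), APPSEC-1267 (uploaded file name rendered in a quote) and APPSEC-1255 (form key cookie reflected into a form) share one root cause: a value the user controls reaches markup without context-appropriate escaping. The following is an added illustration written for this page, not Magento's code; the escaping helper, the assumed 16-character alphanumeric form key format and the sample inputs are constructed:

```php
<?php
// Added example, not Magento code: escape attacker-influenced values at the point
// of output. Covers the data paths in APPSEC-1263 (customer name shown in the
// admin), APPSEC-1267 (uploaded file name shown in a quote) and APPSEC-1255
// (form key cookie value reflected into a form). The token format is an assumption.
declare(strict_types=1);

/** Escape a value for an HTML text node or a double-quoted attribute value. */
function escapeHtml(string $value): string
{
    // ENT_QUOTES also escapes single quotes; ENT_SUBSTITUTE replaces invalid
    // UTF-8 with U+FFFD instead of returning '' (which would silently blank
    // a malformed name and hide the problem from operators).
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** The application generates form keys itself, so only that alphabet is accepted. */
function sanitizeFormKey(string $cookieValue): string
{
    // Assumed format: 16 alphanumeric characters. Anything else is dropped
    // rather than reflected back into the markup.
    return preg_match('/^[A-Za-z0-9]{16}$/', $cookieValue) === 1 ? $cookieValue : '';
}

// Constructed inputs standing in for the stored/reflected values.
$customerName  = 'Alice <script>alert("name")</script>';
$uploadName    = 'photo"><b>bold</b>.jpg';
$formKeyCookie = 'abc"><i>x</i>';

// Vulnerable pattern (the APPSEC-1263 shape): raw interpolation into admin markup.
$unsafeRow = "<td>$customerName</td>";

// Hardened pattern: escape in the context the value lands in.
$safeRow     = '<td>' . escapeHtml($customerName) . '</td>';
$safeFile    = '<input type="text" value="' . escapeHtml($uploadName) . '">';
$safeFormKey = '<input type="hidden" name="form_key" value="'
    . escapeHtml(sanitizeFormKey($formKeyCookie)) . '">';

echo $safeRow, "\n", $safeFile, "\n", $safeFormKey, "\n";
```

The allow-list check on the form key is the piece that specifically addresses the reflected case: a value the application minted itself never needs characters outside its own alphabet, so rejecting anything else removes the injection path entirely.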
CSRF Delete Items from Cart - APPSEC-1212
Type: Cross-site Request Forgery (CSRF)
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description:

Magento does not validate the form key when deleting items from the shopping cart using a GET request. As a result, a user could use phishing emails or other malicious attacks to trick a customer into deleting items from their cart.

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Shabad Shashidar Reddy

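The fix for a CSRF issue like APPSEC-1212 has two parts: the state-changing action must only accept POST, and the request must carry the session's form key. The following is an added illustration written for this page, not Magento's controller code; the session and cart are plain arrays and the key length is an assumption:

```php
<?php
// Added example, not Magento code: the form-key check that the cart "delete item"
// action in APPSEC-1212 lacked. The key lives in the session and must come back
// in a POST body; a bare GET carrying only an item id is refused. Session and
// cart are plain arrays here to keep the example self-contained.
declare(strict_types=1);

const FORM_KEY_LENGTH = 16;   // assumed token length

/** Create the per-session anti-CSRF token once; render it into every state-changing form. */
function getFormKey(array &$session): string
{
    if (!isset($session['form_key'])) {
        // random_bytes() is CSPRNG-backed; bin2hex() yields FORM_KEY_LENGTH hex chars.
        $session['form_key'] = bin2hex(random_bytes(FORM_KEY_LENGTH / 2));
    }
    return $session['form_key'];
}

/** True only for a POST whose form_key matches the session's key (constant-time compare). */
function isValidCartRequest(array $session, string $method, array $params): bool
{
    if ($method !== 'POST') {
        return false;                                  // state changes never ride on GET
    }
    $expected = $session['form_key'] ?? '';
    $sent     = $params['form_key'] ?? '';
    return $expected !== '' && is_string($sent) && hash_equals($expected, $sent);
}

/** Remove an item; returns false and leaves the cart untouched when the request is rejected. */
function deleteCartItem(array &$cart, array $session, string $method, array $params): bool
{
    if (!isValidCartRequest($session, $method, $params)) {
        return false;   // in a real store: redirect back with an "invalid form key" message
    }
    unset($cart[(int) ($params['id'] ?? 0)]);
    return true;
}

// Constructed walk-through.
$session = [];
$cart    = [7 => 'blue shirt', 9 => 'socks'];
$key     = getFormKey($session);

// Request shape a phishing link produces: GET with only the item id. Refused.
var_dump(deleteCartItem($cart, $session, 'GET', ['id' => 7]));
// Request shape the storefront's own button produces: POST with the session key. Accepted.
var_dump(deleteCartItem($cart, $session, 'POST', ['id' => 7, 'form_key' => $key]));
var_dump(array_keys($cart));
```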
Injected code can be stored in database - APPSEC-1240
Type: Improper Input Handling
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description:

JavaScript code that is passed using the Payflow Pro payment module is not sanitized but is saved to the database. This issue by itself is not a security risk. (This issue is related to APPSEC-1239.)

Product(s) Affected: Magento CE prior to 1.9.2.3, and Magento EE prior to 1.14.2.3; Magento 2 CE & EE prior to 2.0.1
Fixed In: CE 1.9.2.3, EE 1.14.2.3, CE & EE 2.0.1
Reporter: Internal

Incorrect filter - APPSEC-1282
Type: Improper Input Handling
CVSSv3 Severity: 0 (Low)
Known Attacks: None
Description:

A user can easily bypass the MaliciousCode filter function when entering HTML code. However, Magento rarely uses this filter, and none of its current usages allow unauthenticated user input.

Product(s) Affected: Magento 2 CE & EE prior to 2.0.1
Fixed In: CE & EE 2.0.1
Reporter: Peter O'Callaghan

Please refer to Security Best Practices for additional information on how to secure your site.

To download the release, choose from the following options:

Partners:

  • Enterprise Edition 2.0.1 (New Installations): Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release and look for the folder titled "Version 2.0.1".

  • Enterprise Edition 2.0.1 (Upgrade an Existing Installation): Follow the UPGRADE GUIDE.

Enterprise Edition Merchants:

  • Enterprise Edition 2.0.1 (New Installations): Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release. Look for the folder titled “Version 2.0.1.”

  • Enterprise Edition 2.0.1 (Upgrade an Existing Installation): Follow the UPGRADE GUIDE.

Community Edition Merchants:

  • Community Edition 2.0.1 (New Installations): Go to Downloads Page.

  • Community Edition 2.0.1 (Upgrade an Existing Installation): Follow the UPGRADE GUIDE.

  • Community Edition 2.0.1 (Developers Contributing Code to the CE Code Base): Follow the DEVELOPER UPGRADE GUIDE.

Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online.