
Magento 2.0.10 and 2.1.2 Security Update

October 11, 2016

by: Piotr Kaminski,
Magento Security Team

Magento Enterprise Edition and Community Edition 2.0.10 and 2.1.2 contain multiple security enhancements to address a Zend Framework vulnerability, prevent unauthorized users from backing up Magento files, and ensure sessions are invalidated after a user logs out. More information about these issues is provided below.

Merchants who have not previously downloaded a Magento 2.0 release should go straight to one of the fixed releases, Magento Enterprise Edition or Community Edition 2.0.10 or 2.1.2, rather than installing an earlier 2.0.x build and upgrading from it.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Enterprise Edition 2.1.2 (New .zip file installations)

Partner Portal > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.1.2

Enterprise Edition 2.0.10 (New .zip file installations)

Partner Portal > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.10

Enterprise Edition 2.1.2 and 2.0.10 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.1.2 and 2.0.10 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Enterprise Edition:

Enterprise Edition 2.1.2 (New .zip file installations)

My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.1.2

Enterprise Edition 2.0.10 (New .zip file installations)

My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.10

Enterprise Edition 2.1.2 and 2.0.10 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.1.2 and 2.0.10 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Community Edition:

Community Edition 2.1.2 and 2.0.10 (New .zip file installations)

Community Edition Download Page > Download Tab

Community Edition 2.1.2 and 2.0.10 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Community Edition 2.1.2 and 2.0.10 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Community Edition 2.1.2 and 2.0.10 (Developers contributing to the CE code base)

http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html
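
Before choosing one of the download paths above, confirm which branch a store is on and whether it already carries these fixes. The following is an added example, not Magento's own tooling: it reads the edition metapackage entry from a composer.lock (magento/product-community-edition and magento/product-enterprise-edition are the real metapackage names; the lock contents below are constructed) and compares the installed version with the fixed release for that branch, 2.0.10 or 2.1.2.

```python
"""Is this Magento 2 install on a release that carries these fixes?

Added illustrative example (not Magento code). It reads the edition
metapackage from composer.lock and compares the version against the fixed
release for the same minor branch named in this advisory.
"""
import json

# Fixed releases from this advisory, keyed by minor branch (major, minor).
FIXED_BY_BRANCH = {(2, 0): (2, 0, 10), (2, 1): (2, 1, 2)}

# Composer metapackage names for the two editions.
EDITION_PACKAGES = {
    "magento/product-community-edition": "CE",
    "magento/product-enterprise-edition": "EE",
}


def parse_version(text):
    """'2.0.9' -> (2, 0, 9); tolerates a leading 'v' and a suffix such as '-p1'."""
    core = text.lstrip("v").split("-")[0]
    return tuple(int(part) for part in core.split("."))


def find_magento(lock_json):
    """Return (edition, version_tuple) for the Magento metapackage in a composer.lock."""
    lock = json.loads(lock_json)
    for pkg in lock.get("packages", []):
        edition = EDITION_PACKAGES.get(pkg.get("name"))
        if edition:
            return edition, parse_version(pkg["version"])
    raise ValueError("no Magento 2 edition metapackage found in composer.lock")


def assess(lock_json):
    """Classify the install as 'patched', 'vulnerable' or 'not-covered' by this advisory."""
    edition, installed = find_magento(lock_json)
    fixed = FIXED_BY_BRANCH.get(installed[:2])
    if fixed is None:
        status = "not-covered"      # a branch this advisory does not address
    elif installed >= fixed:
        status = "patched"
    else:
        status = "vulnerable"       # older than the fix on the same branch
    return {
        "edition": edition,
        "installed": ".".join(map(str, installed)),
        "fixed_in": ".".join(map(str, fixed)) if fixed else None,
        "status": status,
    }


# Constructed composer.lock excerpts; not taken from any real deployment.
SAMPLE_VULNERABLE = json.dumps({"packages": [
    {"name": "zendframework/zend-db", "version": "2.8.1"},
    {"name": "magento/product-community-edition", "version": "2.1.1"},
]})
SAMPLE_PATCHED = json.dumps({"packages": [
    {"name": "magento/product-enterprise-edition", "version": "2.0.10"},
]})

if __name__ == "__main__":
    for label, lock in (("sample A", SAMPLE_VULNERABLE), ("sample B", SAMPLE_PATCHED)):
        print(label, assess(lock))
```

Point it at the store's own composer.lock (read the file and pass its contents to assess). A "patched" result covers only the fixes in this advisory; "not-covered" means the install is on a branch this page says nothing about, and a .zip install with no composer.lock has to be checked from the release version shown in the Admin footer instead.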

APPSEC-1484 - Remote Code Execution in checkout
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (Critical)
Known Attacks: None
Description: With some payment methods, users can execute malicious PHP code during checkout.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Peter O'Callaghan

APPSEC-1480 - SQL injection in Zend Framework
Type: SQL Injection/Improper validation
CVSSv3 Severity: 9.1 (Critical)
Known Attacks: None
Description: A bug in Zend Framework value escaping allows a malicious user to inject SQL through the ordering or grouping parameters. While there are no known frontend entry point vulnerabilities that would allow for a full SQL injection, we've found an entry point in the Magento Admin panel, and other entry points most likely exist.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Peter O'Callaghan

APPSEC-1503 - Stored Cross-Site Scripting in email templates
Type: Cross-Site Scripting (XSS) - Stored
CVSSv3 Severity: 8.7 (High)
Known Attacks: None
Description: It is possible to store malicious code in email templates that will be executed when the templates are previewed.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: vishwaraj

APPSEC-1488 - Stored XSS in invitations
Type: Cross-Site Scripting (XSS) - Stored
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description: It is possible to use the Magento Enterprise Edition invitations feature to insert malicious JavaScript that might be executed in the admin context.
Product(s) Affected: Magento EE prior to 2.0.10/2.1.2
Fixed In: Magento EE 2.0.10/2.1.2
Reporter: Peter O'Callaghan

APPSEC-1533 - Order item with altered price
Type: Improper input validation
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: It is possible to alter product price by manipulating parameters and completing checkout with the altered price.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Ivan Weiler
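
The advisory does not say which parameter was manipulated, so the following added example (an illustrative Python model, not Magento code; the catalog, request and handler names are constructed) shows the general pattern behind this class of bug: an add-to-cart handler that honours a client-supplied price field beside one that takes only the sku and quantity from the request, prices every line from the catalog, and re-prices the whole cart once more when the order is placed.

```python
"""Server-side pricing: the pattern behind APPSEC-1533.

Added illustrative model, not Magento code. The vulnerable handler honours a
price field that arrives with the add-to-cart request; the hardened handler
takes only sku and qty from the request and prices every line from the
catalog, then re-prices the whole cart again when the order is placed.
"""
from decimal import Decimal

# Constructed catalog: sku -> unit price.
CATALOG = {"sku-123": Decimal("49.99"), "sku-456": Decimal("5.00")}


def add_to_cart_vulnerable(cart, params):
    """Trusts any 'price' the client chooses to send."""
    sku = params["sku"]
    qty = int(params.get("qty", 1))
    price = Decimal(params.get("price", CATALOG[sku]))  # client-controlled
    cart.append({"sku": sku, "qty": qty, "price": price})


def add_to_cart_hardened(cart, params):
    """Only sku and qty come from the client; price always comes from the catalog."""
    sku = params["sku"]
    if sku not in CATALOG:
        raise KeyError(f"unknown sku {sku!r}")
    qty = int(params.get("qty", 1))
    if qty < 1:
        raise ValueError("qty must be a positive integer")
    cart.append({"sku": sku, "qty": qty, "price": CATALOG[sku]})


def cart_total(cart):
    return sum(line["price"] * line["qty"] for line in cart)


def place_order(cart):
    """Final check at checkout: recompute from the catalog and refuse if the cart disagrees.

    Cart rows may have been written by older code, tampered with between steps,
    or priced before a catalog change, so the authoritative total is computed
    here rather than read from the cart.
    """
    authoritative = sum(CATALOG[line["sku"]] * line["qty"] for line in cart)
    if cart_total(cart) != authoritative:
        raise ValueError("cart total does not match catalog pricing")
    return authoritative


# Constructed request: the client sends a price the catalog does not have.
TAMPERED_REQUEST = {"sku": "sku-123", "qty": "2", "price": "0.01"}


def demo():
    """Return the totals each handler produces for the tampered request."""
    vulnerable, hardened = [], []
    add_to_cart_vulnerable(vulnerable, TAMPERED_REQUEST)
    add_to_cart_hardened(hardened, TAMPERED_REQUEST)
    return {"vulnerable_total": cart_total(vulnerable),
            "hardened_total": cart_total(hardened)}


if __name__ == "__main__":
    print(demo())
```

The second check in place_order is the part most often skipped: validating the add-to-cart request is not enough if the stored quote can be edited by another request path before checkout, so the order total is derived from the catalog at the moment the order is placed.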
APPSEC-1270 - Guest order view protection code vulnerable to brute-force attack
Type: Information Disclosure - personal
CVSSv3 Severity: 7.5 (High)
Known Attacks: None
Description: The design of the guest order view protection makes it possible to access guest order information for particular orders. Although an attacker cannot target a specific order or view all orders, they can use it to extract some order information from a store.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Peter O'Callaghan

APPSEC-1539 - Cross-Site Scripting in section loading
Type: Cross-Site Scripting (XSS) - Reflected
CVSSv3 Severity: 7.2 (High)
Known Attacks: None
Description: It is possible to inject malicious JavaScript code when loading the content section of a request. Note: the practical risk is low, because a browser should not execute script from a response served with an incompatible content type.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Support Customer

APPSEC-1433 - Unauthorized removal of customer address
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: It is possible to trick a user into deleting their store address book entries.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Vishwaraj Bhattrai

APPSEC-1338 - Full Page Cache poisoning
Type: Cache Poisoning
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: It is possible to manipulate the full page cache to store incorrect pages under regular page URL entries.
Product(s) Affected: Magento EE prior to 2.0.10/2.1.2
Fixed In: Magento EE 2.0.10/2.1.2
Reporter: Peter O'Callaghan

APPSEC-1329 - Information disclosure in maintenance mode
Type: Information disclosure
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description: When a store is in maintenance mode, it can expose internal files.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Branko Ajzele

APPSEC-1490 - Local file inclusion
Type: Local file inclusion
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description: A user with lesser privileges can store system files in a publicly accessible media folder. These files can be retrieved later by any user.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Subnet

APPSEC-1543 - Removal of currently logged-in administrator
Type: Incorrect escaping/Cross-Site Request Forgery
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: Medium
Description: It is possible to provide a parameter that results in the deletion of the currently logged-in user. If form key functionality is turned off, a malicious user can create a CSRF attack to delete the Admin user.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: TBD

APPSEC-1212 - CSRF delete items from mini cart
Type: Cross-Site Request Forgery
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description: Magento does not validate the form key when deleting items from the mini cart using a GET request. As a result, it is possible to trick a customer into deleting items from their cart using phishing emails or other link-hiding/obfuscation techniques.
Product(s) Affected: Magento CE and EE prior to 2.0.10
Fixed In: Magento CE and EE 2.0.10
Reporter: Internal

APPSEC-1478 - Session does not expire on logout
Type: Insufficient Session Expiration
CVSSv3 Severity: 4.2 (Medium)
Known Attacks: None
Description: Sessions do not expire after logout, making it possible to steal session cookies and access the customer's account. This risk primarily occurs when users share a computer to access the site.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: Mahmoud Osama
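
The following added example (an illustrative Python model, not Magento code; the session store, cookie name and account are constructed) shows why this item matters: a logout that only clears the browser cookie leaves the server-side session alive, so a session id copied earlier, on a shared computer or by cookie theft, still resolves to the logged-in account until the idle timeout eventually fires. The fixed logout destroys the server record first.

```python
"""Logout must invalidate the server-side session (APPSEC-1478).

Added illustrative model, not Magento code. A store maps session ids to
customer records; the browser only holds the id in a cookie. The weak logout
deletes the cookie and nothing else, so a copy of the id taken earlier still
resolves to the account. The fixed logout destroys the record, so every copy
of the old id is dead.
"""
import secrets

COOKIE = "PHPSESSID"  # cookie name used for illustration


class SessionStore:
    def __init__(self, idle_timeout=1800):
        self._records = {}          # sid -> {"customer": ..., "last_seen": ...}
        self.idle_timeout = idle_timeout

    def create(self, customer, now):
        sid = secrets.token_urlsafe(32)      # unguessable, so only leakage matters
        self._records[sid] = {"customer": customer, "last_seen": now}
        return sid

    def resolve(self, sid, now):
        """Return the customer for a live session id, else None."""
        rec = self._records.get(sid)
        if rec is None:
            return None
        if now - rec["last_seen"] > self.idle_timeout:
            self.destroy(sid)                # idle expiry is a backstop, not a logout
            return None
        rec["last_seen"] = now
        return rec["customer"]

    def destroy(self, sid):
        self._records.pop(sid, None)


class Browser:
    def __init__(self):
        self.cookies = {}


def login(store, browser, customer, now):
    browser.cookies[COOKIE] = store.create(customer, now)


def logout_weak(store, browser):
    """Clears the client cookie only; the server still honours the id."""
    browser.cookies.pop(COOKIE, None)


def logout_fixed(store, browser):
    """Destroys the server record first, then clears the cookie."""
    sid = browser.cookies.pop(COOKIE, None)
    if sid is not None:
        store.destroy(sid)


def replay_after_logout(logout):
    """Log in, copy the cookie as an attacker would, log out, replay the copy.

    Returns the customer the replayed id still resolves to, or None if the
    session was really invalidated.
    """
    store, victim = SessionStore(), Browser()
    t0 = 1_000_000.0                        # fixed clock; no real sleeping needed
    login(store, victim, "alice@example.com", t0)
    stolen = victim.cookies[COOKIE]         # captured while the victim was logged in
    logout(store, victim)
    return store.resolve(stolen, t0 + 60)   # one minute later, well inside idle timeout


if __name__ == "__main__":
    print("weak  :", replay_after_logout(logout_weak))
    print("fixed :", replay_after_logout(logout_fixed))
```

Two points carry over to any real deployment: the server-side record is the thing to destroy, and an idle timeout is not a substitute for that, since the window it leaves is exactly the one an attacker on a shared machine uses.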
APPSEC-1481 - Admin users can create backups regardless of privileges
Type: Cross-site request forgery (CSRF)
CVSSv3 Severity: 4.1 (Medium)
Known Attacks: None
Description: Lack of CSRF protection and privilege check allows any Admin user to create a backup of the system. An Admin user can be tricked into clicking on a phishing form that creates a backup, or an Admin user with lesser privileges can access this functionality. This attack has a low risk because creating a backup in itself does not harm the installation.
Product(s) Affected: Magento CE and EE prior to 2.0.10/2.1.2
Fixed In: Magento CE and EE 2.0.10/2.1.2
Reporter: VN-49-D1
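
Four items in this release share one root cause: a state-changing action that the browser's session cookie alone authorises, with no form key (APPSEC-1212 and APPSEC-1433 on the storefront, APPSEC-1543 and APPSEC-1481 in the Admin), and in the backup case no privilege check either. The following added example is an illustrative Python model, not Magento code: the form_key parameter name matches Magento's anti-CSRF token, while the Request and Session objects, the role names and the handlers are constructed stand-ins. It puts the vulnerable handlers beside ones that require POST, a form key bound to the session, and a privilege the user actually holds.

```python
"""Form-key (anti-CSRF) and privilege checks, vulnerable and hardened.

Added illustrative model, not Magento code: Request, Session and the role
names are simplified stand-ins. It shows the pattern behind APPSEC-1212 and
APPSEC-1433 (a state-changing GET with no form-key check) and APPSEC-1481 and
APPSEC-1543 (an admin action with neither a form-key check nor an ACL check),
next to handlers that require POST, a form key bound to the session, and a
privilege the user actually holds.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    user: str
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))
    roles: frozenset = frozenset()
    cart: list = field(default_factory=list)


@dataclass
class Request:
    method: str
    params: dict
    session: Session            # resolved from the cookie the browser sends automatically


def remove_item(session, item):
    """Business logic shared by both cart handlers."""
    if item in session.cart:
        session.cart.remove(item)
        return 200
    return 404


# --- vulnerable: the cookie alone authorises a request that changes state -----------
def delete_cart_item_vulnerable(req):
    return remove_item(req.session, req.params.get("id"))   # any method, no form key


def create_backup_vulnerable(req):
    return 200                  # any admin session, any method, any origin, any role


# --- hardened ------------------------------------------------------------------------
def form_key_ok(req):
    """POST with a form key equal to the one stored in this session."""
    if req.method != "POST":
        return False
    supplied = req.params.get("form_key", "")
    # Constant-time compare so the key cannot be recovered byte by byte.
    return hmac.compare_digest(supplied, req.session.form_key)


def delete_cart_item_hardened(req):
    if not form_key_ok(req):
        return 403
    return remove_item(req.session, req.params.get("id"))


def create_backup_hardened(req, resource="backup"):   # 'backup' is an illustrative ACL resource
    if not form_key_ok(req):
        return 403
    if resource not in req.session.roles:
        return 403              # the privilege check is separate from the CSRF check
    return 200


def scenario():
    """Cross-site GET from an attacker page (which knows no form key), then legitimate POSTs."""
    customer = Session(user="alice", cart=["sku-123"])
    forged = Request("GET", {"id": "sku-123"}, customer)           # attacker cannot read form_key
    r = {}
    r["vuln_forged_delete"] = delete_cart_item_vulnerable(forged)
    customer.cart = ["sku-123"]                                      # reset for the second run
    r["hard_forged_delete"] = delete_cart_item_hardened(forged)
    r["cart_after_hardened"] = list(customer.cart)
    legit = Request("POST", {"id": "sku-123", "form_key": customer.form_key}, customer)
    r["hard_legit_delete"] = delete_cart_item_hardened(legit)

    junior = Session(user="junior", roles=frozenset({"catalog"}))   # no backup privilege
    admin = Session(user="admin", roles=frozenset({"catalog", "backup"}))
    r["vuln_junior_backup"] = create_backup_vulnerable(Request("GET", {}, junior))
    r["hard_junior_backup"] = create_backup_hardened(Request("POST", {"form_key": junior.form_key}, junior))
    r["hard_admin_wrong_key"] = create_backup_hardened(Request("POST", {"form_key": "guess"}, admin))
    r["hard_admin_backup"] = create_backup_hardened(Request("POST", {"form_key": admin.form_key}, admin))
    return r


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name:24} {value}")
```

The hardened handlers have no switch to disable the form-key check, which is the point of the APPSEC-1543 note about form key functionality being turned off, and the backup handler checks the role even after the form key passes, because a correctly authenticated low-privilege admin is the second attacker APPSEC-1481 describes.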

Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online at http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html.