New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

Magento 2.0.14 and 2.1.7 Security Update

May 31, 2017

Magento Enterprise Edition and Community Edition 2.0.14 and 2.1.7 contain multiple security enhancements. More information about these issues is provided below.

Merchants who have not previously downloaded a Magento 2.0 release should go straight to Magento Enterprise Edition or Community Edition 2.1.7.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Enterprise Edition 2.1.7 (New .zip file installations)

Partner Portal > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.1.7

Enterprise Edition 2.0.14 (New .zip file installations)

Partner Portal > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.14

Enterprise Edition 2.1.7 and 2.0.14 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.1.7 and 2.0.14 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Enterprise Edition:

Enterprise Edition 2.1.7 (New .zip file installations)

My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.1.7

Enterprise Edition 2.0.14 (New .zip file installations)

My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.14

Enterprise Edition 2.1.7 and 2.0.14 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.1.7 and 2.0.14 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Community Edition:

Community Edition 2.1.7 and 2.0.14 (New .zip file installations)

Community Edition Download Page > Download Tab

Community Edition 2.1.7 and 2.0.14 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Community Edition 2.1.7 and 2.0.14 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Community Edition 2.1.7 and 2.0.14 (Developers contributing to the CE code base)

https://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

APPSEC-1686: Remote Code Execution in the Admin panel
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: Store administrators with access to CMS functionality can remotely execute code.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7, Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: Magento CE and EE 2.0.14/2.1.7, CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Fabain

APPSEC-1626: RCE in video upload
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: The video upload functionality in the admin panel allows an attacker with admin access to scan the internal network for open ports and servers and, in some configurations, to upload executable PHP files.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: anishnath/bosko

APPSEC-1746: Zend Mail vulnerability - continued
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.1 (High)
Known Attacks: None
Description: The vulnerability was fixed in version 2.0.12/2.1.4, but a use case was discovered that could be used to bypass the implemented protection. The issue is not directly exploitable in Magento 2.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1565: Customer password hash exposed in admin
Type: Information Leak
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description: When editing customer information in the admin panel, the customer's password hash is leaked to the page.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1559: Possible remote code execution in email reminders
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Known Attacks: None
Description: It is possible to instantiate objects in parts of the email reminder functionality. While no exploit of this issue is known, it can lead to remote code execution for authorized admins.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1752: Stored XSS in admin panel
Type: Cross-Site Scripting (XSS, Stored)
CVSSv3 Severity: 8.0 (High)
Known Attacks: None
Description: Customer information entered in the admin panel is not properly escaped. This allows lower-level admins to possibly attack other administrators. To exploit this issue, admin access is required.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1699: API tokens not invalidated after disabling admin user
Type: Access Control
CVSSv3 Severity: 6.8 (Medium)
Known Attacks: None
Description: API tokens are not invalidated after disabling the admin user, which can lead to continued attacks or unauthorized actions.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

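Added illustration of the token-lifecycle defect described in APPSEC-1699 (example code, not Magento's own implementation): a hypothetical PHP token store in which every validation re-checks the owning admin account's enabled flag and disabling the account revokes its outstanding tokens. The class and method names are invented for this example.

```php
<?php
// Illustrative token store (hypothetical, not Magento's implementation) for the
// bug class in APPSEC-1699: every token check re-reads the owning account's
// enabled flag, and disabling an account revokes all of its tokens.
final class AdminTokenStore
{
    /** @var array<string, string> SHA-256 of token => owning user id */
    private array $tokens = [];

    /** @param array<string, bool> $users user id => enabled flag */
    public function __construct(private array $users) {}

    /** Issue a random token; only its hash is kept server-side. */
    public function issueToken(string $userId): string
    {
        if (!($this->users[$userId] ?? false)) {
            throw new RuntimeException('no token for an unknown or disabled user');
        }
        $token = bin2hex(random_bytes(32));
        $this->tokens[hash('sha256', $token)] = $userId;
        return $token;
    }

    /** Owning user id, or null when the token is unknown or its user is disabled. */
    public function validateToken(string $token): ?string
    {
        $userId = $this->tokens[hash('sha256', $token)] ?? null;
        // The account's current status gates every request, not only issuance.
        if ($userId === null || !($this->users[$userId] ?? false)) {
            return null;
        }
        return $userId;
    }

    /** Disable the account and revoke every token issued to it; returns the count. */
    public function disableUser(string $userId): int
    {
        $this->users[$userId] = false;
        $before = count($this->tokens);
        $this->tokens = array_filter($this->tokens, fn ($owner) => $owner !== $userId);
        return $before - count($this->tokens);
    }
}

$store = new AdminTokenStore(['admin-2' => true]); // constructed sample account
$token = $store->issueToken('admin-2');
var_dump($store->validateToken($token)); // check while the account is enabled
$store->disableUser('admin-2');
var_dump($store->validateToken($token)); // check again after disabling the account
```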
APPSEC-1632: Password shown in action log (EE only)
Type: Information Leak
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: Some actions performed by store administrators might generate an admin action log entry that includes the administrator password in plain text. This issue only affects Magento Enterprise Edition.
Product(s) Affected: Magento EE prior to 2.0.14/2.1.7
Fixed In: Magento EE 2.0.14/2.1.7
Reporter: Kotosy

APPSEC-1663: Mass actions do not follow ACL
Type: Access Control/Privilege Escalation
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: Some mass actions do not check for permissions, allowing low-level administrators to perform unauthorized actions.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1661: UI controllers do not follow ACL
Type: Access Control/Privilege Escalation
CVSSv3 Severity: 6.5 (Medium)
Known Attacks: None
Description: Some UI controllers do not check ACL properly, allowing low-level administrators to extract data they are not authorized to see.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1679: APIs vulnerable to CSRF
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description: Some customer-authenticated APIs are vulnerable to CSRF, allowing phishing attacks.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1610: Custom admin path disclosure
Type: Information Leak
CVSSv3 Severity: 5.3 (Low)
Known Attacks: None
Description: The Payments module can disclose the custom admin path location. While not a security exploit in itself, this can make it easier to perform password guessing and other attacks.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: MBarry

APPSEC-1666: Information leak
Type: Information Leak
CVSSv3 Severity: 4.3 (Medium)
Known Attacks: None
Description: Some responses returned by AJAX calls in the admin panel contain unnecessary configuration information that might expose sensitive system information.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7
Fixed In: Magento CE and EE 2.0.14/2.1.7
Reporter: Internal

APPSEC-1659: Vulnerabilities in JavaScript libraries
Type: Misc Vulnerabilities
CVSSv3 Severity: 0 (None)
Known Attacks: None
Description: Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we've updated the JavaScript libraries in question to the latest versions.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7, Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: Magento CE and EE 2.0.14/2.1.7, CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal

APPSEC-1622: Incorrect routing of requests
Type: Abuse of Functionality
CVSSv3 Severity: 0 (None)
Known Attacks: None
Description: Incorrect request routing can enable the bypassing of web server protections, which in turn provides potentially malicious users access to the server.
Product(s) Affected: Magento CE and EE prior to 2.0.14/2.1.7, Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Fixed In: Magento CE and EE 2.0.14/2.1.7, CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
Reporter: Internal

Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online at http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html.