Magento 2.0.4 Security Update

March 31, 2016

Magento Enterprise Edition and Community Edition 2.0.4 are now available.

We have replaced Magento Enterprise Edition and Community Edition 2.0.3 with Magento Enterprise Edition and Community Edition 2.0.4 to address a packaging issue. The new release includes all of the security enhancements and performance improvements of the 2.0.3 release. You must download and install Magento Enterprise Edition or Community Edition 2.0.4 to ensure that you receive all security enhancements.

Magento Enterprise Edition and Community Edition 2.0.4 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below.

Merchants who have not previously downloaded a Magento 2.0 release should go straight to Magento Enterprise Edition or Community Edition 2.0.4.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the release, choose from the following options:

  • Partners:

    Enterprise Edition 2.0.4 (New .zip file installations)
    Partner Portal > My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.4

    Enterprise Edition 2.0.4 (New composer installations)
    http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

    Enterprise Edition 2.0.4 (Composer upgrades)
    http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

  • Enterprise Edition:

    Enterprise Edition 2.0.4 (New .zip file installations)
    My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.4

    Enterprise Edition 2.0.4 (New composer installations)
    http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

    Enterprise Edition 2.0.4 (Composer upgrades)
    http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

  • Community Edition:

    Community Edition 2.0.4 (New .zip file installations)
    Community Edition Download Page > Download Tab

    Community Edition 2.0.4 (New composer installations)
    http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

    Community Edition 2.0.4 (Composer upgrades)
    http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

    Community Edition 2.0.4 (Developers contributing to the CE code base)
    http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

APPSEC-1263 - Server-side cross-site scripting via user name
Type: Cross-Site Scripting (Stored)
CVSSv3 Severity: 9.3 (Critical)
Known Attacks: None
Description:

During customer registration on the storefront, a malicious user can provide a user name that contains JavaScript code. Magento does not properly validate this name, and the JavaScript can be executed in Admin context when an administrator adds the user in the backend or runs a Reviews report. This code can steal the Administrator session or act on behalf of the store administrator. This issue was partially fixed in Magento CE and EE 2.0.1, but additional cases were discovered and fixed.

Product(s) Affected: Magento CE and EE prior to 2.0.4
Fixed In: Magento CE and EE 2.0.4
Reporter: Patrick McManaman

APPSEC-1379 - Reflected cross-site scripting in Authorize.net module
Type: Cross-Site Scripting (Reflected)
CVSSv3 Severity: 7.4 (High)
Known Attacks: None
Description:

Several parameters in the Authorize.net payment module are vulnerable to reflected Cross-Site Scripting (XSS) attacks. Existing protection against such malicious parameters is not enough to stop all types of attacks.

Product(s) Affected: Magento CE and EE prior to 2.0.4
Fixed In: Magento CE and EE 2.0.4
Reporter: Matthew Barry

APPSEC-1337 - Arbitrary PHP code execution using language packs
Type: Remote code execution
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

If an attacker can trick a user into installing a malicious language package or has access to an installed language package, he can remotely deploy an attack when the language-package code is executed.

Product(s) Affected: Magento CE and EE prior to 2.0.4
Fixed In: Magento CE and EE 2.0.4
Reporter: https://github.com/scholtz

APPSEC-1377 - API token access vulnerable to brute force attacks
Type: Brute Force / Insufficient Anti-automation
CVSSv3 Severity: 5.9 (Medium)
Known Attacks: None
Description:

The Admin and Customer Token APIs do not set a limit for password guesses. This lack of limit creates an opportunity for brute force attempts to guess passwords, access Admin accounts, and Admin and Customer Token API credentials.

Product(s) Affected: Magento CE and EE prior to 2.0.4
Fixed In: Magento CE and EE 2.0.4
Reporter: https://github.com/PaulBoss

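Until an instance is on 2.0.4, the only visibility into guessing against the token APIs is the web server log. The following is an added detection example, not code from Magento or from this advisory: it scans combined-format access log lines for clients that exceed a threshold of rejected POSTs to the admin and customer token endpoints inside a sliding window. The log format, the sample lines and the assumption that a rejected token request is logged with status 401 are all constructed here; adjust them to what your own server records.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Magento 2 REST endpoints that issue admin and customer tokens (APPSEC-1377).
TOKEN_ENDPOINTS = ("/rest/V1/integration/admin/token",
                   "/rest/V1/integration/customer/token")
# Combined access-log format; that a rejected token request is a 401 is an assumption.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line, skipped by the caller
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_token_bruteforce(lines, max_failures=5, window=timedelta(minutes=5)):
    """Map client IP -> total rejected token requests, for clients exceeding
    max_failures rejections inside any sliding window of the given length."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        # Only rejected POSTs to a token endpoint count as a password guess.
        if method == "POST" and path.split("?")[0] in TOKEN_ENDPOINTS and status == 401:
            failures[ip].append(ts)
    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > max_failures:
                flagged[ip] = len(stamps)
                break
    return flagged

# Constructed sample: one client fires six guesses at the admin token API in a
# minute; another fails once, then signs in successfully.
SAMPLE_LOG = [
    f'203.0.113.5 - - [31/Mar/2016:10:00:{s:02d} +0000] '
    f'"POST /rest/V1/integration/admin/token HTTP/1.1" 401 63' for s in range(0, 60, 10)
] + [
    '198.51.100.7 - - [31/Mar/2016:10:01:00 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 401 63',
    '198.51.100.7 - - [31/Mar/2016:10:01:09 +0000] "POST /rest/V1/integration/customer/token HTTP/1.1" 200 34',
]
```

Running `find_token_bruteforce(SAMPLE_LOG)` on the constructed sample flags only 203.0.113.5; the threshold and window are the knobs to tune against your normal login volume.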
APPSEC-1378 - Web API allows anonymous access
Type: Information disclosure
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

Magento Web APIs allowed anonymous users to access information that a merchant might not want to expose, including information about products, promotions, and storefronts. This fix changes the access permissions so that most APIs, other than those required for guest checkout and AJAX add-to-cart functionality, do not allow anonymous access by default. However, you can configure the web APIs to revert to their previous behavior.

Product(s) Affected: Magento CE and EE prior to 2.0.4
Fixed In: Magento CE and EE 2.0.4
Reporter: https://github.com/spotlerbob

APPSEC-1303 - Weak encryption keys when generated from Manage Encryption Keys page
Type: Insufficient Data Protection
CVSSv3 Severity: 5.3 (Medium)
Known Attacks: None
Description:

Encryption keys that are generated in System > Manage Encryption Key are very weak; an attacker can easily recover them if he can access encrypted content. Encryption keys generated during installation are strong.

Product(s) Affected: Magento CE and EE prior to 2.0.4
Fixed In: Magento CE and EE 2.0.4
Reporter: Jan Moritz Lindemann

Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online.