
Magento 2.0.6 Security Update

May 17, 2016

by: Piotr Kaminski,
Magento Security Team

Magento Enterprise Edition and Community Edition 2.0.6 are now available.

Magento Enterprise Edition and Community Edition 2.0.6 contain multiple security and functional enhancements. You can find more details about the vulnerabilities addressed below.

Merchants who have not previously downloaded a Magento 2.0 release should go straight to Magento Enterprise Edition or Community Edition 2.0.6.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the release, choose from the following options:

  • Partners:

Enterprise Edition 2.0.6 (New .zip file installations)

Partner Portal > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.6

Enterprise Edition 2.0.6 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.0.6 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

  • Enterprise Edition:

Enterprise Edition 2.0.6 (New .zip file installations)

My Account > Downloads > Magento Enterprise Edition 2.X > Magento Enterprise Edition 2.x Release > Version 2.0.6

Enterprise Edition 2.0.6 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Enterprise Edition 2.0.6 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

  • Community Edition:

Community Edition 2.0.6 (New .zip file installations)

Community Edition Download Page > Download Tab


Community Edition 2.0.6 (New composer installations)

http://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Community Edition 2.0.6 (Composer upgrades)

http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Community Edition 2.0.6 (Developers contributing to the CE code base)

http://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

APPSEC-1420 - Unauthenticated remote code execution via API
Type:Remote Code Execution (RCE)
CVSSv3 Severity:9.8 (Critical)
Known Attacks:None
Description:

Magento no longer permits an unauthenticated user to remotely execute code on the server through APIs. Previously, an unauthenticated user could remotely execute PHP code on the server using either REST or SOAP APIs. (These APIs are enabled by default in most installations.)

Product(s) Affected:Magento CE and EE prior to 2.0.6
Fixed In:Magento CE and EE 2.0.6
Reporter:Netanel Rubin
APPSEC-1421 - Unauthenticated reinstallation leading to remote code execution
Type:Remote Code Execution (RCE)
CVSSv3 Severity:9.8 (Critical)
Known Attacks:None
Description:

The Magento installation code is no longer accessible once the installation process has completed. Previously, an unauthenticated user or a user with minimal permissions could execute PHP code on the server, because the installation process leaves the /app/etc directory writable and many administrators did not change the permissions on this directory after installation. (During installation, the system requires the /app/etc directory to be writable.)


Product(s) Affected:Magento CE and EE prior to 2.0.6
Fixed In:Magento CE and EE 2.0.6
Reporter:Netanel Rubin
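The script below is an added example, not Magento code. It audits the second half of the condition described above on an installed tree: after installation, nothing under app/etc should remain group- or world-writable, and lock_down() clears any write bits the installer left behind. It assumes the standard Magento 2 layout with configuration under app/etc; the sample tree built by demo() is constructed for the demonstration. Upgrading to 2.0.6 removes the exposed installer; this check is the compensating control for the writable directory on any host.

```python
"""Post-install permission audit for a Magento 2 tree (added example, not Magento code).

Walks app/etc and reports every entry that is group- or world-writable, the
condition the installer leaves behind and that the advisory says many
administrators never reverted. lock_down() clears those bits.
Assumption: the standard Magento 2 layout with configuration under app/etc.
"""
from __future__ import annotations

import os
import stat
import tempfile
from pathlib import Path

# Paths the installer needs writable and that should be locked once it is done.
INSTALL_ONLY_WRITABLE = ("app/etc",)
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def writable_by_others(path: Path) -> bool:
    """True if the group or world write bit is set (symlinks are not followed)."""
    return bool(path.lstat().st_mode & OTHERS_WRITE)


def audit_permissions(magento_root: str) -> list[str]:
    """Relative paths under app/etc that are still group- or world-writable.

    An empty list means the post-install lockdown has been applied.
    """
    root = Path(magento_root)
    findings = []
    for rel in INSTALL_ONLY_WRITABLE:
        top = root / rel
        if not top.exists():
            continue
        for path in [top, *top.rglob("*")]:
            if not path.is_symlink() and writable_by_others(path):
                findings.append(str(path.relative_to(root)))
    return sorted(findings)


def lock_down(magento_root: str) -> list[str]:
    """Clear group/world write bits on every finding; returns the paths changed.

    Read bits are left alone, so the web server can still read env.php/config.php.
    """
    root = Path(magento_root)
    changed = []
    for rel in audit_permissions(magento_root):
        path = root / rel
        mode = stat.S_IMODE(path.lstat().st_mode)
        os.chmod(path, mode & ~OTHERS_WRITE)
        changed.append(rel)
    return changed


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: an install that left app/etc and env.php writable by all.

    Returns the findings before and after lock_down().
    """
    root = tempfile.mkdtemp(prefix="magento-audit-")
    etc = Path(root, "app", "etc")
    etc.mkdir(parents=True)
    (etc / "env.php").write_text("<?php return ['db' => ['connection' => []]];\n")
    (etc / "config.php").write_text("<?php return ['modules' => []];\n")
    os.chmod(etc, 0o777)                  # left over from installation
    os.chmod(etc / "env.php", 0o666)      # database credentials live here
    os.chmod(etc / "config.php", 0o644)   # already correct; must not be reported
    before = audit_permissions(root)
    lock_down(root)
    after = audit_permissions(root)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run audit_permissions() against the deployment root of a live store; anything it lists should be fixed and the store's other installer-time writable paths reviewed the same way.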
APPSEC-1422 - Customer account takeover
Type:Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity:7.5 (High)
Known Attacks:None
Description:

Magento no longer allows authenticated customers to change other customers' account information using either SOAP or REST calls. Magento now confirms that the ID of the customer whose account is being edited matches the authentication token in use. Previously, a malicious user could hijack a customer account by logging in as an authenticated user, then editing the account of any other user. (The SOAP and REST APIs are enabled by default in most installations.)

Product(s) Affected:Magento CE and EE prior to 2.0.6
Fixed In:Magento CE and EE 2.0.6
Reporter:Netanel Rubin
APPSEC-1410 - Reflected cross-site scripting in Authorize.net module
Type:Cross-site scripting (Reflected)
CVSSv3 Severity:7.4 (High)
Known Attacks:None
Description:

Several parameters in the Authorize.net payment module are vulnerable to reflected Cross-Site Scripting (XSS) attacks. Existing protection against such malicious parameters is not enough to stop all types of attacks.

Product(s) Affected:Magento CE and EE prior to 2.0.6
Fixed In:Magento CE and EE 2.0.6
Reporter:Matthew Barry
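The block below is an added example, not Magento code, and not the Authorize.net module's own template or filter (neither is on this page). It models the point made above: a partial protection such as stripping script tags is not enough, because a reflected value that lands in element text or in an attribute can introduce a new tag or a new attribute without ever using a script tag. injected_names() parses the rendered page and reports anything the template did not emit. The template, the parameter name and the payloads are constructed for the demonstration.

```python
"""Why tag-stripping is not an XSS defence (added example, not Magento code).

render_error_filtered() models a partial protection, a filter that removes
<script> tags; render_error_escaped() the correct fix, escaping for the HTML
context the value lands in. injected_names() parses the rendered page and
reports any tag or attribute the template did not put there. The template,
parameter name and payloads are constructed for the demonstration.
"""
from __future__ import annotations

import html
import re
from html.parser import HTMLParser

# What the template itself emits; anything else came from the reflected value.
TEMPLATE_ATTRS = {"p": {"class"}, "input": {"type", "name", "value"}}


def strip_script_tags(value: str) -> str:
    """The insufficient 'before' filter: removes <script> tags and nothing else."""
    return re.sub(r"(?i)</?script[^>]*>", "", value)


def render(reason: str) -> str:
    """Reflects the value into element text and into a quoted attribute."""
    return (f'<p class="message">Payment declined: {reason}</p>\n'
            f'<input type="hidden" name="reason" value="{reason}">')


def render_error_filtered(reason: str) -> str:
    return render(strip_script_tags(reason))


def render_error_escaped(reason: str) -> str:
    # quote=True also escapes " and ', which is what protects the attribute context.
    return render(html.escape(reason, quote=True))


class TagCollector(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.seen: list[tuple[str, dict]] = []

    def handle_starttag(self, tag, attrs):
        self.seen.append((tag, dict(attrs)))

    handle_startendtag = handle_starttag


def injected_names(markup: str) -> set[str]:
    """Tag and attribute names in markup that the template did not emit."""
    collector = TagCollector()
    collector.feed(markup)
    collector.close()
    extras: set[str] = set()
    for tag, attrs in collector.seen:
        if tag not in TEMPLATE_ATTRS:
            extras.add(tag)
        else:
            extras.update(set(attrs) - TEMPLATE_ATTRS[tag])
    return extras
```

The same reflected value needs a different encoder for each context (element text, quoted attribute, URL, JavaScript string); the escaped variant here covers the two contexts the constructed template uses, which is the decision a filter on the input side cannot make.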
APPSEC-1408 - Data privacy issues in APIs
Type:Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity:5.3 (Medium)
Known Attacks:None
Description:

Anonymous users can no longer retrieve the private data of registered customers. To prevent malicious attacks of this type, the quote_id_mask table of the Quote API no longer includes a cart_id_mask value.

Only a registered customer can assign a guest cart to their own account. Previously, an anonymous user could modify the state (that is, set an active quote) of a registered customer.

Product(s) Affected:Magento CE and EE prior to 2.0.6
Fixed In:Magento CE and EE 2.0.6
Reporter:Magento Community
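The block below is an added example, not Magento code, covering both the customer account takeover (APPSEC-1422) and the guest cart assignment issue in this entry (APPSEC-1408). It is a minimal in-memory model of the two operations in which the customer acted on is always derived from the bearer token; an ID supplied by the client is only ever compared against it, never used as the target. The vulnerable variant of the customer update is kept beside the fixed one to show the missing check. Tokens, customer IDs and cart data are constructed for the demonstration.

```python
"""Binding write operations to the authenticated customer (added example, not Magento code).

Models the two API behaviours the advisory describes: editing a customer
record (APPSEC-1422) and attaching a guest cart to a customer (APPSEC-1408).
The customer acted on is derived from the bearer token; a client-supplied ID
is only compared against it. Tokens, IDs and cart data are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


class Unauthorized(Exception):
    """No valid token: the caller is anonymous."""


class Forbidden(Exception):
    """Valid token, but the caller does not own the target resource."""


@dataclass
class Store:
    customers: dict[int, dict]
    tokens: dict[str, int]      # opaque bearer token -> customer ID
    carts: dict[str, dict]      # guest carts keyed by their masked ID


def sample_store() -> Store:
    """Constructed data: two registered customers, their tokens, one guest cart."""
    return Store(
        customers={1: {"email": "alice@example.com", "active_quote": None},
                   2: {"email": "bob@example.com", "active_quote": None}},
        tokens={"tok-alice": 1, "tok-bob": 2},
        carts={"guest-cart-9f2": {"items": ["sku-1"], "customer_id": None}},
    )


def principal(store: Store, token: str | None) -> int:
    """Customer ID behind the token. Fails closed on a missing or unknown token."""
    try:
        return store.tokens[token]
    except KeyError:
        raise Unauthorized("missing or invalid token") from None


def update_customer_vulnerable(store, token, customer_id, new_email):
    """'Before': the caller is authenticated, but the target ID from the request
    is trusted as-is, so any logged-in customer can edit any other."""
    principal(store, token)
    store.customers[customer_id]["email"] = new_email
    return store.customers[customer_id]["email"]


def update_customer(store, token, customer_id, new_email):
    """'After': the ID in the request must match the ID behind the token."""
    caller = principal(store, token)
    if caller != customer_id:
        raise Forbidden(f"customer {caller} may not modify customer {customer_id}")
    store.customers[customer_id]["email"] = new_email
    return store.customers[customer_id]["email"]


def assign_guest_cart(store, token, cart_id):
    """Attach a guest cart to the caller only. There is deliberately no
    customer_id parameter: an anonymous caller cannot name a registered
    customer whose active quote should change."""
    caller = principal(store, token)
    cart = store.carts[cart_id]
    if cart["customer_id"] is not None:
        raise Forbidden("cart already belongs to a customer")
    cart["customer_id"] = caller
    store.customers[caller]["active_quote"] = cart_id
    return caller


def outcome(fn):
    """Run fn and report either ('ok', result) or (exception name, message)."""
    try:
        return "ok", fn()
    except (Unauthorized, Forbidden) as exc:
        return type(exc).__name__, str(exc)


def demo() -> dict[str, tuple]:
    """Bob (tok-bob) attacks Alice (ID 1); an anonymous caller tries the cart."""
    s = sample_store()
    return {
        "before_cross_account": outcome(lambda: update_customer_vulnerable(s, "tok-bob", 1, "bob@evil.example")),
        "after_cross_account": outcome(lambda: update_customer(s, "tok-bob", 1, "bob@evil.example")),
        "after_own_account": outcome(lambda: update_customer(s, "tok-alice", 1, "alice+new@example.com")),
        "anonymous_cart": outcome(lambda: assign_guest_cart(s, None, "guest-cart-9f2")),
        "own_cart": outcome(lambda: assign_guest_cart(s, "tok-alice", "guest-cart-9f2")),
    }
```

The design point is the signature of assign_guest_cart(): the only way to say which customer receives the cart is to hold that customer's token, so the class of request the advisory describes (an anonymous caller naming a registered customer) cannot be expressed at all.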
APPSEC-1389 - Application information disclosure
Type:Information disclosure (Internal)
CVSSv3 Severity:5.3 (Medium)
Known Attacks:None
Description:

Application error messages no longer include the path to the file where the error occurred. Previously, when an unhandled exception occurred, Magento would display an error message that could disclose sensitive information such as the location of the file that produced the unhandled exception. A malicious user could use this information to launch attacks against the application.

Product(s) Affected:Magento CE and EE prior to 2.0.6
Fixed In:Magento CE and EE 2.0.6
Reporter:Internal
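The block below is an added example, not Magento code. handle_request_verbose() shows the behaviour described above, an unhandled exception rendered to the client together with its traceback, file names and line numbers; handle_request() logs that detail server-side under a random incident ID and returns only a generic message plus the ID, so support staff can still find the full record. The failing handler and the path it names are constructed for the demonstration.

```python
"""Unhandled-exception responses without file paths (added example, not Magento code).

handle_request_verbose() renders the exception and traceback to the client;
handle_request() logs the detail under an incident ID and returns a generic
message. The failing handler and its path are constructed.
"""
from __future__ import annotations

import logging
import secrets
import traceback

log = logging.getLogger("app.errors")

GENERIC_MESSAGE = "An internal error occurred. Please quote the incident ID when contacting support."


def handle_request_verbose(handler, *args) -> tuple[int, dict]:
    """'Before': exception text and traceback go straight to the client."""
    try:
        return 200, handler(*args)
    except Exception as exc:
        return 500, {"message": str(exc), "trace": traceback.format_exc()}


def handle_request(handler, *args, incident_log: list | None = None) -> tuple[int, dict]:
    """'After': full detail is logged; the client sees a generic message and an ID.

    incident_log, when given, also receives (incident_id, detail) so callers
    and tests can confirm nothing was lost on the server side.
    """
    try:
        return 200, handler(*args)
    except Exception as exc:
        incident_id = secrets.token_hex(8)
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("incident=%s\n%s", incident_id, detail)
        if incident_log is not None:
            incident_log.append((incident_id, detail))
        return 500, {"message": GENERIC_MESSAGE, "incident_id": incident_id}


# Constructed handler that fails the way a misconfigured deployment might.
CONFIG_PATH = "/var/www/html/app/etc/env.php"


def load_config(path: str = CONFIG_PATH) -> dict:
    raise FileNotFoundError(f"cannot read configuration file {path}")


def leaks_path(body: dict) -> bool:
    """True if any value in the client response contains a server-side path or a traceback frame."""
    return any(CONFIG_PATH in str(v) or 'File "' in str(v) for v in body.values())
```

The incident ID is the part that makes this workable in operations: the user-facing text carries nothing about the server, and the log line carrying the same ID holds everything the developer needs.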

Be sure to implement and test the new version in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing a new release is available online (http://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html).