New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

MAGENTO 2.2.1, 2.1.10 AND 2.0.17 SECURITY UPDATE

November 7, 2017

Magento Commerce and Open Source 2.2.1, 2.1.10 and 2.0.17 contain multiple security enhancements that help close Cross-Site Scripting (XSS), Local File Inclusion (LFI), authenticated Admin user remote code execution (RCE) and Arbitrary File Delete vulnerabilities. Every issue listed below requires an authenticated Admin account; limiting who can reach the Admin panel reduces exposure but is not a substitute for installing the update.

Merchants who have not previously downloaded a Magento 2 release should go straight to Magento Commerce or Open Source 2.2.1. To confirm which release branch an existing installation is on, run `php bin/magento --version` from the Magento root; the reported version tells you whether 2.0.17, 2.1.10 or 2.2.1 is the update you need.

Please refer to Security Best Practices for additional information on how to secure your site.

To download the releases, choose from the following options:

Partners:

Magento Commerce 2.2.1 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.1

Magento Commerce 2.1.10 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.10

Magento Commerce 2.0.17 (New .zip file installations)

Partner Portal > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.17

Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Magento Commerce:

Magento Commerce 2.2.1 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.2.1

Magento Commerce 2.1.10 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.1.10

Magento Commerce 2.0.17 (New .zip file installations)

My Account > Downloads > Magento Commerce 2.X > Magento Commerce 2.x Release > Version 2.0.17

Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Magento Commerce 2.2.1, 2.1.10 and 2.0.17 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source:

Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (New .zip file installations)

Magento Open Source Download Page > Download Tab

Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (New composer installations)

https://devdocs.magento.com/guides/v2.0/install-gde/prereq/integrator_install.html

Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (Composer upgrades)

https://devdocs.magento.com/guides/v2.0/comp-mgr/bk-compman-upgrade-guide.html

Magento Open Source 2.2.1, 2.1.10 and 2.0.17 (Developers contributing to the Open Source code base)

https://devdocs.magento.com/guides/v2.0/install-gde/install/cli/dev_options.html

APPSEC-1325: Stored XSS in Billing Agreements
Type: Cross-Site Scripting (XSS, stored)
CVSSv3 Severity: 5.5 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can create Billing Agreements with embedded cross-site scripting elements that subsequently lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: pocallaghan

APPSEC-1825: PHP Object Injection in E-mail templates leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert malicious code in e-mail templates, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: jazzy2fives

APPSEC-1830: PHP Object Injection in product attributes leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert injectable code in product attributes, potentially leading to arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: fabian

APPSEC-1861: PHP Object Injection in product entries leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert injectable code in promo fields, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.7, Magento Commerce prior to 1.14.3.7, Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento Open Source 1.9.3.7, Magento Commerce 1.14.3.7, SUPEE-10415, Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: fabian

APPSEC-1881: PHP Object Injection in Downloadable Products leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 7.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can create a downloadable product containing an injected PHP object, creating an opportunity for arbitrary code execution.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: mortis

APPSEC-1893: PHP Object Injection in product metadata leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert injectable code in the swatches feature, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: convenient

APPSEC-1900: Remote Code Execution by leveraging 1st stage unsanitized form input
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can create a store website whose unsanitized form input is subsequently accepted and executed, leading to arbitrary remote code execution.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: magecraze

APPSEC-1910: Local File Inclusion (LFI) in Import History
Type: Local File Inclusion + Potential RCE
CVSSv3 Severity: 6.1 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can use the Import History section to delete critical system control files and subsequently escalate privileges.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10, Magento 2.2 prior to 2.2.1
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: magecraze

APPSEC-1930: PHP Object Injection in Widgets leading to Remote Code Execution
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert a widget block containing malicious code, creating an opportunity for arbitrary remote code execution.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: mortis

APPSEC-1931: PHP Object Injection in Zend Framework leading to Arbitrary File Deletion
Type: Arbitrary File Delete
CVSSv3 Severity: 7.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can inject malicious code that causes sensitive files to be deleted. A second-stage payload could then lead to arbitrary remote code execution.

Product(s) Affected: Magento 2.0 prior to 2.0.17, Magento 2.1 prior to 2.1.10
Fixed In: Magento 2.0.17, Magento 2.1.10, Magento 2.2.1
Reporter: mortis
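Seven of the entries above (APPSEC-1825, 1830, 1861, 1881, 1893, 1930 and 1931) share one root cause: data that a low-privileged Admin user can write into a stored field is later passed through PHP's unserialize(). The example below is added here to illustrate that mechanism and its fix; it is not Magento or Zend Framework code and says nothing about which Magento code path was affected. The class name TempFileCleanup, the function names and the scratch file are hypothetical, and the payload is constructed for the demonstration. It needs PHP 7.4 or later.

```php
<?php
// Added example, not Magento code: how PHP object injection becomes
// arbitrary file deletion, and the hardened alternative.
// TempFileCleanup, loadSettings* and the scratch file are hypothetical.

declare(strict_types=1);

// A "gadget": any class the application can already autoload whose magic
// method does something dangerous with attacker-controlled properties.
// Frameworks routinely ship such classes (a destructor that removes a
// temporary file, for instance). The attacker never uploads this class;
// the payload only names it and sets its properties.
final class TempFileCleanup
{
    public string $path = '';

    public function __destruct()
    {
        // Runs as soon as the object is released, i.e. right after unserialize()
        if ($this->path !== '' && is_file($this->path)) {
            unlink($this->path);
        }
    }
}

// Vulnerable pattern: a field an Admin user with limited privileges can set
// (template, attribute, widget parameters) is stored serialized and later
// restored with an unrestricted unserialize().
function loadSettingsVulnerable(string $stored)
{
    return unserialize($stored);
}

// Hardened pattern (PHP 7.0+): forbid object instantiation entirely. Any
// class named in the payload becomes __PHP_Incomplete_Class and no magic
// method ever runs. Scalars and arrays still round-trip normally.
function loadSettingsHardened(string $stored)
{
    return unserialize($stored, ['allowed_classes' => false]);
}

// Better still for new code: store such data as JSON, which has no notion
// of objects with behaviour at all.
function loadSettingsJson(string $stored): array
{
    return json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
}

// Demonstration with a constructed payload aimed at a scratch file.
$victim = sys_get_temp_dir() . '/poi-demo-' . getmypid() . '.txt';
file_put_contents($victim, 'config');

// What an attacker would type into the text field: a serialized
// TempFileCleanup whose path property points at the file to remove.
$payload = sprintf(
    'O:15:"TempFileCleanup":1:{s:4:"path";s:%d:"%s";}',
    strlen($victim),
    $victim
);

loadSettingsHardened($payload);   // no object is instantiated
echo 'after hardened load: ', is_file($victim) ? "file still present\n" : "file deleted\n";

loadSettingsVulnerable($payload); // destructor fires when the result is discarded
echo 'after vulnerable load: ', is_file($victim) ? "file still present\n" : "file deleted\n";
```

Run it with `php` from the command line: the hardened call leaves the scratch file in place, the vulnerable call removes it, even though the script never calls unlink() directly on attacker input. That is the shape of APPSEC-1931 (a destructor in framework code deleting a file of the attacker's choosing) and, with a gadget that evaluates or includes its properties instead of unlinking them, of the RCE entries. The `allowed_classes` option is the minimal fix when serialized storage cannot be replaced; restricting who can edit the affected fields reduces exposure but does not remove the bug.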