New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-10570

February 27, 2018

SUPEE-10570, Magento Commerce 1.14.3.8 and Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), and other issues. These releases also include small functional fixes listed in the release notes.

NOTE:

Magento was recently informed about an issue with both patch SUPEE-10570 and Magento versions 1.9.3.8/1.14.3.8 that could result in the inability of customers to complete checkout when trying to register during checkout. Magento is now providing an updated patch (SUPEE-10570v2) that no longer causes this issue. Note, however, that this new patch no longer protects against two low risk session handling-related security issues that patch SUPEE-10570 protected against.

If you have not yet applied SUPEE-10570v1, do not apply it, but instead patch your store with SUPEE-10570v2. If you have already applied SUPEE-10570v1, please first uninstall SUPEE-10570v1, then install SUPEE-10570v2. All stores should be patched with SUPEE-10570v2 as Magento will use this patch as a base for future patch versions.

Note:

If the patch fails to apply while patching lib/Zend/Mail/Transport/Sendmail.php, it might mean your Magento installation was previously patched with SUPEE-9652v1 instead of SUPEE-9652v2. The recommended solution is to revert patch SUPEE-9652v1 and apply SUPEE-9652v2 prior to applying SUPEE-10570.
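The two notes above make the install order depend on what is already recorded in the store's patch history. The POSIX shell script below is an added example, not Magento's own tooling: it assumes app/etc/applied.patches.list holds one pipe-separated record per patch action with a "| REVERT |" marker on reverts (the sample records are constructed, with placeholder checksums), and the function names patch_state and supee_10570_plan are this example's own. It prints which of the advisory's steps (revert SUPEE-9652v1, apply SUPEE-9652v2, uninstall SUPEE-10570v1, apply SUPEE-10570v2) still apply to that history.

```shell
#!/bin/sh
# Added example (not Magento's own tooling): work out which SUPEE-9652 /
# SUPEE-10570 steps from the advisory a Magento 1 store still needs.
# Assumption: applied.patches.list has one '|'-separated record per patch
# action, "| REVERT |" on reverts, newest record wins. Verify on your file.

# Latest state of one patch name and version: applied, reverted or absent.
patch_state() {   # $1 = list file, $2 = patch name, $3 = version (v1, v2, ...)
    state=absent
    while IFS= read -r line; do
        case "$line" in
            *"| $2 |"*"| $3 |"*)
                case "$line" in
                    *"| REVERT |"*) state=reverted ;;
                    *)              state=applied ;;
                esac ;;
        esac
    done < "$1"
    printf '%s' "$state"
}

# Advisory order: 9652v1 still in place -> revert it and apply 9652v2 first;
# 10570v1 applied -> uninstall it before 10570v2 goes on.
supee_10570_plan() {   # $1 = list file; prints the needed steps, space-separated
    plan=""
    if [ "$(patch_state "$1" SUPEE-9652 v1)" = applied ] &&
       [ "$(patch_state "$1" SUPEE-9652 v2)" != applied ]; then
        plan="$plan revert-9652v1 apply-9652v2"
    fi
    if [ "$(patch_state "$1" SUPEE-10570 v1)" = applied ]; then
        plan="$plan revert-10570v1"
    fi
    if [ "$(patch_state "$1" SUPEE-10570 v2)" = applied ]; then
        plan="$plan up-to-date"
    else
        plan="$plan apply-10570v2"
    fi
    printf '%s' "${plan# }"
}

# Constructed sample history (placeholder checksums): 9652 v1 never reverted
# and 10570 v1 applied, the situation both notes in the advisory describe.
SAMPLE_LIST=$(mktemp)
trap 'rm -f "$SAMPLE_LIST"' EXIT
cat > "$SAMPLE_LIST" <<'EOF'
2017-03-07 11:00:00 UTC | SUPEE-9652 | CE_1.9.3.2 | v1 | 0000000000000001 | Tue Mar 7 2017 | SUPEE-9652_CE_1.9.3.2_v1.sh | Patch file
2018-02-28 09:00:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0000000000000002 | Wed Feb 28 2018 | SUPEE-10570_CE_1.9.3.7_v1.sh | Patch file
EOF

supee_10570_plan "$SAMPLE_LIST"; echo   # revert-9652v1 apply-9652v2 revert-10570v1 apply-10570v2
```

On a real store, point supee_10570_plan at app/etc/applied.patches.list and compare the output with the patch scripts' own install logs before acting on it.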

Information on all the changes in 1.14.3.8 and 1.9.3.8 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:

  • Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10570 or upgrade to Magento Commerce 1.14.3.8

  • Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10570 or upgrade to Magento Open Source 1.9.3.8

To download a patch or release, choose from the following options:

Partners:

Magento Commerce 1.14.3.8

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.8

SUPEE-10570

Partner Portal > Magento Commerce > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – February 2018 

Magento Commerce Merchants:

Magento Commerce 1.14.3.8

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Version 1.x Releases > Version 1.14.3.8

SUPEE-10570

My Account > Downloads Tab > Magento Commerce 1.X > Magento Commerce 1.x > Support and Security Patches > Security Patches > Security Patches – February 2018

Magento Open Source Merchants:

Magento Open Source 1.9.3.8

Magento Open Source Download Page > Release Archive Tab

SUPEE-10570

Magento Open Source Download Page > Release Archive Tab > Magento Open Source Patches - 1.x Section


APPSEC-1932: Remote Code Execution Using XML Injection
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description:

An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Peter O'Callaghan

APPSEC-1938: Remote Code Execution - additional fix not included in SUPEE-9652
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description:

A user can insert information in a return path, thereby storing information on the file system that could lead to Remote Code Execution (RCE).

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Cipriano Groenendal

APPSEC-1964: Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 9.8 (High)
Known Attacks: None
Description:

An administrator with Import permissions can import an XML file that could potentially provide an opportunity for Remote Code Execution (RCE).

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Fabain

APPSEC-2000: Remote Code Execution in Staging Environment
Type: Remote Code Execution (RCE)
CVSSv3 Severity: 7.2 (High)
Known Attacks: None
Description:

An administrator with limited privileges can inject a malformed configuration bypass, which could potentially lead to a file redirection that could be leveraged for arbitrary remote code execution.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Peter O'Callaghan

APPSEC-1994: Cross-Site Request Forgery in Store Backups
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.4 (Medium)
Known Attacks: None
Description:

An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted Cross-Site Request Forgery (CSRF) attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan

APPSEC-1878/1890: Cross-site Scripting in CMS hierarchy
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script into the CMS hierarchy, which could potentially result in a stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.2.3
Reporter: Max Chadwick and Magecraze

APPSEC-1908/1948: Cross-site Scripting in Custom Variables
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the custom variables name field, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze

APPSEC-1916: Cross-site Scripting in Attribute Group Name
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the attribute group name field, which could potentially result in stored cross-site scripting that affects other administrators.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze

APPSEC-1928: Cross-site Scripting in Downloadable Products
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the downloadable product link title field, which could subsequently lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze

APPSEC-1945: Cross-site Scripting in Product SKU
Type:
CVSSv3 Severity:
Known Attacks: None
Description:

An administrator with limited privileges can insert script in the RMA SKU field, which could potentially result in a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Magecraze

APPSEC-1973: Cross-site Scripting in Newsletter Template
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can embed cross-site scripting elements in the Newsletter template, which could potentially lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O'Callaghan

APPSEC-1873/1979/1980: Cross-site Scripting in Site Settings
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can embed cross-site scripting elements in the Website Name/Store View Name setting, which could potentially lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Max Chadwick and Peter O'Callaghan

APPSEC-1995: Cross-site Scripting in Downloadable Products
Type: Cross-site Scripting (XSS) - stored
CVSSv3 Severity: 5.0 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can insert arbitrary code into product fields, which could potentially lead to a stored cross-site scripting attack.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Boskostan

APPSEC-1889: Cross-Site Request Forgery Protection Bypass
Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.9 (Medium)
Known Attacks: None
Description:

An administrator with limited privileges can craft a cross-site request to perform requests on behalf of another administrator.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Fabain

APPSEC-1553: Access to Gift Registries of Other Users
Type: Insecure Direct Object Reference (IDOR)
CVSSv3 Severity: 4.8 (Medium)
Known Attacks: None
Description:

A user can view gift registries that do not belong to them.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O'Callaghan

APPSEC-1026: Session Management (not included in SUPEE-10570v2)
Type: Session Management
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description:

Active sessions persist after a password change.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570
Reporter: Vishnu_Vardhan_Reddy

APPSEC-1937: Insufficient privilege separation
Type: Information Exposure
CVSSv3 Severity: 3.9 (Low)
Known Attacks: None
Description:

Weak protection checking can potentially lead to privilege escalation or information disclosure.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Peter O'Callaghan

APPSEC-1967/APPSEC-1972: Password Change Session Management (not included in SUPEE-10570v2)
Type: Session Management
CVSSv3 Severity: 3.4 (Low)
Known Attacks: None
Description:

Magento did not previously terminate existing sessions when the currently logged-in user changed his or her password.

Product(s) Affected: Magento Open Source prior to 1.9.3.8, and Magento Commerce prior to 1.14.3.8, Magento 2.0 prior to 2.0.18, Magento 2.1 prior to 2.1.12, Magento 2.2 prior to 2.2.3
Fixed In: Magento Open Source 1.9.3.8, Magento Commerce 1.14.3.8, SUPEE-10570, Magento 2.0.18, Magento 2.1.12, Magento 2.2.3
Reporter: Internal

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.