February 19, 2015
This patch addresses a specific remote code execution (RCE) vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store. To determine if your store has been patched, see the Shoplift Bug Test. If your store is not protected, you must immediately download and install the appropriate patch for your version of Magento.
You can find more details on the vulnerability addressed by this patch below:
|Remote code execution - APPSEC-921|
|Type:||Remote Code Execution|
|CVSSv3 Severity:||9.1 (Critical)|
The authentication bypass uses a special parameter that allows the execution of an Admin action. That Admin action is vulnerable to SQL injection, which allows code to be inserted into the database and executed. As a result, the store can be fully compromised by creating counterfeit administrator accounts and/or installing malware on the server.
|Product(s) Affected:||Magento CE prior to 126.96.36.199, and Magento EE prior to 188.8.131.52.|
|Fixed In:||CE 184.108.40.206|
To download the patch, choose from the following options:
Partners: Go to the Partner Portal, select Technical Resources and then select Download from the Enterprise Edition panel. Next, navigate to Magento Enterprise Edition > Patches & Support and look for the folder titled “Security Patches – February 2015.”
Enterprise Edition Merchants: Go to My Account, select the Downloads tab, and then navigate to Magento Enterprise Edition > Support Patches. Look for the folder titled “Security Patches – February 2015.” Merchants can also upgrade to the latest version of the Enterprise Edition and receive the security fixes as part of the core code.
Community Edition Merchants: Patches for earlier versions of Community Edition can be found on the Community Edition download page (look for SUPEE-5344). Merchants can also upgrade today to the latest version of the Community Edition and receive the security fixes as part of the core code.
Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site. Information about installing patches for Magento Enterprise Edition and Magento Community Edition is available online.