New Security Update

Install critical updates for Magento 1.x and Magento 2.x versions

SUPEE-9652

February 6, 2017

SUPEE-9652, Enterprise Edition 1.14.3.2 and Community Edition 1.9.3.2 address the Zend library vulnerability described below.

Information on all the changes in 1.14.3.2 and 1.9.3.2 releases is available in the Enterprise Edition and Community Edition release notes.

Patches and upgrades are available for the following Magento versions:

  • Enterprise Edition 1.9.0.0-1.14.3.1: SUPEE-9652 or upgrade to Enterprise Edition 1.14.3.2

  • Community Edition 1.5.0.1-1.9.3.1: SUPEE-9652 or upgrade to Community Edition 1.9.3.2

To download a patch or release, choose from the following options:

Partners:

Enterprise Edition 1.14.3.2

Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.2

SUPEE-9652

Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – February 2017 

Enterprise Edition Merchants:

Enterprise Edition 1.14.3.2

My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version
1.x Releases > Version 1.14.3.2

SUPEE-9652

My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – Februrary 2017

Community Edition Merchants:

Community Edition 1.9.3.2

Community Edition Download Page > Release Archive Tab

SUPEE-9652

Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches - 1.x Section

 

APPSEC-1746 - Remote Code Execution using mail vulnerability
Type:Remote code execution (RCE)
CVSSv3 Severity:9.8 (Critical)
Known Attacks:None
Description:

Zend Framework 1 vulnerability can be remotely exploited to execute code in Magento 1. While the issue is not reproducible in Magento 2, the library code is the same so it was fixed as well.

Note: while the vulnerability is scored as critical, few systems are affected. To be affected by the vulnerability the installation has to:

- use sendmail as the mail transport agent

- have specific, non-default configuration settings as described here.

Product(s) Affected:Magento Community Edition prior to 1.9.3.2, and Magento Enterprise Edition prior to 1.14.3.2, Magento 2.1 versions prior to 2.1.4 and Magento 2.0 versions prior to 2.0.12
Fixed In:Community Edition 1.9.3.2, Enterprise Edition 1.14.3.2, SUPEE-9652, Magento 2.1.4, Magento 2.0.12
Reporter:natmchugh

Please refer to Security Best Practices for additional information on how to secure your site.

Be sure to implement and test the patch in a development environment first to confirm that it works as expected before deploying it to a production site.