The latest Magento patch, SUPEE-9767, together with Community Edition 1.9.3.3 and Enterprise Edition 1.14.3.3, was released to eliminate a set of security vulnerabilities.

Important Note

Implement and test the patch on a staging copy to confirm it works as expected before deploying it to a live site. A botched security update or a simple human error can cause massive losses. You can get further assistance on Magento Security here.

Before Installing Patch Or Update the Version

Disable Symlinks setting by navigating to:

  • Systems > Configuration > Advanced > Developer > Enable Symlinks

Why disable Symlinks?

If this setting is enabled, it overrides the configuration-file setting, and changing it afterwards requires direct database modification.

You can download the patches/updates if you have:

  • Enterprise Edition 1.9.0.0-1.14.3.2: SUPEE-9767 or upgrade to Enterprise Edition 1.14.3.3
  • Community Edition 1.5.0.1-1.9.3.2: SUPEE-9767 or upgrade to Community Edition 1.9.3.3

Options Available For Downloading Patch/Update

Partners:

  • Enterprise Edition 1.14.3.3: Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.3
  • SUPEE-9767: Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – May 2017

Enterprise Edition Merchants:

  • Enterprise Edition 1.14.3.3: My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.3
  • SUPEE-9767: My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – May 2017

Community Edition Merchants:

  • Community Edition 1.9.3.3: Community Edition Download Page > Release Archive Tab
  • SUPEE-9767: Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches – 1.x Section

1. APPSEC-1281: Remote code execution through symlinks

Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Familiar Attacks: Attackers can disable a configuration protection after gaining admin access and upload malicious code.
How does the attack happen? Using the AllowSymlinks option in configuration settings can enable the upload of an image containing malicious code.

Even though this option is disabled by default, an attacker with access to store configuration settings can enable it and execute code.

Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767
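Because the symlink flag must be turned off before patching (see "Before Installing Patch") and because APPSEC-1281 hinges on the same flag being switched on, the following audit is worth running against the store database. This is an added example, not part of the original post or of Magento's own code; it assumes a stock Magento 1 schema with no table prefix and uses the config path `dev/template/allow_symlink`, which backs the Developer > Template Settings symlink option.

```sql
-- Added example (not from the original post): audit and clear the Magento 1
-- "Allow Symlinks" flag straight from core_config_data. Assumes no table
-- prefix; adjust the table name if your installation uses one.

-- 1. Find every scope (default, websites, stores) where the flag is on.
--    A website- or store-level row keeps symlinks enabled even when the
--    default-scope row says 0, so never check only the default scope.
SELECT config_id, scope, scope_id, value, updated_at
  FROM core_config_data
 WHERE path = 'dev/template/allow_symlink'
   AND value <> '0';

-- 2. Switch it off at every scope where it was enabled.
UPDATE core_config_data
   SET value = '0'
 WHERE path = 'dev/template/allow_symlink'
   AND value <> '0';

-- 3. Confirm nothing is left enabled (expect still_enabled = 0).
SELECT COUNT(*) AS still_enabled
  FROM core_config_data
 WHERE path = 'dev/template/allow_symlink'
   AND value <> '0';
```

Magento 1 caches configuration, so flush the config cache (System > Cache Management) after the UPDATE or the old value stays in effect until the cache expires.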

2. APPSEC-1777: Remote Code Execution in DataFlow

Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Familiar Attacks:
How does the attack happen? Magento administrators having access to DataFlow functionality can use it to upload and execute arbitrary code.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

3. APPSEC-1686: Remote Code Execution in the Admin panel

Type: Remote Code Execution (RCE)
CVSSv3 Severity: 8.8 (High)
Familiar Attacks: None
How does the attack happen? Store administrators with access to CMS functionality can remotely execute code.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7


4. APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition)

Type: SQL Injection
CVSSv3 Severity: 8.8 (High)
Familiar Attacks: None
How does the attack happen? The Visual Merchandiser contains an SQL injection vulnerability that can potentially allow a user with Admin privileges to directly edit the database.
Editions Affected: Magento EE prior to 1.14.3.3
Patched In: EE 1.14.3.3, SUPEE-9767


5. APPSEC-1634: XSS in data fields

Type: Cross-Site Scripting (XSS, Reflected)
CVSSv3 Severity: 8.7 (High)
Familiar Attacks: None
How does the attack happen? Some Admin tables do not filter data, which provides an inadvertent opening for reflected cross-site scripting attacks.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

6. APPSEC-1759: XSS in Admin panel configuration

Type: Cross-Site Scripting (XSS, Stored)
CVSSv3 Severity: 8.1 (High)
Familiar Attacks: None
How does the attack happen? A Magento administrator with access to configuration settings can enter malicious code that is then executed on other Admin panel pages.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


7. APPSEC-1549: CSRF after logout – form key not invalidated

Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 8.0 (High)
Familiar Attacks: None
How does the attack happen? Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


8. APPSEC-1693: Bypassing ACLs in store configuration permissions

Type: Privilege Escalation
CVSSv3 Severity: 6.5 (Medium)
Familiar Attacks: None
How does the attack happen? Administrators with limited permission to modify configuration settings can also edit PayPal or payment configuration settings despite the lack of explicit permissions.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


9. APPSEC-1677: Local File Disclosure for admin users with access to DataFlow

Type: Information Leak (system)
CVSSv3 Severity: 6.5 (Medium)
Familiar Attacks: None
How does the attack happen? An authenticated administrator can use DataFlow to exfiltrate system files.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


10. APPSEC-1546: CSRF Vulnerability in Checkout feature

Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 6.1 (Medium)
Familiar Attacks: None
How does the attack happen? Checkout functionality is vulnerable to cross-site request forgery attacks. These types of attacks are typically executed through phishing emails or pages that allow attackers to modify or harvest payment details.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


11. APPSEC-1597: Potential for username enumeration

Type: Insufficient Data Protection
CVSSv3 Severity: 5.3 (Medium)
Familiar Attacks: None
How does the attack happen? When a user tries to log in using an invalid username or password, the Magento authentication mechanism responds with a message that indicates whether the username is valid. A malicious user can use this information to build a list of registered users.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


12. APPSEC-1695: CSRF in cache management

Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 4.7 (Medium)
Familiar Attacks: None
How does the attack happen? Vulnerabilities in session cache management may provide an opening for a cross-site request forgery attack. These types of attacks can include malicious clearing of session data.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


13. APPSEC-1324: Customer passwords exposed in logs

Type: Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity: 4.4 (Medium)
Familiar Attacks: None
How does the attack happen? In certain configurations, and depending on previous customer actions, a log-in action can generate an exception. Magento logs this exception, which may contain customer passwords, on the server.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767


14. APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites

Type: Cross-Site Request Forgery (CSRF)
CVSSv3 Severity: 3.4 (Low)
Familiar Attacks: None
How does the attack happen? The Magento EE private sale invites feature is not protected against cross-site request forgery attacks. This vulnerability potentially allows an attacker to invite themselves to, or register on, a restricted-access site.
Editions Affected: Magento EE prior to 1.14.3.3
Patched In: EE 1.14.3.3, SUPEE-9767

15. APPSEC-1659: Vulnerabilities in JavaScript libraries

Type: Misc Vulnerabilities
CVSSv3 Severity: 0 (Low)
Familiar Attacks: None
How does the attack happen? Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we've updated the JavaScript libraries in question to the latest versions. Note: this issue does not affect Magento CE versions prior to 1.9.0.0 or Magento EE versions prior to 1.14.0.0.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7

16. APPSEC-1622: Incorrect routing of requests

Type: Abuse of Functionality
CVSSv3 Severity: 0 (None)
Familiar Attacks: None
How does the attack happen? Incorrect request routing can enable the bypassing of web server protections, which in turn gives potentially malicious users access to the server.
Editions Affected: Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Patched In: CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7