Critical Security and Functional Updates Released for Magento 1.x and 2.x

The Magento team has released critical security updates for Magento 1.x and 2.x, affecting both the Community and Enterprise Editions. All store owners are advised to upgrade their stores immediately to the latest version.

ENTERPRISE EDITION 1.14.3, COMMUNITY EDITION 1.9.3, AND SUPEE-8788

Enterprise Edition 1.14.3 and Community Edition 1.9.3 deliver over 120 quality improvements, as well as support for PHP 5.6. They also resolve critical security issues, including:

  • Remote code execution vulnerabilities with certain payment methods
  • Possibility of SQL injections due to Zend Framework library vulnerabilities
  • Cross-site scripting (XSS) risks with the Enterprise Edition private sale invitation feature
  • Improper session invalidation when an Admin user logs out
  • The ability for unauthorized users to back up Magento files or databases

The SUPEE-8788 patch addresses these security issues in earlier Magento versions. Please note that the SUPEE-8788 patches for Community Edition 1.8 and earlier releases and Enterprise Edition 1.13 and earlier releases fail if a store has previously applied SUPEE-1533 or SUPEE-3941 security patches. The Magento team is working to correct this issue and will provide new patches in the next one to three days. Until then, these versions of the SUPEE-8788 patch are removed from distribution.
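As an added illustration (not part of the announcement and not Magento's own tooling), the following Python helper turns the fixed-release numbers and the SUPEE-8788 caveat above into a quick coverage check a store owner can run against their own version string and patch list. The fixed versions are taken from the announcement; the branch labels, the `assess` function and the sample patch-list lines are this example's own constructions. Magento 1 records applied patches in `app/etc/applied.patches.list`; the check only looks for the patch identifier on a line, so it does not depend on that file's exact column layout.

```python
import re

# Lowest release in each branch that contains the fixes announced above
# (numbers from the announcement; the branch keys are labels local to this script).
FIXED_VERSIONS = {
    "ce-1.x": (1, 9, 3),
    "ee-1.x": (1, 14, 3),
    "2.0.x": (2, 0, 10),
    "2.1.x": (2, 1, 2),
}

PATCH_ID = "SUPEE-8788"

# Constructed sample of an applied-patches list; the real file's columns may differ,
# which is why assess() only checks that the patch identifier appears on a line.
SAMPLE_APPLIED_PATCHES = """\
2016-01-20 10:12:03 UTC | SUPEE-7405 | CE_1.9.2.2 | v1 | ...
2016-10-11 14:55:41 UTC | SUPEE-8788 | CE_1.9.2.4 | v1 | ...
"""


def parse_version(text):
    """Extract the first dotted version ('1.9.2.4', '2.1.1') as a tuple of ints."""
    match = re.search(r"(\d+(?:\.\d+)+)", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def branch_for(version, edition):
    """Map a parsed version to one of the FIXED_VERSIONS branches, or None."""
    if version[0] == 1:
        return f"{edition}-1.x"          # CE and EE 1.x use different numbering
    if version[0] == 2 and len(version) > 1:
        return f"2.{version[1]}.x"       # 2.0.x / 2.1.x share numbering across editions
    return None


def assess(version_text, applied_patches="", edition="ce"):
    """
    Return one of:
      'fixed-release'           - running a release at or above the fixed version
      'patched'                 - older release, but SUPEE-8788 is recorded as applied
      'unpatched'               - older release, patch not applied
      'unpatched-patch-pending' - CE 1.8 and earlier / EE 1.13 and earlier, where the
                                  announcement says the patch has been withdrawn
      'unknown'                 - branch not covered by this announcement
    """
    version = parse_version(version_text)
    branch = branch_for(version, edition)
    if branch not in FIXED_VERSIONS:
        return "unknown"
    # Tuple comparison handles differing lengths: (1, 9, 3, 0) >= (1, 9, 3) is True.
    if version >= FIXED_VERSIONS[branch]:
        return "fixed-release"
    if any(PATCH_ID in line for line in applied_patches.splitlines()):
        return "patched"
    if version[0] == 1:
        ce_withdrawn = edition == "ce" and version[:2] <= (1, 8)
        ee_withdrawn = edition == "ee" and version[:2] <= (1, 13)
        if ce_withdrawn or ee_withdrawn:
            return "unpatched-patch-pending"
    return "unpatched"


if __name__ == "__main__":
    for ver, patches, ed in [
        ("1.9.2.4", "", "ce"),
        ("1.9.2.4", SAMPLE_APPLIED_PATCHES, "ce"),
        ("1.8.1.0", "", "ce"),
        ("1.14.3.0", "", "ee"),
        ("2.1.1", "", "ce"),
        ("2.0.10", "", "ce"),
    ]:
        print(f"{ed.upper()} {ver}: {assess(ver, patches, ed)}")
```

Run it with the version reported by your store (for Magento 1, `Mage::getVersion()`; for Magento 2, `bin/magento --version`) and, for 1.x, the contents of `app/etc/applied.patches.list`. A result other than `fixed-release` or `patched` means the store still carries the issues listed above.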

Functional update details and installation instructions are available in the Enterprise Edition and Community Edition release notes; a full list of security updates is published in the Magento Security Center.

ENTERPRISE EDITION AND COMMUNITY EDITION 2.0.10 AND 2.1.2

Updates to Magento 2 software address the same critical security issues described above. Additionally, the releases make several functional improvements and API enhancements. New API methods allow third-party solutions, such as shipping or ERP applications, to transition an order state through the API when they create an invoice or shipment. Magento 2.1.2 now also includes PHP 7.0.4 support, and Magento 2.0.10 and 2.1.2 are compatible with MySQL 5.7. A summary of improvements is available in the release notes; all security updates are listed in the Security Center.

You are advised to deploy these new releases right away. Updates should be installed and tested in a development environment before being put into production. Always take a full backup before attempting to upgrade your store.

All users are also encouraged to regularly check that their store is in accordance with the Magento Security Best Practices.