The latest Magento Patch, SUPEE-9767, Community Edition 1.9.3.3, and Enterprise Edition 1.14.3.3 address to eliminate security vulnerabilities.

Important Note

Implement and test the patch to confirm it works according to the expectations before deploying it to a live site. This security and human error can cause massive loss. You can get further assistance on Magento Security here.

Before Installing Patch Or Update the Version

Disable Symlinks setting by navigating to:

• Systems > Configuration > Advanced > Developer > Enable Symlinks

Why disable Symlinks?

If these settings will be enabled, it will override configuration file settings and if we change, it would require direct database modification.

You can download the patches/updates if you have:

• Enterprise Edition 1.9.0.0-1.14.3.2: SUPEE-9767 or upgrade to Enterprise Edition 1.14.3.3
• Community Edition 1.5.0.1-1.9.3.2: SUPEE-9767 or upgrade to Community Edition 1.9.3.3

Options Available For Downloading Patch/Update

 

Partners:

Enterprise Edition 1.14.3.3	Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version 1.x Releases > Version 1.14.3.3
SUPEE-9767	Partner Portal > Magento Enterprise Edition > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – May 2017

 

Enterprise Edition Merchants:

Enterprise Edition 1.14.3.3	My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Version   1.x Releases > Version 1.14.3.3
SUPEE-9767	My Account > Downloads Tab > Magento Enterprise Edition 1.X > Magento Enterprise Edition 1.x > Support and Security Patches > Security Patches > Security Patches – May 2017

Community Edition Merchants:

Community Edition 1.9.3.3	Community Edition Community Edition Download Page > Release Archive Tab
SUPEE-9767	Community Edition Download Page > Release Archive Tab > Magento Community Edition Patches – 1.x Section

 

1) APPSEC-1281: Remote code execution through symlinks

Type:	Remote Code Execution (RCE)
CVSSv3 Severity:	8.8 (High)
Familiar Attacks	Attackers can disable a configuration protection after gaining admin access and upload malicious code.
How does attack happen?	Using AllowSymlinks option in configuration settings can enable the upload of an image containing malicious code.   Even though this option is disabled by default, an attacker with access to store configuration settings can enable and execute code.
Editions Affected	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

 

2) APPSEC-1777: Remote Code Execution in DataFlow

Type:	Remote Code Execution (RCE)
CVSSv3 Severity:	8.8 (High)
Familiar Attacks	–
How does attack happen?	Magento administrators having access to DataFlow functionality can use it to upload and execute arbitrary code.
Editions Affected	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

 

3) APPSEC-1686: Remote Code Execution in the Admin panel

Type:	Remote Code Execution (RCE)
CVSSv3 Severity:	8.8 (High)
Familiar Attacks	None
How does attack happen?	Store administrators with access to CMS functionality can remotely execute code.
Editions Affected	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Patched In	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7

4. APPSEC-1320: SQL injection in Visual Merchandiser (Enterprise Edition)

Type:	SQL Injection
CVSSv3 Severity:	8.8 (High)
Familiar Attacks	None
How does attack happen?	The Visual Merchandiser contains an SQL injection vulnerability that can potentially allow a user with Admin privileges to directly edit the database.
Editions Affected	Magento EE prior to 1.14.3.3
Patched In	EE 1.14.3.3, SUPEE-9767

5. APPSEC-1634: XSS in data fields

Type:	Cross-Site Scripting (XSS, Reflected)
CVSSv3 Severity:	8.7 (High)
Familiar Attacks	None
How does attack happen?	Some Admin tables do not filter data, which provides an inadvertent opening for reflected cross-site scripting attacks.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

 

6. APPSEC-1759: XSS in Admin panel configuration

Type:	Cross-Site Scripting (XSS, stored)
CVSSv3 Severity:	8.1 (High)
Familiar Attacks	None
How does Attack happen?	A Magento administrator with access to configuration settings can enter a malicious code that can be executed on other Admin panel pages.
Editions Affected	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

7. APPSEC-1549: CSRF after logout – form key not invalidated

Type:	Cross-Site Request Forgery (CSRF)
CVSSv3 Severity:	8.0 (High)
Familiar Attacks	None
How does Attack happen?	Magento does not invalidate form keys on logout, which potentially allows an attacker to execute commands as administrator after the admin logs out.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

8. APPSEC-1693: Bypassing ACLs in store configuration permissions

Type:	Privilege Escalation
CVSSv3 Severity:	6.5 (Medium)
Familiar Attacks	None
How does Attack happen?	Administrators with limited permission to modify configuration settings can also edit PayPal or payment configuration settings despite the lack of explicit permissions.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

9. APPSEC-1677: Local File Disclosure for admin users with access to data flow

Type:	Information Leak (system)
CVSSv3 Severity:	6.5 (Medium)
Familiar Attacks	None
How does Attack happen?	An authenticated administrator can use DataFlow to exfiltrate system files.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

10. APPSEC-1546: CSRF Vulnerability in Checkout feature

Type:	Cross-Site Request Forgery (CSRF)
CVSSv3 Severity:	6.1 (Medium)
Familiar Attacks	None
How does Attack happen?	Checkout functionality is vulnerable to cross-site request forgery attacks. These types of attacks are typically executed by phishing emails or pages that allow attackers to modify or harvest payment details.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

11. APPSEC-1597: Potential for username enumeration

Type:	Insufficient Data Protection
CVSSv3 Severity:	5.3 (Medium)
Familiar Attacks	None
How does Attack happen?	When a user tries to log in using an invalid username or password, the Magento authentication mechanism responds with a message that indicates whether the username is valid. A malicious user can use this information to build a list of registered users.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

12. APPSEC-1695: CSRF cache management

Type:	Cross-Site Request Forgery (CSRF)
CVSSv3 Severity:	4.7 (Medium)
Familiar Attacks	None
How does Attack happen?	Vulnerabilities in session cache management may provide an opening for a cross-site request forgery attack. These types of attacks can include malicious clearing of session data.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

13. APPSEC-1324: Customer passwords exposed in logs

Type:	Information Disclosure / Leakage (Confidential or Restricted)
CVSSv3 Severity:	4.4 (Medium)
Familiar Attacks	None
How does Attack happen?	In certain configurations, and depending on previous customer actions, a log-in action can generate an exception. Magento logs this exception, which may contain customer passwords, on the server.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767

14. APPSEC-1675: Cross-site Request Forgery Vulnerability in Enterprise Edition (EE) Invites

Type:	Cross-Site Request Forgery (CSRF)
CVSSv3 Severity:	3.4 (Low)
Familiar Attacks	None
How does Attack happen?	The Magento EE private sale invites feature is not protected against cross-site request forgery attacks. This vulnerability potentially allows an attacker to invite himself to/register on a restricted access site.
Editions Affected:	Magento EE prior to 1.14.3.3
Patched In:	EE 1.14.3.3, SUPEE-9767

 

15. APPSEC-1659: Vulnerabilities in JavaScript libraries

Type:	Misc Vulnerabilities
CVSSv3 Severity:	0 (Low)
Familiar Attacks	None
How does Attack happen?	Magento uses versions of JavaScript libraries with known security vulnerabilities. Magento does not use the vulnerable functionality, and no Magento-specific attack vector has been found. However, out of caution, we’ve updated the JavaScript libraries in question to the latest versions. Note: this issue does not affect Magento CE version prior to 1.9.0.0 and Magento EE versions prior to 1.14.0.0.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 allin

 

16. APPSEC-1622: Incorrect routing of requests

Type:	Abuse of Functionality
CVSSv3 Severity:	0 (None)
Familiar Attacks	None
How does Attack happen?	Incorrect request routing can enable the bypassing of web server protections, which in turn provides potentially malicious users access to the server.
Editions Affected:	Magento CE prior to 1.9.3.3, and Magento EE prior to 1.14.3.3, Magento 2.0 prior to 2.0.14, Magento 2.1 prior to 2.1.7
Patched In:	CE 1.9.3.3, EE 1.14.3.3, SUPEE-9767, Magento 2.0.14 and Magento 2.1.7 allin