MAGENTO SECURITY PATCH SUPEE-10570 RELEASED
Categorized as : Security Patches
SUPEE-10570, Magento Commerce 1.14.3.8 and Magento Open Source 1.9.3.8 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS) and other vulnerabilities. These releases also include small functional fixes listed in the release notes.
NOTE: Magento was recently informed of an issue with both patch SUPEE-10570 and Magento versions 1.9.3.8/1.14.3.8 that could prevent customers from completing checkout when they register during checkout. Magento now provides an updated patch (SUPEE-10570v2) that no longer causes this issue. Stores that already applied the first version of the patch should verify their checkout registration flow and move to v2.
Patches and upgrades are available for the following Magento versions:
- Magento Commerce 1.9.0.0-1.14.3.7: SUPEE-10570 or upgrade to Magento Commerce 1.14.3.8
- Magento Open Source 1.5.0.0-1.9.3.7: SUPEE-10570 or upgrade to Magento Open Source 1.9.3.8
Magento assigned each issue a CVSSv3 score (on the CVSSv3 scale, 9.0 and above is Critical, 7.0 to 8.9 is High and 4.0 to 6.9 is Medium). The main bugs closed by this patch are listed below:

Issue Type: Remote Code Execution (RCE)

| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 9.8 (Critical) | Remote Code Execution Using XML Injection | An administrator with limited privileges can insert injectable XML into the layout table, which can create an opportunity for remote code execution. |
| 9.8 (Critical) | Remote Code Execution - additional fix not included in SUPEE-9652 | A user can insert information in a return path, thereby storing information on the file system that could lead to remote code execution. |
| 8.9 (High) | Remote Code Execution by (semi-)arbitrary file deletion for admin users with access to Import | An administrator with Import permissions can import an XML file that could provide an opportunity for remote code execution. |
| 7.2 (High) | Remote Code Execution in Staging Environment | An administrator with limited privileges can inject a malformed configuration bypass that could lead to a file redirection, which could be leveraged for arbitrary remote code execution. |

Issue Type: Cross-Site Request Forgery (CSRF)

| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 6.4 (Medium) | Cross-Site Request Forgery in Store Backups | An administrator can be tricked into performing a system backup by an attacker who has crafted a targeted cross-site request forgery (CSRF) attack. |

Issue Type: Cross-Site Scripting (XSS) - stored

| CVSSv3 Severity | Security Bug | Description |
| --- | --- | --- |
| 5.0 (Medium) | Cross-Site Scripting in CMS hierarchy | An administrator with limited privileges can insert script into the CMS hierarchy, which could result in stored cross-site scripting that affects other administrators. |
| 5.0 (Medium) | Cross-Site Scripting in Custom Variables | An administrator with limited privileges can insert script into the custom variables name field, which could result in stored cross-site scripting that affects other administrators. |
Source: Magento
Magento strongly recommends deploying these releases right away to ensure optimal security and performance. Apply and test the patch in a development or staging environment first to confirm that it works as expected, including the checkout registration flow affected by the original patch, or consult a professional.
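Because the release note above distinguishes the original patch from SUPEE-10570 v2, the first thing to verify on a Magento 1 store is which version the install actually records. The following is an added example written for this article, not a script from Magento: a POSIX shell check that reads app/etc/applied.patches.list (the file the SUPEE patch scripts append to on every apply and revert) and reports whether SUPEE-10570 is missing, reverted, or applied at v1 or v2. The pipe-separated line layout it parses (date, patch name, edition, version, then further fields, with the token REVERTED marking a reversal), the embedded sample file contents and the function names supee_status and supee10570_v2_applied are assumptions made for the example; check the layout against your own file before relying on the exit status.

```shell
#!/bin/sh
# Added example, not part of Magento's release notes: report the state of
# SUPEE-10570 from a Magento 1 app/etc/applied.patches.list file.
#
# ASSUMPTION: each apply/revert appends one pipe-separated line of the form
#   DATE | PATCH_NAME | EDITION | PATCH_VERSION | ...
# and a revert line contains the token REVERTED somewhere on the line.
# Verify this against your own applied.patches.list before trusting the result.

# Print "missing", "reverted", or the version tag (v1, v2, ...) of the given
# patch (default SUPEE-10570). Only the most recent line for that patch counts,
# because an apply followed by a revert leaves both lines in the file.
supee_status() {
    list="$1"
    patch="${2:-SUPEE-10570}"
    if [ ! -r "$list" ]; then
        echo "missing"
        return 0
    fi
    # grep -F: match the patch name as a fixed string between field separators,
    # so SUPEE-1057 would not match SUPEE-10570
    last=$(grep -F "| $patch |" "$list" | tail -n 1)
    if [ -z "$last" ]; then
        echo "missing"
    elif printf '%s\n' "$last" | grep -q "REVERTED"; then
        echo "reverted"
    else
        # fourth pipe-separated field holds the version tag; trim its spaces
        printf '%s\n' "$last" | awk -F'|' '{ gsub(/^ +| +$/, "", $4); print $4 }'
    fi
}

# Succeed (exit 0) only when SUPEE-10570 v2, the version without the checkout
# registration regression, is the latest recorded state.
supee10570_v2_applied() {
    [ "$(supee_status "$1" SUPEE-10570)" = "v2" ]
}

# Constructed sample list (not a real store's file): v1 applied, reverted
# after the checkout problem surfaced, then v2 applied.
write_sample_list() {
    cat > "$1" <<'EOF'
2018-02-27 10:00:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0000000000000000000000000000000000000000 | Tue Feb 27 10:00:00 UTC 2018 | aaaaaaaa
2018-03-01 09:00:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v1 | 0000000000000000000000000000000000000000 | Thu Mar 01 09:00:00 UTC 2018 | aaaaaaaa | REVERTED
2018-03-08 09:30:00 UTC | SUPEE-10570 | CE_1.9.3.7 | v2 | 1111111111111111111111111111111111111111 | Thu Mar 08 09:30:00 UTC 2018 | bbbbbbbb
EOF
}

# Usage: sh check_supee10570.sh /path/to/magento/app/etc/applied.patches.list
# Without an argument the constructed sample above is checked instead.
if [ -n "${1:-}" ]; then
    target="$1"
else
    target=$(mktemp)
    write_sample_list "$target"
fi
echo "SUPEE-10570 state in $target: $(supee_status "$target")"
if supee10570_v2_applied "$target"; then
    echo "OK: SUPEE-10570 v2 is the latest recorded state"
else
    echo "ACTION NEEDED: apply SUPEE-10570 v2 (or upgrade to 1.9.3.8 / 1.14.3.8)"
fi
[ -n "${1:-}" ] || rm -f "$target"
```

Run it with the path to a store's applied.patches.list; with no argument it checks the embedded sample. The check deliberately looks only at the last line for the patch, since an earlier apply line stays in the file after a revert, and a v1 line alone is not treated as good enough because of the checkout regression the note describes.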
What else can be done to protect a Magento site?
Apart from installing security patches, you can have Magento certified professionals conduct a security audit every quarter to confirm that your store remains secure, especially after installing new extensions or making changes to the site.
If you want help implementing this security patch, or have any questions about Magento security patch SUPEE-10570, consult our certified Magento developers by contacting our support team.