Magento 2.2.7 Patch Assessment

This post reviews the security updates released for all supported versions of Magento 2, including the new minor release, Magento 2.3.0. The updates cover 35 vulnerability fixes, most of them rated “Medium” or “High” severity, with a couple of “Critical” issues included. The “Critical” vulnerabilities cover PHP Object Injection (POI) and Remote Code Execution (RCE) through the Braintree payment configuration, Varnish configuration, and design configuration areas of the admin panel.

The bulk of the patch consists of “High” and “Medium” severity issues. A large portion of these close avenues for RCE, such as path traversal, unauthorized file upload while creating downloadable products, upload settings for B2B quote files, API activation, video uploads, and the admin import feature. There are also many Cross-Site Scripting (XSS) vulnerabilities reachable through unsanitized URL parameters, shopping cart fields, customer coupon code fields, newsletter templates, product image/media uploads in the admin panel, admin alert messages in the store configuration settings, widgets, shopping cart settings, and attribute set group names.

The remaining “Medium” and “High” severity vulnerabilities cover a combination of Cross-Site Request Forgery (CSRF) (e.g. gift cards, RMA and other admin panels), Privilege Escalation (e.g. notification feed, shopping cart price rules) and Information Leakage (e.g. user.ini PHP settings, media players). Most of these can only be exploited by authorized users, but some can be exploited by unauthorized users.

The 2.x updates also include low-severity enhancements, such as replacing older versions of jQuery that cause PCI scans to fail, no longer storing encryption keys in plain text, and addressing vulnerabilities within AngularJS.

Some of the entries below also apply to Magento 1.x, but we will detail those in a separate document.

Severity Assessment

This update requires expedited release. While most of these vulnerabilities require at least limited admin access, some of the most severe and high-risk ones can be exploited by unauthorized users. The vulnerabilities addressed in this upgrade are present on live production websites, and their public disclosure puts outdated sites at risk. Details for each entry are below.

| Vulnerability Code | Description | CVSSv3 Severity | Versions Affected |
|---|---|---|---|
| PRODSECBUG-2123 | PHP Object Injection (POI) and Remote Code Execution (RCE) in the Admin | 9.1 (Critical) | 2.1.x, 2.2.x |
| PRODSECBUG-2160 | Unauthorized File Upload via Customer Attributes | 9.0 (Critical) | 2.1.x, 2.2.x |
| PRODSECBUG-2151 | Remote Code Execution through Path Traversal | 8.8 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2154 | Remote Code Execution through the Admin | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2057 | Remote Code Execution in Upload of Quote File | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2157 | Remote Code Execution Vulnerability in Race Condition | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2159 | API-Based Remote Code Execution Vulnerability | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2156 | Remote Code Execution through Unauthorized File Upload | 8.5 (High) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2148 | Remote Code Execution and Arbitrary Move File | 8.5 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2153 | Unauthorized read permissions through Email Templates | 7.7 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2063 | Bypass of Authorization Check by Unauthorized Users | 7.2 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2143 | Cross-Site Scripting in the Swagger Generator through Unsanitized URL Parameter | 7.1 (High) | 2.1.x, 2.2.x |
| PRODSECBUG-2113 | Vulnerability in Customer Shopping Cart | 6.5 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2030 | Vulnerability in Staging Campaign Name | 6.5 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2053 | Vulnerability in Newsletter Template | 6.5 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-1726 | Customer Gift Card Vulnerability | 6.5 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-91785 | Vulnerability within Return Order Requests | 6.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2146 | Remote Code Execution through the Product Media Upload in the Admin | 6.0 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-90725 | Vulnerability in Admin Alert Message | 5.9 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2138 | Widget Based XSS Vulnerability | 5.8 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2126 | Unauthorized Modification of the feed_url Configuration Setting | 5.8 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2152 | ACL Bypass of Shopping Cart Price Rules | 5.4 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2136 | Stored Cross-Site Scripting (XSS) in Admin | 5.4 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-94370 | Customer Bypass of Restrictions | 5.4 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-1883 | Leakage of Custom PHP settings from .user.ini File | 5.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2131 | Bypass of Authorization Possible through Vulnerability in render_handle | 5.0 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2071 | Vulnerability in Cart | 4.8 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-1917 | Password Protection via External Auth Injection | 4.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-1505 | Vulnerability for Authenticated Users | 4.3 (Medium) | 2.1.x, 2.2.x |
| MAGETWO-95681 | Cross Site Data Leakage | 4.3 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2069 | Vulnerability in Attribute Group Name | 4.2 (Medium) | 2.1.x, 2.2.x |
| PRODSECBUG-2088 | CSRF Vulnerability related to Customer Group Deletion | 4.2 (Medium) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2108 | Outdated jQuery Causes PCI Scanning Failure | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| MAG-12, MAG-2 | Encryption Keys Stored in Plain Text | 0.0 (None) | 1.9.3.x, 1.14.3.x, 2.1.x, 2.2.x |
| PRODSECBUG-2074 | AngularJS and Setup Application are Vulnerable | 0.0 (None) | 2.1.x, 2.2.x |

Affected Versions

All websites running Magento 2.x versions below 2.3.0 are affected, including Magento 2.1.x versions below 2.1.16 and Magento 2.2.x versions below 2.2.7.
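As an added example (not part of the original assessment), the following Python check tells you whether an installed Magento 2 version falls inside the affected ranges above, so it can be run across a fleet before scheduling the upgrade. The `Magento CLI x.y.z` output format it parses from `bin/magento --version` is an assumption.

```python
import re
from typing import Tuple

# Fix versions per branch, as stated in this assessment:
# 2.1.x is fixed in 2.1.16, 2.2.x in 2.2.7, and any other 2.x branch
# (e.g. 2.0.x) is only safe once upgraded to 2.3.0 or later.
BRANCH_FIX = {(2, 1): (2, 1, 16), (2, 2): (2, 2, 7)}
FIRST_SAFE_MINOR = (2, 3, 0)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '2.2.6' (or '2.2.6-p1', suffix ignored) into a comparable tuple."""
    match = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Magento version string: {version!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def is_affected(version: str) -> bool:
    """True when a Magento 2.x install predates the fix for its branch.

    Magento 1.x is out of scope here (covered in a separate document),
    so any non-2.x version returns False.
    """
    v = parse_version(version)
    if v[0] != 2:
        return False
    branch = (v[0], v[1])
    if branch in BRANCH_FIX:
        return v < BRANCH_FIX[branch]
    # 2.0.x and any other unlisted 2.x branch: safe only from 2.3.0 upward.
    return v < FIRST_SAFE_MINOR


def version_from_cli_output(output: str) -> str:
    """Extract the version from 'bin/magento --version' output.

    Assumed format (constructed for this example): 'Magento CLI 2.2.6'.
    """
    match = re.search(r"(\d+\.\d+\.\d+(?:-p\d+)?)", output)
    if not match:
        raise ValueError(f"no version found in CLI output: {output!r}")
    return match.group(1)


if __name__ == "__main__":
    # Constructed sample output, as if captured from 'bin/magento --version'.
    sample = "Magento CLI 2.2.6"
    ver = version_from_cli_output(sample)
    print(f"{ver}: {'AFFECTED, upgrade required' if is_affected(ver) else 'patched'}")
```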

Known Issues

No known issues with the newest security update have been reported by the Magento community at this time. We will continue to monitor the appropriate channels for future issues.

Related Links

Release Notes: MOS2.3.0, MC2.3.0, MOS2.2.7, MC2.2.7, MOS2.1.16, MC2.1.16

Security Update: 2.1.16 & 2.2.7 Security Update

Blog Posts: Magento 2.3.0 Announcement