Adobe / Magento Commerce Security Patch Releases: 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10

wccsieucfoid
Adobe Commerce security patch release notes with key highlights and updates for versions 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10.

In the dynamic landscape of e-commerce, security remains a top priority. Adobe Commerce, a leading platform for online businesses, consistently updates its system with security patches to address vulnerabilities and enhance overall protection. The latest releases—2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10—focus on critical security improvements and bug fixes to safeguard your e-commerce platform.

This detailed guide will walk you through the key updates, security highlights, and hotfixes included in these Adobe Commerce releases. Understanding these updates is crucial for maintaining the security and reliability of your platform.

Adobe Commerce 2.4.7-p2: Addressing Critical Security Vulnerabilities

Security Bug Fixes

Adobe Commerce 2.4.7-p2 focuses on resolving vulnerabilities identified in earlier versions of the 2.4.7 series. These bug fixes are essential to prevent potential exploits that could compromise the integrity of your e-commerce platform.

Key Security Fixes:

  • Prototype.js Vulnerability (CVE-2020-27511): This fix addresses a security flaw in Prototype.js, a JavaScript framework previously used within Adobe Commerce. The vulnerability could have allowed cross-site scripting (XSS) attacks, where malicious scripts are executed within a user’s browser. The update effectively patches this issue, bolstering your platform’s defenses against XSS attacks.
  • Remote Code Execution (RCE) Vulnerability (CVE-2024-39397): This critical fix resolves a vulnerability that allowed remote code execution (RCE), specifically affecting merchants using Apache web servers in on-premises or self-hosted deployments. RCE vulnerabilities are particularly severe as they can allow attackers to execute arbitrary code on the server, potentially leading to full system compromise. The 2.4.7-p2 release includes a patch that neutralizes this threat, ensuring your platform remains secure.

For more detailed information on these security fixes, refer to the Adobe Security Bulletin APSB24-61.

Security Enhancements in 2.4.7-p2:

  • Rate Limiting for One-Time Passwords (2FA Enhancements): Adobe Commerce 2.4.7-p2 introduces new system configuration options to enable rate limiting on one-time password (OTP) validation for two-factor authentication (2FA). This feature is crucial in defending against brute-force attacks, where repeated attempts are made to guess OTPs.
    • Retry Attempt Limit: This setting allows administrators to limit the number of OTP validation attempts, thereby reducing the risk of unauthorized access.
    • 2FA Lockout Time: This option specifies the duration of a lockout period after the maximum number of OTP retry attempts is reached, further enhancing account security.
  • Encryption Key Rotation: A new command-line interface (CLI) command for rotating encryption keys has been introduced. Regular key rotation is a best practice for ensuring data security, as it mitigates the risk of compromised keys leading to unauthorized data access.
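The two OTP controls described above (a retry-attempt limit and a lockout time) are easiest to understand as a small state machine per account. The following is an added illustration written for this page, not Adobe Commerce's own code: the class names, the default values of 5 attempts and 1800 seconds, and the injectable clock are all assumptions. Note the two behaviours that make such a gate effective against brute-force guessing: the failed-attempt counter only resets on a successful validation, and while an account is locked out even a correct code is rejected, so an attacker cannot profit from a lucky guess during the lockout window.

```python
"""Added example: an OTP validation gate with a retry limit and a lockout window.
Not Adobe Commerce code; names and defaults are assumptions for illustration."""
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict


@dataclass
class OtpPolicy:
    max_attempts: int = 5          # assumed default for "Retry Attempt Limit"
    lockout_seconds: int = 1800    # assumed default for "2FA Lockout Time"


@dataclass
class AccountState:
    failed_attempts: int = 0
    locked_until: float = 0.0      # epoch seconds; 0 means not locked


class OtpGate:
    """Tracks failed OTP attempts per user and enforces a lockout period."""

    def __init__(self, policy: OtpPolicy, clock: Callable[[], float] = time.time):
        self.policy = policy
        self.clock = clock                      # injectable so tests can fake time
        self.state: Dict[str, AccountState] = {}

    def validate(self, user: str, submitted: str, expected: str) -> str:
        """Return 'ok', 'invalid' or 'locked' for one OTP submission."""
        now = self.clock()
        st = self.state.setdefault(user, AccountState())

        # While locked, reject everything, including a correct code.
        if now < st.locked_until:
            return "locked"

        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            st.failed_attempts = 0
            return "ok"

        st.failed_attempts += 1
        if st.failed_attempts >= self.policy.max_attempts:
            st.locked_until = now + self.policy.lockout_seconds
            st.failed_attempts = 0
            return "locked"
        return "invalid"

    def seconds_until_unlock(self, user: str) -> float:
        """Remaining lockout time for a user (0 if not locked)."""
        st = self.state.get(user)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self.clock())


def demo() -> list:
    """Constructed walk-through: three wrong guesses, a correct guess while
    locked, then a correct guess after the lockout expires."""
    fake_now = [1000.0]
    gate = OtpGate(OtpPolicy(max_attempts=3, lockout_seconds=60), clock=lambda: fake_now[0])
    results = [gate.validate("alice", wrong, "123456") for wrong in ("000000", "111111", "222222")]
    results.append(gate.validate("alice", "123456", "123456"))   # correct but locked
    fake_now[0] += 61                                            # lockout has elapsed
    results.append(gate.validate("alice", "123456", "123456"))
    return results


if __name__ == "__main__":
    print(demo())
```

The lockout is held in memory here for brevity; in a real deployment the counter and lockout timestamp must live in shared storage (database or cache) so that the limit is enforced across all application nodes, otherwise an attacker can spread guesses over several servers and never trip the limit on any one of them.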

For guidance on configuring these new security features, see the Security > 2FA section in the Configuration Reference Guide.

Hotfixes Included in 2.4.7-p2:

  • Google Maps JavaScript Error: A hotfix addresses a JavaScript error that previously prevented Google Maps from rendering properly within the PageBuilder editor. This issue impacted users who integrated Google Maps into their websites, affecting site functionality.
  • JWT Validation Issue: This hotfix resolves a JSON Web Token (JWT) validation issue linked to CVE-2024-34102. Proper JWT validation is critical for maintaining secure authentication processes and preventing unauthorized access.

Adobe Commerce 2.4.6-p7: Continued Security Enhancements

Security Bug Fixes

Adobe Commerce 2.4.6-p7 is dedicated to addressing security vulnerabilities identified in previous 2.4.6 releases. These fixes are essential for maintaining a secure and stable platform.

Key Security Fixes:

  • Prototype.js Vulnerability (CVE-2020-27511): This update addresses the same XSS vulnerability found in Prototype.js, ensuring that all Adobe Commerce deployments are protected from this potential threat.
  • Remote Code Execution (RCE) Vulnerability (CVE-2024-39397): The RCE vulnerability affecting Apache web server users has also been resolved in this release, ensuring your platform is secure from remote exploits.

Security Highlights in 2.4.6-p7:

  • Rate Limiting for One-Time Passwords (2FA Enhancements): The 2.4.6-p7 release introduces the same rate-limiting features for OTP validation as in 2.4.7-p2. These features are crucial for preventing brute-force attacks on user accounts.
  • Encryption Key Rotation: The introduction of the new CLI command for encryption key rotation in 2.4.6-p7 helps maintain the security of your encrypted data by making key rotation more manageable and less prone to errors.

Hotfixes Included in 2.4.6-p7:

  • Google Maps JavaScript Error: This hotfix resolves the Google Maps rendering issue in PageBuilder, ensuring that this essential feature functions correctly across all sites.
  • JWT Validation Issue: A hotfix addresses the JWT validation issue related to CVE-2024-34102, ensuring that authentication processes remain secure and trustworthy.

Adobe Commerce 2.4.5-p9: Addressing Core Security Needs

Security Bug Fixes

Adobe Commerce 2.4.5-p9 continues the trend of addressing vulnerabilities from previous releases in the 2.4.5 series. These bug fixes are crucial for preventing potential security breaches.

Key Security Fixes:

  • Prototype.js Vulnerability (CVE-2020-27511): The 2.4.5-p9 release includes a fix for the Prototype.js XSS vulnerability, protecting your platform from potential cross-site scripting attacks.
  • Remote Code Execution (RCE) Vulnerability (CVE-2024-39397): This release also addresses the RCE vulnerability affecting Apache web server deployments, ensuring your platform is safeguarded against remote attacks.

Security Highlights in 2.4.5-p9:

  • Rate Limiting for One-Time Passwords (2FA Enhancements): Rate limiting for OTP validation is now available in the 2.4.5-p9 release, providing additional protection against brute-force attempts on user accounts.
  • Encryption Key Rotation: A CLI command for encryption key rotation has been introduced, making it easier to rotate encryption keys and maintain secure data practices.

Hotfixes Included in 2.4.5-p9:

  • Google Maps JavaScript Error: The hotfix resolves the Google Maps rendering issue within the PageBuilder editor, ensuring that map functionalities are restored and operate as expected.
  • JWT Validation Issue: A hotfix addresses the JWT validation issue related to CVE-2024-34102, reinforcing the security of authentication processes.

Adobe Commerce 2.4.4-p10: Finalizing Security Measures

Security Bug Fixes

The Adobe Commerce 2.4.4-p10 release focuses on finalizing security measures and addressing vulnerabilities from previous 2.4.4 releases.

Key Security Fixes:

  • Prototype.js Vulnerability (CVE-2020-27511): This update patches the XSS vulnerability in Prototype.js, ensuring that Adobe Commerce deployments remain secure against this type of attack.
  • Remote Code Execution (RCE) Vulnerability (CVE-2024-39397): The RCE vulnerability in Apache web servers has been resolved in this release, providing essential protection against remote exploits.

Security Highlights in 2.4.4-p10:

  • Rate Limiting for One-Time Passwords (2FA Enhancements): Rate limiting for OTP validation has been introduced, protecting user accounts from brute-force attempts.
  • Encryption Key Rotation: The CLI command for encryption key rotation is now available, allowing administrators to maintain secure encryption practices easily.

Hotfixes Included in 2.4.4-p10:

  • Google Maps JavaScript Error: The hotfix resolves the Google Maps rendering issue, restoring full functionality within the PageBuilder editor.
  • JWT Validation Issue: A hotfix addresses the JWT validation issue related to CVE-2024-34102, ensuring secure authentication processes.

Applying Adobe Commerce Security Patches: Best Practices

To ensure a smooth and secure update process, follow these best practices when applying Adobe Commerce security patches:

  1. Backup Your System: Always create a full backup of your platform, including the database and file system, before applying any patches. This precaution ensures that you can restore your system if issues arise during the update process.
  2. Test in a Staging Environment: Apply the patches in a staging environment first to identify and resolve any potential compatibility or functionality issues before deploying them to your live site.
  3. Review the Release Notes: Thoroughly review the release notes for each patch to understand the specific changes and prepare for any potential impacts on your platform.
  4. Apply the Patch: Once testing is complete, apply the patches to your live site according to the instructions provided in the Adobe Commerce Upgrade Guide.
  5. Monitor Your Platform: After applying the patches, monitor your platform closely for any unusual behavior or performance issues. Address any issues promptly to ensure continued security and stability.

Summary: Secure Your Adobe Commerce Platform

The Adobe Commerce 2.4.7-p2, 2.4.6-p7, 2.4.5-p9, and 2.4.4-p10 security patch releases are critical updates that address significant vulnerabilities and introduce important security enhancements. By applying these patches, you can protect your platform from potential exploits, enhance the security of user accounts, and ensure that your e-commerce operations run smoothly and securely.

Regular updates are essential for maintaining the integrity and security of your Adobe Commerce platform. Stay informed about the latest security patches and follow best practices for their application to ensure your business remains protected against evolving cyber threats.
