Magento Security Patches 2024 — Release Highlights & Key Fixes

Hello. Here’s some news! 📢

“On August 13, Magento released security patches for all of the latest versions of Magento Open Source and Adobe Commerce.”

These security patches have brought greater upgrades that safeguard your store against cyber attacks.

And of course, you need all the necessary information about these patches. Right?

Well, this article is just for that. In this article, we’ll understand key highlights and key fixes introduced with these security patches, and why you must upgrade for it.

Moreover, we’ll also shed some light on how you install these patches in your Magento website & some pre-installation steps that help avoid any negative consequences during/after installation.

Let’s start with the basics.

What is a Magento Security Patch?

A Magento patch version is a software update that addresses issues or vulnerabilities that may arise after a specific Magento version release. When a new version of Magento is launched, it’s developed based on the best methodologies and testing at that time.

However, over time, as more developers use the new version, they might discover unexpected problems or security weaknesses that weren’t apparent during the initial testing. To address these issues, Magento releases security patches. These patches are smaller updates that fix the identified problems without requiring a complete reinstall of the Magento version.

Why Security Patches Are Necessary For Magento Websites?

Earlier, we saw that security patches address known vulnerabilities that can be subject to malicious attacks. These vulnerabilities could lead to data breaches, unauthorized access, and other serious consequences. Regular security patch installation ensures the magento store runs on the latest version, including performance improvements and feature enhancements.

In short, security patches help maintain the security, integrity, and compliance of Magento store while protecting the business, its customers, and its reputation.

;

That was a basic understanding of what security patches are in Magento and why they are necessary. Now, let’s move further into understanding the recent patch releases.

Magento Patch Releases for 2024 — Understanding Highlights & Fixes

First of all, here’s a list of security patches that Magento launched on 13th August, 2024 with link to its release notes.

• Magento 2.4.7-p2
• Magento 2.4.6-p7
• Magento 2.4.5-p9
• Magento 2.4.4-p10

All of these latest security patches address critical vulnerabilities and ensure the ongoing security of your online store. This patch is essential for protecting your business from potential attacks and safeguarding your store data.

Let’s move forward and understand issues with previous Magento versions.

Understanding the Problem with Previous Magento Versions

Older versions of Magento had security vulnerabilities that could be exploited by hackers. These vulnerabilities could allow hackers to gain unauthorized access to your store, steal customer data, or even take control of your entire system.

These vulnerabilities included:

• Encryption weaknesses — Older encryption methods may have been less secure than modern standards.
• Input validation issues — Improper validation of user input could have allowed malicious code to be injected into the system.
• Session management vulnerabilities — Vulnerabilities in session management could have enabled attackers to hijack user sessions and gain unauthorized access to their accounts.
• Cross-site scripting (XSS) — XSS attacks could have allowed attackers to inject malicious code into your website, potentially stealing customer data or compromising their devices.

The latest security patches (2.4.7-p2, 2.4.6-p7, 2.4.5-p9, 2.4.4-p10) address these issues and many other vulnerabilities, providing a more secure environment for your Magento store.

Let’s explore the solution provided by these security patches.

Highlights & Key Fixes Offered In Magento Security Patches

Below I’ve listed key highlights and fixed them with a detailed description that helps you understand what’s improved with these security patches.

#1 — 2FA With OTP Rate Limiting

One of the key highlights of these security patches is the introduction of rate limiting for two-factor authentication (2FA) with one-time password (OTP) validation.

This feature helps prevent repeated attempts to enter different OTP codes and crash into your website.

Here’s how it works:

1. Retry attempt limit — This setting allows store owners to specify the maximum number of times a user can enter an incorrect OTP code before their account is locked out.
2. Lockout time — If a user exceeds the retry attempt limit, their account will be locked out for a specified period of time. This prevents attackers from continuously attempting to guess the correct OTP code.

These options can be found in the Security > 2FA section of your Magento admin panel after you install the latest security patches for your specific Magento versions.

When you enable rate-limiting for OTP, you can significantly reduce the risk of unauthorized access to your Magento store.

#2 — Encryption Key Rotation

Encryption key rotation is a security practice that involves regularly changing the security passwords and codes to protect sensitive store data, such as customer information and financial data.

Regularly rotating encryption key helps reduce the risk of unauthorized access to your data.

Here’s how it works:

The latest Magento security patches have introduced a new CLI command that makes it easier to rotate your encryption keys. This is a significant improvement over previous versions of Magento, which required manual steps and potential risks associated with manual key management.

#3 — Fixing the CVE-2020-27511 Vulnerability

CVE-2020-27511 was a security vulnerability that affected older versions of Prototype.js, a popular JS library used in multiple web applications. This vulnerability had higher chances of causing a ReDOS attack, a type of denial-of-service (DoS) attack that tricks a website into using too much computing power to process a specially crafted input, making it unresponsive.

“Recently, there was an issue discovered in the stripTags and unescapeHTML components in Prototype 1.7.3 where an attacker can cause a Regular Expression Denial of Service (ReDOS) through stripping HTML tags.”

If a Magento store is using an outdated or vulnerable version of Prototype.js, it may have been susceptible to a ReDoS attack. An attacker could exploit this vulnerability to potentially cause the website to become unavailable or disrupt its normal operations.

The latest Magento security patches include a fix for this vulnerability. So, when you install the latest security patch, you can ensure that your Magento store is no longer vulnerable to the CVE-2020-27511 exploit.

#4 — Fixing CVE-2024-39397: A Remote Code Execution Vulnerability

CVE-2024-39397 is a critical security vulnerability that could have allowed attackers to execute malicious code on your Magento store. Normally, this vulnerability is a problem for merchants that use Apache web servers for on-premises or self-hosted deployments.

Adobe Commerce versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, 2.4.4-p9, and earlier are affected by an Unrestricted Upload of File with Dangerous Type vulnerability that could result in arbitrary code execution by an attacker. An attacker could exploit this vulnerability by uploading a malicious file which can then be executed on the server. The exploitation of this issue does not require user interaction, but attack complexity is high and the scope is changed.

The latest Magento security patches address this vulnerability by implementing a fix that prevents attackers from exploiting this weakness. Also, if you’re a merchant using Apache web servers, these security patches are highly necessary to secure your online store.

Moreover, Magento has also released this patch as an isolated patch. This means you can apply this patch to any Magento version you’re currently using, without the need to upgrade to the latest version.

#5 — Additional Fixes

Beyond addressing core security issues, the latest Magento security patches also include several hotfixes for two specific concerns. Let’s discuss them.

1. Google Maps Rendering Issue — This hotfix resolves a JS error that is used to prevent Google Maps from rendering within the PageBuilder editor.
2. JSON Web Token (JWT) Validation — This hotfix addresses JWT validation issues related to CVE-2024-34102. This weakness could’ve potentially compromised the security of the store’s API access.

That’s all about the security patches introduced by Magento in August 2024.

When you choose to work along with these security patches, you can ensure that your Magento store is running smoothly and is protected from these specific issues. Also, these fixes show Magento’s dedication and commitment to providing ongoing support and improving as a platform.

Now, you might be questioning how to install these. So, let’s learn the process of installation.

How Do I Install Magento Security Patch On My Website?

There is no universal method that you can use to install these security patches.

However, there are 3 ways you can install it. And we are discussing them right below; choose the one that you find convenient. Let’s start.

Method #1 — Installing Magento Security Patches Via Composer

• Step 1: Open your command line application and navigate to access your Project Directory.
• Step 2: Install the cweagans/composer-patches plugin into composer.json file.
• Step 3: It’s time you add patch details. So next, you need to modify the composer.json file with your specific patch information. For example:

 "extra": {
      "composer-exit-on-patch-failure": true,
      "patches": {
          "magento/module-payment": {
              "MAGETWO-56934: Checkout page freezes when ordering with Authorize.net with invalid credit card": "patches/composer/github-issue-6474.diff"
          }
      }
  }

• Step 4: If the patch affects multiple modules, you may need to create individual patch files for each module.
• Step 5: Once you do that, it’s time to apply the patch. So, run this command in your terminal: composer install
• Step 6: Finally, you can update the composer.lock file. The lock file will make sure that patches have been applied to each composer package. Here’s the command: composer update — lock

Method #2 — Installing Magento Security Patches Using The Command Line

• Step 1: Start with installing security patch files to your Magento server using SSH, SFTP, or FTP. This is usually uploaded to Magento’s root directory.
• Step 2: Next, login into your server as a Magento admin user and confirm if the patch file is uploaded to the right directory.
• Step 3: In the command-line interface, run this command: patch < patch_file_name.patch
  This command assumes that the patched file is located within the patch file. If you see the message “File to patch”, it means the command isn’t located in the intended directory. So, this is where you provide a path to it by copying and pasting the full path to the patch file. Once you’ve provided the correct path, the patch command will proceed to apply the changes.
• Step 4: After applying the patch, navigate to System > Tools > Cache Management in your Magento admin panel and flush the cache. This ensures that the changes are made.

Method #3 — Installing Magento Security Patches Using Github

• Step 1: In your Magento project directory, create a new folder named “patches”.
• Step 2: Next, you can download the patch file and place it in the “patches” directory. You can use SSH, FTP-client, and other tools that you find suitable for this step.
• Step 3: Finally, you can create a patch file by running the following command: git diff > ./patches/patchForModule.patch

This will create a patch file in the “patches” directory. Later, you can use Composer or other methods to install a patch in your Magento system. 

And that was it about installation methods.

Now, let me tell you that installation isn’t as easy as it seems. The process may involve risks, so in the next section, we’ll be discussing potential steps you can take before you start with installation.

Pre-Installation Steps for Magento 2 Security Patches

Below, I’ve listed some precautionary steps you can take to ensure a smooth and successful installation of Magento security patches. Let’s get into it.

1. Back up Your Magento Store

Create a complete backup of your Magento store, including database, files, and configuration.

This is suggested as it works as a safety net in case you face any issue during the patch installation process or if the patch installation causes your store to malfunction.

2. Check Version Compatibility

Carefully read the release notes and figure out if the security patches are available for your current Magento version. Also, pay attention to any compatibility requirements mentioned in release notes that might affect during or after patch installation.

3. Enable Maintenance Mode

It is suggested to enable maintenance mode as it creates a controlled environment where you can test and troubleshoot the patch without affecting your live store. Also, it helps make your store temporarily inaccessible to your customers, so, they won’t face any potential errors when you install patches into the system.

4. Test the Patches on Staging

If possible, test the patch in a staging or development mode before you make it live to users. This helps identify and address potential problems.

5. Disable Caching For a While

It is suggested to disable caching when you’re installing the patches to your Magento store as it ensures that the patch is applied correctly and will changes are reflected immediately.

6. Update Dependencies

Another thing, make sure that all the Magento extensions, or themes, and other dependencies are updated well to meet the standards followed by the security patch. If there are any outdated components left, there are chances for conflicts and vulnerabilities to arise.

And that’s all you need to do for safe installation.

Moreover, you can always count on our experienced Magento developers who can help you install security patches perfectly and effortlessly while avoiding all the potential pitfalls.

FAQs – Magento Security Patches Release

Here I’ve cleared some additional doubts you may have about Magento security patches.

1. What is the purpose of a security patch?

The purpose of Magento security patches is to address vulnerabilities or security loopholes that may have existed in previous versions of the software.

2. How do you enable/disable maintenance mode in Magento?

Here, I’ve outlined steps you can follow to Enable and Disable the maintenance mode after installing the patch from the admin panel.

Enable Maintenance Mode:

• Step 1: Open Command Line.
• Step 2: Add Command bin/magento maintenance:enable

Disable Maintenance Mode:

• Step 1: Open Command Line.
• Step 2: Add Command bin/magento maintenance:disable

3. Is Adobe Commerce the only platform that requires security patches?

No, Adobe Commerce (or Magento) is not the only platform that requires security patches. All eCommerce platforms or software applications (including popular platforms like WordPress, Drupal, Joomla, and Shopify) require regular security updates to address vulnerabilities and protect against threats.

Conclusion

In the end, I’d recommend being consistent with security patch installation and overall maintenance of your website to safeguard it against emerging threats.

Moreover, you may tackle some issues with installation or after installation (such as extension or theme incompatibility). If you’re concerned about these, you can opt for our comprehensive maintenance package or hire a Magento expert from our team. 

Working without Magento experts will ensure a secure application of these patches without disrupting your website operations.

And that’s all folks. Thank you.