Magento 2.0.14 and 2.1.7 Security Update

Released by Magento on May 31, 2017, Magento 2.0.14 and 2.1.7 Security Update is the latest upgrade for the Enterprise Community Platform. This upgrade has more than 15 security improvements to reduce the hazards associated with the following issues:

  • Remote Code Execution (RCE). With a severity rating of 8.8, instances of remote code execution have the capacity to cause major damage to your Magento platform. Problems identified in previous Magento versions can allow a hacker to use the video upload function located on the admin board to scan the interior network. As a result, a hacker can search for open ports and/or servers, enabling them to upload questionable and potentially malicious files. Another issue associated with RCE discovered in previous Magento versions is the ability for store admins to operate CMS functionality and to administer code from any location.
  • Cross-Site Scripting (XSS): Instances of XSS can increase the chances of an attacker inserting portions of malicious codes to target all of a Magento platform’s users. XSS carries a rating of 8.0 on the severity scale, and issues seen in previous Magento editions can result in the improper input of customer data, which can cause a lower-level admins to combat other types of system admins.
  • Cross Site Request Forgery (CSRF): With a severity rating of 6.1, instances of cross site request forgeries pose a medium risk to your Magento platform. A problem correlated with CSRF circumstances found in older Magento versions was increased vulnerability of customer APIS, which can easily allow for the infiltration of hackers.
  • Access Control: Bearing a severity rating of 6.8, instances of a breach of access control can severely disrupt the functioning of your Magento platform. A major problem related to access control noted in previous Magento versions can result in an admin user becoming disabled due to the invalidation of API tokens. This has the potential to cause consistent assaults on a system and may permit unapproved operations or communications to occur on a Magento platform. Another problem seen in older Magento versions that is associated with Access Control disables mass actions from reviewing permissions, which allows lower admins to administer unapproved and potentially dangerous actions.

Along with the security enhancements, Magento 2.0.14 and 2.1.7 Security Update includes one instrumental change as well.

  • The newest update includes the complete revision of the image-resizing alternations made in 2.1.6, which caused unprecedented issues to arise. The Magento 2.0.14 and 2.1.7 security update has reverted these alternations and will incorporate image-reconfiguration enhancements in later upgrades.

Even though there were no verified attacks correlated with the vulnerabilities associated with these fixes at this point, the presence of certain exposures not repaired in previous Magento versions can increase the likelihood of your system being jeopardized. With this in mind, Forix suggests that all Magento users install the latest patches in order to ensure the safety and security of their platforms and businesses.

Get Magento 2.0.14 and 2.1.7 Security Update Installed Today

Forix has extensive experience dealing with Magento security patches similar to Magento 2.0.14 and 2.1.7 and can assist you with your installation process.