-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2174
              APSB20-41 Security update available for Magento
                               23 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Magento
Publisher:         Adobe
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account      
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9665 CVE-2020-9664 

Original Bulletin: 
   https://helpx.adobe.com/security/products/magento/apsb20-41.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Updates Available for Magento | APSB20-41
+-------------------------+--------------------------------+------------------+
|Bulletin ID              |Date Published                  |Priority          |
+-------------------------+--------------------------------+------------------+
|APSB20-41                |June 22, 2020                   |2                 |
+-------------------------+--------------------------------+------------------+

Summary

Magento has released updates for Magento Commerce 1 and Magento Open Source 1.
These updates resolve vulnerabilities rated Important and Critical. Successful
exploitation could lead to arbitrary code execution.

Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June
2020. These will be the final security patches available for these editions.

Note:

Magento Commerce 1 is formerly known as Magento Enterprise Edition, and Magento
Open Source 1 is formerly known as Magento Community Edition.

Affected Versions

+-------------------------+-----------------------------+--------+
|         Product         |           Version           |Platform|
+-------------------------+-----------------------------+--------+
|Magento Commerce 1       |1.14.4.5 and earlier versions|All     |
+-------------------------+-----------------------------+--------+
|Magento Open Source 1    |1.9.4.5 and earlier versions |All     |
+-------------------------+-----------------------------+--------+

Note:

These vulnerabilities do not impact Magento Commerce or Magento Open Source.

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.

+--------+-----------+--------+--------+--------------------------------------+
|Product |Version    |Platform|Priority|Availability                          |
|        |           |        |Rating  |                                      |
+--------+-----------+--------+--------+--------------------------------------+
|Magento |           |        |        |My Account > Downloads Tab > Magento  |
|Commerce|SUPEE-11346|All     |2       |Commerce 1.X > Magento Commerce 1.x > |
|1       |           |        |        |Support and Security Patches >        |
|        |           |        |        |Security Patches > Security           |
+--------+-----------+--------+--------+--------------------------------------+
|Magento |           |        |        |Magento Open Source Download Page >   |
|Open    |SUPEE-11346|All     |2       |Release Archive Tab > Magento Open    |
|Source 1|           |        |        |Source Patches - 1.x Section          |
+--------+-----------+--------+--------+--------------------------------------+

Vulnerability details

+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+
|                 |                   |         |                   |Admin     |               |                 |
|Vulnerability    |Vulnerability      |Severity |Pre-authentication |privileges|Magento Bug ID |CVE numbers      |
|Category         |Impact             |         |                   |required  |               |                 |
+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+
|PHP Object       |Arbitrary code     |Critical |No                 |Yes       |PRODSECBUG-2758|CVE-2020-9664    |
|Injection        |execution          |         |                   |          |               |                 |
+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+
|Stored cross-site|Sensitive          |         |                   |          |               |                 |
|scripting        |information        |Important|No                 |Yes       |PRODSECBUG-2759|CVE-2020-9665    |
|                 |disclosure         |         |                   |          |               |                 |
+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker
with administrative privileges.

Acknowledgments

Adobe would like to thank Luke Rodgers for reporting these issues and for
working with Adobe to help protect our customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----