-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2020.2174
              APSB20-41 Security update available for Magento
                                23 June 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Magento
Publisher:         Adobe
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-9665 CVE-2020-9664

Original Bulletin:
   https://helpx.adobe.com/security/products/magento/apsb20-41.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Updates Available for Magento | APSB20-41

+-------------------------+--------------------------------+------------------+
|Bulletin ID              |Date Published                  |Priority          |
+-------------------------+--------------------------------+------------------+
|APSB20-41                |June 22, 2020                   |2                 |
+-------------------------+--------------------------------+------------------+

Summary

Magento has released updates for Magento Commerce 1 and Magento Open Source 1.
These updates resolve vulnerabilities rated Important and Critical. Successful
exploitation could lead to arbitrary code execution.

Support for Magento Commerce 1.14 and Magento Open Source 1 is ending in June
2020. These will be the final security patches available for these editions.

Note: Magento Commerce 1 was formerly known as Magento Enterprise Edition, and
Magento Open Source 1 was formerly known as Magento Community Edition.

Affected Versions

+-------------------------+-----------------------------+--------+
| Product                 | Version                     |Platform|
+-------------------------+-----------------------------+--------+
|Magento Commerce 1       |1.14.4.5 and earlier versions|All     |
+-------------------------+-----------------------------+--------+
|Magento Open Source 1    |1.9.4.5 and earlier versions |All     |
+-------------------------+-----------------------------+--------+

Note: These vulnerabilities do not impact Magento Commerce or Magento Open
Source.

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.

+--------+-----------+--------+--------+--------------------------------------+
|Product |Version    |Platform|Priority|Availability                          |
|        |           |        |Rating  |                                      |
+--------+-----------+--------+--------+--------------------------------------+
|Magento |           |        |        |My Account > Downloads Tab > Magento  |
|Commerce|SUPEE-11346|All     |2       |Commerce 1.X > Magento Commerce 1.x > |
|1       |           |        |        |Support and Security Patches >        |
|        |           |        |        |Security Patches > Security           |
+--------+-----------+--------+--------+--------------------------------------+
|Magento |           |        |        |Magento Open Source Download Page >   |
|Open    |SUPEE-11346|All     |2       |Release Archive Tab > Magento Open    |
|Source 1|           |        |        |Source Patches - 1.x Section          |
+--------+-----------+--------+--------+--------------------------------------+

Vulnerability details

+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+
|Vulnerability    |Vulnerability      |Severity |Pre-authentication |Admin     |Magento Bug ID |CVE numbers      |
|Category         |Impact             |         |                   |privileges|               |                 |
|                 |                   |         |                   |required  |               |                 |
+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+
|PHP Object       |Arbitrary code     |Critical |No                 |Yes       |PRODSECBUG-2758|CVE-2020-9664    |
|Injection        |execution          |         |                   |          |               |                 |
+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+
|Stored cross-site|Sensitive          |Important|No                 |Yes       |PRODSECBUG-2759|CVE-2020-9665    |
|scripting        |information        |         |                   |          |               |                 |
|                 |disclosure         |         |                   |          |               |                 |
+-----------------+-------------------+---------+-------------------+----------+---------------+-----------------+

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker
with administrative privileges.

Acknowledgments

Adobe would like to thank Luke Rodgers for reporting these issues and for
working with Adobe to help protect our customers.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBXvFcwuNLKJtyKPYoAQg4Dw//ftaNUuabawelqpHJvk9PX4oQN5raBbm9
f2wHnjJbR9m2lmJlQhuF+rKdJiAS6vdAhAhdoAU/ejEGZzCpbDwskw4E61kOMQ9/
LgWQan4Tfiyn6Sl21uNAJuY/6TdXYlMZ2Ko1IeZ3gfU9GqZOtUrd8paV+WOm9ATt
MZggbP1v0mKOhovFyvKH8AcyRUVNlpt/+V0o7gop8iGDZVjnlrLw9qOyudLSbtbl
8GZA/ojPOgFFrbGNZ92tAu+JKFNFD2RpHmykInhbeAJ4MHkfvafuvrwGNRf9BoI/
mvmtLpPt38FkBfVAKgIv64iMg4wkX0eUi49TlIJbeBSG2BSCMhFzyDyAnfuLV7og
L2nj+LSACXPapMgaJBarnSwuQRAD35CTZ67IqrbixJE8jEJ+J0XTfbXc41F1g+Ku
z0ps9zWaKlOi7FKwuS0O9d77yTWjLeX/x8OcDlHxITjZoU4EwPm/iafqV2//CBo+
wvXecBa9wkbyoYCx39iW51leZ3bj1czPQCu+jJuFyvHwhEL14aZu+SQDePbT8aMq
G5qk1bCCE55YeNC8E5jpNGVlg/7oaKc0xcp9KV3A5aZChsd4IiN90GI5N2iEEAk0
7Ma6iWZJS8aWnkX0LGfzfl9P3nDUAQGanrcnYzvCK0Tv8M2yrDA5V7Q44Xrv1A+/
UpbIhLpOLEQ=
=HH74
-----END PGP SIGNATURE-----
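Added example, not part of the AusCERT or Adobe bulletin: a short Python check that turns the "Affected Versions" and "Solution" tables above into a patch-status verdict for a Magento 1 installation, so an operator can tell at a glance whether SUPEE-11346 still needs to be applied. It assumes (not stated in the bulletin) that Magento 1 records applied patches in app/etc/applied.patches.list with the patch name as the second pipe-separated field; the sample listing contents and the SUPEE-PLACEHOLDER patch name are constructed for this example.

```python
"""Affected-range and patch-status check for APSB20-41 (SUPEE-11346).

Added example, not code from the bulletin. Assumed (not from the bulletin):
Magento 1 writes one pipe-separated line per applied patch to
app/etc/applied.patches.list, with the patch name in the second field.
"""
from __future__ import annotations

# Last affected release per product, taken from the bulletin's
# "Affected Versions" table ("... and earlier versions").
LAST_AFFECTED = {
    "Magento Commerce 1": (1, 14, 4, 5),
    "Magento Open Source 1": (1, 9, 4, 5),
}
PATCH_NAME = "SUPEE-11346"  # patch named in the bulletin's Solution table


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '1.9.4.5' into (1, 9, 4, 5); shorter strings are zero-padded to
    four components so that '1.9.4' compares as 1.9.4.0."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a numeric version: {text!r}")
    nums = [int(p) for p in parts]
    nums += [0] * max(0, 4 - len(nums))
    return tuple(nums)


def in_affected_range(product: str, version: str) -> bool:
    """True when `version` is at or below the last affected release for
    `product`. A 2.x version compares above both thresholds, matching the
    bulletin's note that the 2.x editions are not impacted."""
    return parse_version(version) <= LAST_AFFECTED[product]


def applied_patches(listing: str) -> set[str]:
    """Collect patch names from applied.patches.list contents.

    Assumed format (hypothetical): fields separated by '|', patch name in
    the second field. Blank lines are skipped.
    """
    names: set[str] = set()
    for line in listing.splitlines():
        fields = [f.strip() for f in line.split("|")]
        if len(fields) >= 2 and fields[1]:
            names.add(fields[1])
    return names


def assess(product: str, version: str, patch_listing: str) -> str:
    """Return 'not-affected', 'patched' or 'patch-missing' for one install."""
    if not in_affected_range(product, version):
        return "not-affected"
    if PATCH_NAME in applied_patches(patch_listing):
        return "patched"
    return "patch-missing"


# Constructed sample listings (format assumed as described above).
# SUPEE-PLACEHOLDER stands in for any earlier patch; it is not a real name.
SAMPLE_PATCHED = (
    "2020-03-10 09:12:44 UTC | SUPEE-PLACEHOLDER | CE_1.9.4.4 | v1 | example\n"
    "2020-06-23 14:01:02 UTC | SUPEE-11346 | CE_1.9.4.5 | v1 | example\n"
)
SAMPLE_UNPATCHED = (
    "2020-03-10 09:12:44 UTC | SUPEE-PLACEHOLDER | CE_1.9.4.4 | v1 | example\n"
)


if __name__ == "__main__":
    for product, version, listing in [
        ("Magento Open Source 1", "1.9.4.5", SAMPLE_PATCHED),
        ("Magento Open Source 1", "1.9.4.5", SAMPLE_UNPATCHED),
        ("Magento Commerce 1", "1.14.4.5", SAMPLE_UNPATCHED),
    ]:
        print(f"{product} {version}: {assess(product, version, listing)}")
```

On a real host, feed `assess` the version the installation reports and the contents of its applied patches list; a 'patch-missing' verdict on a 1.x release is the case the bulletin's Solution table addresses, and since these are the final patches for the 1.x editions, a 'not-affected' verdict can only come from a 2.x install.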