
Security update available for Adobe Commerce - APSB24-40

NOTE
This is an urgent update related to CVE-2024-34102. Adobe is aware that CVE-2024-34102 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.

On July 17, 2024, we released a hotfix that must be applied in addition to the security update released on June 11, 2024, and/or the isolated patch released on June 28, 2024.

Please check all production and non-production environments to help ensure your store is completely patched on all instances. Please take immediate action to resolve the vulnerability.

NOTE
For Adobe Commerce on Cloud merchants only:

1. Make sure that you are on the latest version of ECE Tools. If you are not, upgrade (or skip to item 2). To check your existing version, run this command: composer show magento/ece-tools
2. If you are already on the latest version of ECE Tools, check for the presence of the op-exclude.txt file. To do so, run this command: ls op-exclude.txt. If this file is not present, add https://github.com/magento/magento-cloud/blob/master/op-exclude.txt to your repo, then commit the change and redeploy.
3. Without having to upgrade ECE Tools, you can also just add or modify https://github.com/magento/magento-cloud/blob/master/op-exclude.txt in your repo, then commit the change and redeploy.

Option 1 - For merchants who have not applied the security update from June 11, 2024, nor the isolated patch released on June 28, 2024

  1. Apply hotfix released on July 17, 2024.
  2. Apply the security patch.
  3. Enable maintenance mode.
  4. Disable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:disable).
  5. Rotate your encryption keys.
  6. Flush the cache.
  7. Enable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:enable).
  8. Disable maintenance mode.

OR

  1. Apply the isolated patch. NOTE: This version of the isolated patch contains the July 17, 2024, hotfix within it.
  2. Enable maintenance mode.
  3. Disable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:disable).
  4. Rotate your encryption keys.
  5. Flush the cache.
  6. Enable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:enable).
  7. Disable maintenance mode.

Option 2 - For merchants who have already applied the security update from June 11, 2024, and/or the isolated patch released on June 28, 2024

  1. Apply hotfix released on July 17, 2024.
  2. Enable maintenance mode.
  3. Disable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:disable).
  4. Rotate your encryption keys.
  5. Flush the cache.
  6. Enable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:enable).
  7. Disable maintenance mode.

Option 3 - For merchants who have already (1) applied the security update from June 11, 2024, and/or (2) applied the isolated patch released on June 28, 2024, and (3) rotated their encryption keys

  • Apply the hotfix released on July 17, 2024.

NOTE
To ensure you are still safe after upgrading, you must also rotate your encryption keys:

1. Enable maintenance mode.
2. Disable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:disable).
3. Rotate your encryption keys.
4. Enable cron execution (Commerce on Cloud command: vendor/bin/ece-tools cron:enable).
5. Disable maintenance mode.

In this article you will find how to implement the isolated patch for this issue for the current and earlier versions of Adobe Commerce and Magento Open Source.
NOTE: This version of the isolated patch contains the July 17, 2024, hotfix within it.

Affected products and versions

Adobe Commerce on Cloud, Adobe Commerce on-premise, and Magento Open Source:

  • 2.4.7-p1 and earlier
  • 2.4.6-p6 and earlier
  • 2.4.5-p8 and earlier
  • 2.4.4-p9 and earlier

Solution for Adobe Commerce on Cloud, Adobe Commerce on-premise Software, and Magento Open Source

To help resolve the vulnerability for the affected products and versions, you must apply the VULN-27015 patch (dependent on your version) and rotate your encryption keys.

Hotfix Details

Isolated Patch Details

NOTE: This version of the isolated patch contains the July 17, 2024, hotfix within it.

Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:

For version 2.4.7:

For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5:

For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7:

For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8:

How to apply the isolated patch and the hotfix

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether the isolated patches have been applied

Because there is no simple way to check whether the underlying issue has been fixed, check instead whether the VULN-27015 isolated patch has been applied successfully.

You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:

  1. Install the Quality Patches Tool.

  2. Run the Quality Patches Tool status command.

  3. You should see output similar to this, where VULN-27015 returns the Applied status:

    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
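The check in the steps above can be scripted as a deploy gate. The script below is an added example, not Adobe's or the Quality Patches Tool's own code: it reads a status table in the layout shown above from stdin, reports the Status column for the row whose Title contains the patch id, and succeeds only when that status is Applied. The table rows it embeds are constructed samples, and the `./vendor/bin/magento-patches status` invocation in the comment is assumed to be the tool's status subcommand.

```shell
#!/bin/sh
# Added example (not Adobe's or the Quality Patches Tool's code).
# Print the Status column of the QPT status table row (read on stdin)
# whose Title column contains the given patch id, e.g. VULN-27015.
qpt_status() {
    awk -F'│' -v id="$1" '
        index($2, id) {                      # $2 is the Title column
            s = $5                           # $5 is the Status column
            gsub(/^[ \t]+|[ \t]+$/, "", s)   # trim the cell padding
            print s
            found = 1
            exit
        }
        END { if (!found) print "NOT FOUND" }'
}

# Exit 0 only when the row exists and its status is exactly "Applied".
# A missing row, "Not applied" or anything else should stop a deploy.
patch_applied() {
    [ "$(qpt_status "$1")" = "Applied" ]
}

# Constructed sample tables, copying the row shape shown above.
SAMPLE_APPLIED='║ Id  │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom'
SAMPLE_NOT_APPLIED='║ Id  │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Not applied │ Patch type: Custom'
SAMPLE_MISSING='║ Id  │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/SOME-OTHER.patch │ Other │ Local │ Applied │ Patch type: Custom'

# Against a real store, pipe the tool's output in instead of the sample
# (assumed command: ./vendor/bin/magento-patches status | patch_applied VULN-27015).
main() {
    for t in "$SAMPLE_APPLIED" "$SAMPLE_NOT_APPLIED" "$SAMPLE_MISSING"; do
        if printf '%s\n' "$t" | patch_applied VULN-27015; then
            echo "VULN-27015: Applied, safe to continue"
        else
            echo "VULN-27015: $(printf '%s\n' "$t" | qpt_status VULN-27015), do not deploy"
        fi
    done
}
main
```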

Rotate/change the encryption key after applying the patch

For guidance on how to rotate/change the encryption key after applying the patch, please refer to Admin systems guide: Encryption key in the Commerce Admin Systems Guide documentation.

Additional guidance on securing your store and rotating encryption keys

For additional guidance on securing your store and rotating encryption keys regarding CVE-2024-34102, see Guidance on securing your store and rotating encryption keys: CVE-2024-34102, also in the Adobe Commerce Knowledge Base.

Security updates

Security updates available for Adobe Commerce:

Enable or disable maintenance mode in the Adobe Commerce Installation Guide
