ÃÛ¶¹ÊÓƵ

Release notes for ÃÛ¶¹ÊÓƵ Commerce 2.4.4 security patches

These security patch release notes capture updates to enhance the security of your ÃÛ¶¹ÊÓƵ Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

2.4.4-p11

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p11 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.4.

For the latest information about the security bug fixes, see .

NOTE
After installing this security patch, ÃÛ¶¹ÊÓƵ Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

Highlights

This release includes the following highlights:

  • TinyMCE upgrade—T³ó±ð WYSIWYG editor in the Admin now uses the latest version of the TinyMCE dependency (7.3​).

    • TinyMCE 7.3 offers an enhanced user experience, better collaboration, and increased efficiency. TinyMCE 5 has been removed in the 2.4.8 release line.​

    • Since there was a security vulnerability () reported in TinyMCE 5.10, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:

      • 2.4.7-p3
      • 2.4.6-p8
      • 2.4.5-p10
      • 2.4.4-p11
  • Require.js upgrade—ÃÛ¶¹ÊÓƵ Commerce now uses the latest version of Require.js (2.3.7).

    • Since there was a security vulnerability () reported in Require.js 2.3.6, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:

      • 2.4.7-p3
      • 2.4.6-p8
      • 2.4.5-p10
      • 2.4.4-p11
NOTE
These updates are backward compatible and should not impact customizations and extensions.​

2.4.4-p10

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p10 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.4.

For the latest information about the security bug fixes, see .

Highlights

This release includes the following highlights:

  • Rate limiting for one-time passwords—T³ó±ð following new system configuration options are now available to enable rate limiting on two-factor authentication (2FA) one-time password (OTP) validation:

    • Retry attempt limit for Two-Factor Authentication
    • Two-Factor Authentication lockout time (seconds)

    ÃÛ¶¹ÊÓƵ advises setting a threshold for 2FA OTP validation to limit the number of retry attempts to mitigate brute-force attacks. See Security > 2FA in the Configuration Reference Guide for more information.

  • Encryption key rotation—A new CLI command is now available for changing your encryption key. See the Troubleshooting Encryption Key Rotation: CVE-2024-34102 Knowledge Base article for details.

  • Fix for —Resolves a Prototype.js security vulnerability.

  • Fix for —Resolves a remote code execution security vulnerability. This vulnerability affects merchants using the Apache web server for on-premises or self-hosted deployments. This fix is also available as an isolated patch. See the Security update available for ÃÛ¶¹ÊÓƵ Commerce - APSB24-61 Knowledge Base article for details.

Hotfixes included in this release

This release includes the following hotfixes:

2.4.4-p9

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p9 security release provides security bug fixes for vulnerabilities that have been identified in previous releases of 2.4.4.

For the latest information about the security bug fixes, see .

Apply hotfix for CVE-2024-34102

IMPORTANT
This is an urgent update to our last communication regarding . ÃÛ¶¹ÊÓƵ is aware that CVE-2024-34102 has been exploited in the wild in very limited attacks targeting ÃÛ¶¹ÊÓƵ Commerce merchants. Take immediate action to resolve the vulnerability, if you have not done so.

For customers who have not applied security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:

Option 1:

  1. Apply one of the security patches released on June 11, 2024:

  2. Apply the hotfix released on July 17, 2024.

  3. Rotate encryption keys.

Option 2:

  1. Apply the isolated patch.

  2. Rotate encryption keys.

For customers who have already applied a security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:

  1. Apply the hotfix released on July 17, 2024.

  2. Rotate encryption keys.

For customers who have already 1) applied a security patch released on June 11, 2024 or, 2) the isolated patch released on June 28, 2024, and 3) rotated their encryption keys:

  1. Apply the hotfix released on July 17, 2024.

Platform upgrades

  • MariaDB 10.5 support. This patch release introduces compatibility with MariaDB version 10.5. ÃÛ¶¹ÊÓƵ Commerce is still compatible with MariaDB version 10.4, but ÃÛ¶¹ÊÓƵ recommends using ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p9 and all upcoming 2.4.4 security-only patch releases only with MariaDB version 10.5 because MariaDB 10.4 maintenance ends on June 18, 2024.

Highlights

  • Added Subresource Integrity (SRI) support to comply with PCI 4.0 requirements for verification of script integrity on payment pages. Subresource Integrity (SRI) support provides integrity hashes for all JavaScript assets residing in the local filesystem. The default SRI feature is implemented only on the payment pages for the Admin and storefront areas. However, merchants can extend the default configuration to other pages. See in the Commerce PHP Developer Guide.

  • Changes to Content Security Policy (CSP)—Configuration updates and enhancements to ÃÛ¶¹ÊÓƵ Commerce Content Security Policies (CSPs) to comply with PCI 4.0 requirements. For details, see in the Commerce PHP Developer Guide.

    • The default CSP configuration for payment pages for Commerce Admin and storefront areas is now restrict mode. For all other pages, the default configuration is report-only mode. In releases prior to 2.4.7, CSP was configured in report-only mode for all pages.

    • Added a nonce provider to allow execution of inline scripts in a CSP. The nonce provider facilitates the generation of unique nonce strings for each request. The strings are then attached to the CSP header.

    • Added options to configure custom URIs to report CSP violations for the Create Order page in the Admin and the Checkout page in the storefront. You can add the configuration from the Admin or by adding the URI to the config.xml file.

      note note
      NOTE
      Updating the CSP configuration to restrict mode might block existing inline scripts on payment pages in the Admin and storefront, which causes the following browser error when a page loads: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src. Fix these errors by updating the whitelist configuration to allow required scripts. See in the Commerce PHP Developer Guide.

2.4.4-p8

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p8 security release provides security bug fixes for your ÃÛ¶¹ÊÓƵ Commerce 2.4.4 deployment. These updates fix vulnerabilities that have been identified in previous releases.

For the latest information about the security bug fixes, see .

2.4.4-p7

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p7 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see .

Highlights

This release introduces two significant security enhancements:

  • Changes to the behavior of non-generated cache keys:

    • Non-generated cache keys for blocks now include prefixes that differ from prefixes for keys that are generated automatically. (Non-generated cache keys are keys that are set through template directive syntax or the setCacheKey or setData methods.)
    • Non-generated cache keys for blocks now must contain only letters, digits, hyphens (-), and underscore characters (_).
  • Limitations on the number of auto-generated coupon codes. Commerce now limits the number of coupon codes that are automatically generated. The default maximum is 250,000. Merchants can use the new Code Quantity Limit configuration option (Stores > Settings:Configuration > Customers > Promotions) to control this new limit.

2.4.4-p6

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p6 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see .

This release also includes security enhancements that improve compliance with the latest security best practices.

Highlights

This release introduces a new full page cache configuration setting that helps to mitigate the risks associated with the {BASE-URL}/page_cache/block/esi HTTP endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles Param configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings: Configuration > System > Full Page Cache > Handles Param).

Known issues

Issue: ÃÛ¶¹ÊÓƵ Commerce displays a wrong checksum error during download by Composer from repo.magento.com, and package download is interrupted. This issue can occur during download of release packages that were made available during prerelease and is caused by a repackaging of the magento/module-page-cache package.

Workaround: Merchants who see this error during download can take these steps:

  1. Delete the /vendor directory inside the project, if one exists.
  2. Run the bin/magento composer update magento/module-page-cache command. This command updates only the page cache package.

If the checksum problem persists, remove the composer.lock file before re-running the bin/magento composer update command to update every package.

2.4.4-p5

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p5 security release provides security bug fixes for vulnerabilities that have been identified in previous releases.

For the latest information about the security bug fixes, see .

Apply hotfix for CVE-2022-31160

jQuery-UI library version 1.13.1 has a known security vulnerability (CVE-2022-31160) that affects multiple versions of ÃÛ¶¹ÊÓƵ Commerce and Magento Open Source. This library is a dependency of ÃÛ¶¹ÊÓƵ Commerce and Magento Open Source 2.4.4, 2.4.5, and 2.4.6. Merchants running affected deployments should apply the patch specified in the jQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases Knowledge Base article.

2.4.4-p4

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p4 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements and platform upgrades to improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see .

Apply hotfix for CVE-2022-31160

jQuery-UI library version 1.13.1 has a known security vulnerability (CVE-2022-31160) that affects multiple versions of ÃÛ¶¹ÊÓƵ Commerce and Magento Open Source. This library is a dependency of ÃÛ¶¹ÊÓƵ Commerce and Magento Open Source 2.4.4, 2.4.5, and 2.4.6. Merchants running affected deployments should apply the patch specified in the jQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases Knowledge Base article.

Highlights

The default behavior of the GraphQL query and () REST endpoint has changed. By default, the API now always returns true. Merchants can enable the original behavior, which is to return true if the email does not exist in the database and false if it exists.

Platform upgrades

Platform upgrades for this release improve compliance with the latest security best practices.

  • Varnish cache 7.3 support. This release is compatible with the latest version of Varnish Cache 7.3. Compatibility remains with the 6.0.x and 7u.2.x versions, but ÃÛ¶¹ÊÓƵ recommends using ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p4 only with Varnish Cache version 7.3 or version 6.0 LTS.

  • RabbitMQ 3.11 support. This release is compatible with the latest version of RabbitMQ 3.11. Compatibility remains with RabbitMQ 3.9, which is supported through August 2023, but ÃÛ¶¹ÊÓƵ recommends using ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p4 only with RabbitMQ 3.11.

  • JavaScript libraries. Outdated JavaScript libraries have been upgraded to the latest minor or patch versions, including moment.js library (v2.29.4), jQuery UI library (v1.13.2), and jQuery validation plugin library (v1.19.5).

2.4.4-p3

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p3 security release provides security bug fixes for vulnerabilities that have been identified in previous releases.

For the latest information about the security bug fixes, see .

2.4.4-p2

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p2 security release provides fixes for vulnerabilities that have been identified in previous releases. One fix includes the creation of a new configuration setting. The Require email confirmation if email has been changed configuration setting lets administrators require email confirmation when an admin user changes their email address.

For the latest information about the security bug fixes, see .

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. ÃÛ¶¹ÊÓƵ Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Knowledge Base article for information about downloading and installing the patch.

2.4.4-p1

The ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p1 security release provides fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements to improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see .t

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. ÃÛ¶¹ÊÓƵ Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Knowledge Base article for information about downloading and installing the patch.

Highlights

Security improvements for this release improve compliance with the latest security best practices, including:

  • ACL resources have been added to the Inventory.
  • Inventory template security has been enhanced.

Known issues

Issue: Web API and integration tests display this error when run on the 2.4.4-p1 package: [2022-06-14T16:58:23.694Z] PHP Fatal error: Declaration of Magento\TestFramework\ErrorLog\Logger::addRecord(int $level, string $message, array $context = []): bool must be compatible with Monolog\Logger::addRecord(int $level, string $message, array $context = [], ?Monolog\DateTimeImmutable $datetime = null): bool in /var/www/html/dev/tests/integration/framework/Magento/TestFramework/ErrorLog/Logger.php on line 69. Workaround: Install the previous version of Monolog by running the require monolog/monolog:2.6.0 command.

Issue: Merchants may notice package version downgrade notices during an upgrade from ÃÛ¶¹ÊÓƵ Commerce 2.4.4 to ÃÛ¶¹ÊÓƵ Commerce 2.4.4-p1. These messages can be ignored. The discrepancy in package versions results from anomalies during package generation. No product functionality has been affected. See the Knowledge Base article for a discussion of affected scenarios and workarounds.

recommendation-more-help
1d4eef6c-fef1-4e61-85eb-b58d7b9ac29f