Release notes for ÃÛ¶¹ÊÓƵ Commerce 2.4.7 security patches
These security patch release notes capture updates to enhance the security of your ÃÛ¶¹ÊÓƵ Commerce deployment. Information includes, but is not limited to, the following:
- Security bug fixes
- Security highlights that provide more detail about enhancements and updates included in the security patch
- Known issues
- Instructions to apply additional patches if required
- Information about any hot fixes included in the release
Learn more about security patch releases:
- ÃÛ¶¹ÊÓƵ Commerce Security Patch Releases overview
- Instructions for downloading and applying security patch releases are available in the Upgrade Guide
2.4.7-p3
The ÃÛ¶¹ÊÓƵ Commerce 2.4.7-p3 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.
For the latest information about the security bug fixes, see .
Highlights
This release includes the following highlights:
-
TinyMCE upgrade—T³ó±ð WYSIWYG editor in the Admin now uses the latest version of the TinyMCE dependency (7.3​).
-
TinyMCE 7.3 offers an enhanced user experience, better collaboration, and increased efficiency. TinyMCE 5 has been removed in the 2.4.8 release line.​
-
Since there was a security vulnerability () reported in TinyMCE 5.10, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:
- 2.4.7-p3
- 2.4.6-p8
- 2.4.5-p10
- 2.4.4-p11
-
-
Require.js upgrade—ÃÛ¶¹ÊÓƵ Commerce now uses the latest version of Require.js (2.3.7).
-
Since there was a security vulnerability () reported in Require.js 2.3.6, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:
- 2.4.7-p3
- 2.4.6-p8
- 2.4.5-p10
- 2.4.4-p11
-
Hotfixes included in this release
This release includes a hotfix to resolve an issue with the Braintree payment gateway.
The system now includes the necessary fields to fulfill the 3DS VISA mandate requirements when using Braintree as a payment gateway. This ensures that all transactions comply with the latest security standards set by VISA. Previously, these additional fields were not included in the payment information sent, which could have led to non-compliance with the new VISA requirements.
2.4.7-p2
The ÃÛ¶¹ÊÓƵ Commerce 2.4.7-p2 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.
For the latest information about the security bug fixes, see .
Highlights
This release includes the following highlights:
-
Rate limiting for one-time passwords—T³ó±ð following new system configuration options are now available to enable rate limiting on two-factor authentication (2FA) one-time password (OTP) validation:
- Retry attempt limit for Two-Factor Authentication
- Two-Factor Authentication lockout time (seconds)
ÃÛ¶¹ÊÓƵ advises setting a threshold for 2FA OTP validation to limit the number of retry attempts to mitigate brute-force attacks. See Security > 2FA in the Configuration Reference Guide for more information.
-
Encryption key rotation—A new CLI command is now available for changing your encryption key. See the Troubleshooting Encryption Key Rotation: CVE-2024-34102 Knowledge Base article for details.
-
Fix for —Resolves a Prototype.js security vulnerability.
-
Fix for —Resolves a remote code execution security vulnerability. This vulnerability affects merchants using the Apache web server for on-premises or self-hosted deployments. This fix is also available as an isolated patch. See the Security update available for ÃÛ¶¹ÊÓƵ Commerce - APSB24-61 Knowledge Base article for details.
Hotfixes included in this release
This release includes the following hotfixes:
-
Hotfix to resolve a JavaScript error that prevented Google Maps from rendering properly in the PageBuilder editor. See the Revised patches for Google Maps access loss on all ÃÛ¶¹ÊÓƵ Commerce versions Knowledge Base article for details.
-
Hotfix to resolve a JSON web token (JWT) validation issue related to CVE-2024-34102. See the Security update available for ÃÛ¶¹ÊÓƵ Commerce-APSB24-40 Knowledge Base article for details.
2.4.7-p1
The ÃÛ¶¹ÊÓƵ Commerce 2.4.7-p1 security release provides security bug fixes for vulnerabilities that have been identified in previous releases of 2.4.7.
For the latest information about the security bug fixes, see .
Apply hotfix for CVE-2024-34102
For customers who have not applied security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:
Option 1:
Option 2:
-
Apply the isolated patch.
-
Rotate encryption keys.
For customers who have already applied a security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:
For customers who have already 1) applied a security patch released on June 11, 2024 or, 2) the isolated patch released on June 28, 2024, and 3) rotated their encryption keys:
- Apply the hotfix released on July 17, 2024.
Highlights
This release includes the following highlights:
-
Update one-time password (OTP) settings for Google Authenticator–This update is required to resolve an error that was introduced by a in 2.4.7. The description of the OTP Window field now provides an accurate explanation of the setting and the default value has been changed from
1to29. -
B2B version compatibility—For compatibility with Commerce version 2.4.7-p1, merchants that have the ÃÛ¶¹ÊÓƵ Commerce B2B extension must upgrade to B2B version 1.4.2-p1.
Hotfixes included in this release
ÃÛ¶¹ÊÓƵ Commerce 2.4.7-p1 resolves an issue introduced in the scope of the UPS integration migration from SOAP to REST API. This issue affected customers who ship outside of the US and prevented them from using the Metric System/SI measurements of kilograms and centimeters for packages to create shipments with UPS. See the UPS shipping method integration migration from SOAP to RESTful API knowledge base article for details.