ÃÛ¶¹ÊÓƵ

Security update available for ÃÛ¶¹ÊÓƵ Commerce - APSB24-61

On August 13, 2024, ÃÛ¶¹ÊÓƵ released a regularly scheduled security update for ÃÛ¶¹ÊÓƵ Commerce, Magento Open Source, and ÃÛ¶¹ÊÓƵ Commerce Webhooks Plugin. This update resolves vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass, and privilege escalation. The bulletin is .

Note:  CVE-2024-39397, listed in the security bulletin above, is applicable only when using the Apache web server. To make it easier to apply the fix quickly, ÃÛ¶¹ÊÓƵ has also released an isolated patch that resolves CVE-2024-39397.

Please apply the latest security updates as soon as possible. If you fail to do so, you become vulnerable to these security issues, and ÃÛ¶¹ÊÓƵ has limited means to help remediate.

Note:  Please contact Support Services if you encounter any issues applying the security patch/Isolated patch.

Description description

Affected products and versions

ÃÛ¶¹ÊÓƵ Commerce on Cloud, ÃÛ¶¹ÊÓƵ Commerce on-premises, and Magento Open Source:

Resolution resolution

Solution for ÃÛ¶¹ÊÓƵ Commerce on Cloud, ÃÛ¶¹ÊÓƵ Commerce on-premises Software, and Magento Open Source

To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2024-39397 Isolated patch.

Isolated Patch Details

Use the following attached Isolated patch:

How to apply the Isolated patch

Unzip the file and see How to apply a composer patch provided by ÃÛ¶¹ÊÓƵ in our support knowledge base for instructions.

For ÃÛ¶¹ÊÓƵ Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied

Considering that it’s not easy to check if the issue was patched, you might want to verify whether the CVE-2024-39397 isolated patch was successfully applied.

You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:

Security updates

Security updates available for ÃÛ¶¹ÊÓƵ Commerce: