Magento 2.3.4 Patches Critical Code Execution Vulnerabilities
Magento 2.3.4 was released this week with patches for six vulnerabilities, including three that are considered critical.
The first of these severe security issues is related to deserialization of untrusted data. Tracked as CVE-2020-3716, the bug could lead to arbitrary code execution.
Another critical flaw that could allow for the execution of arbitrary code is CVE-2020-3718, which Adobe describes as a security bypass issue.
The third critical vulnerability addressed in this release is an SQL injection that could lead to the disclosure of sensitive information, and which is tracked as CVE-2020-3719.
All of the remaining three vulnerabilities patched in Magento 2.3.4 are considered important and all three could result in the disclosure of sensitive information.
Tracked as CVE-2020-3715 and CVE-2020-3758, the first two are stored cross-site scripting (XSS) flaws, while the third one is a path traversal with the CVE number CVE-2020-3717.
These vulnerabilities were found to impact both Magento Commerce and Magento Open Source, versions 2.3.3 and earlier and 2.2.10 and earlier, as well as Magento Enterprise Edition 188.8.131.52 and earlier, and Magento Community Edition 184.108.40.206 and earlier.
With the previous quarterly release, Adobe also introduced security-only patches, which allow merchants to install time-sensitive vulnerability fixes without having to apply all of the functional patches and enhancements that are normally included in a full quarterly release.
Thus, fixes for the vulnerabilities that have been identified in Magento 2.3.3 were included in Patch 220.127.116.11 (Composer package 2.3.3-p1), a security-only patch that also includes all the hotfixes applied to the 2.3.3 release.
“Security-only patches include only security bug fixes, not the additional security enhancements that are included in the full patch,” the company underlines.
Starting with this quarterly release, security issues will be documented in an Adobe security bulletin, but no longer described in the Magento Security Center.
In an attempt to reduce attack surface and prevent remote code execution attacks, the new Magento version converts the Custom Layout Update field on the CMS Page Edit, Category Edit, and Product Edit pages to a selector.
“You can no longer specify an entity-specific layout update with text but instead must create a physical file that contains the layout updates and select it for use,” the Magento 2.3.4 release notes reveal.
Additionally, the content template features were redesigned to allow only for whitelisted variables to be added to templates. The goal is to prevent the inclusion in administrator-defined templates, such as email, newsletters, and CMS content, of variables and directives directly calling PHP functions on objects.
“No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin,” the release notes reveal.