Update: Zend Framework Vulnerability Security Update

As some questions have come up, we wanted to provide some clarification to the blog post “Important Security Update – Zend Platform Vulnerability” posted on July 5, 2012.

As outlined in that post, all Magento merchants on a deployed platform are strongly recommended to protect themselves from the Zend Framework vulnerability.

We have added further instructions on how to protect your business. Please apply the solution below that corresponds to your version of Magento.

Magento Enterprise Edition


  • As a best practice, we recommend that all Enterprise Edition merchants upgrade if possible to the latest release (v1.12.0.2) to take advantage of the latest fixes and features.
  • Depending on your platform version, please find the appropriate solution for you:
YOUR CURRENT VERSION | RECOMMENDED SOLUTION
EE 1.12.0.0+ | Upgrade to the latest release (Navigate to Downloads > Magento Enterprise Edition > Release – account log-in is required)
EE 1.8.0.0 – 1.11.X.X | Apply the Zend Security Upgrades patch (Navigate to Downloads > Magento Enterprise Edition > Patches & Support – account log-in is required)
Versions prior to EE 1.8.0.0 | Implement the workaround (instructions below)

Magento Professional Edition


  • For all versions of Professional Edition, please apply the Zend Security Upgrades patch (Navigate to Downloads > Magento Professional Edition > Patches & Support – account log-in is required)

Magento Community Edition


  • As a best practice, we recommend that all Community Edition merchants upgrade if possible to the latest release (v1.7.0.2) to take advantage of the latest fixes and features.
  • Depending on your platform version, please find the appropriate solution:
YOUR CURRENT VERSION | RECOMMENDED SOLUTION
CE 1.7.0.0+ | Upgrade to the latest release
CE 1.5.0.0 – 1.6.X.X | Apply this patch
CE 1.4.2.0 | Apply this patch
CE 1.4.0.0 – 1.4.1.1 | Apply this patch
Versions prior to CE 1.4.0.0 | Implement the workaround (instructions below)

Magento Go


Magento Go customers will not need to make any updates. All fixes will be applied automatically on the backend.

Instructions on Applying the Patch

  • 1. Go to your Magento root directory: cd /home/mystore/public_html
  • 2. wget -O patch_name.patch <link to the patch for your version>
  • 3. Download the patch from the provided link appropriate for your version (the wget line above allows you to do it from the Unix command prompt)
  • 4. Apply the patch: patch -p0 < patch_name.patch

*Note that if you are running more than one web server, the patch will need to be applied to all the servers.

Workaround

If an upgrade cannot be performed or the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability.

Please note that this workaround can only be applied to versions of CE 1.4 and below and EE 1.8 and below.

Also, please be advised that any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.

  • 1. On the Magento web server, navigate to the web root where the Magento app files are stored.
  • 2. In the web root, navigate to /app/code/core/Mage/Api/controllers.
  • 3. Open XmlrpcController.php for editing.
  • 4. Comment out or delete the body of the method: public function indexAction()
  • 5. Save the changes.

Technical Clarification

As some of our experienced community members have discovered, the development fix in CE 1.7.0.2 and EE 1.12.0.2 differs from the fix provided in the patches. In the latest releases, we decided not to modify the Zend library directly, but to override the vulnerable methods within Magento code by adding two new classes:

  • app/code/core/Zend/XmlRpc/Response.php
  • app/code/core/Zend/XmlRpc/Request.php

We did this in order to keep the underlying Zend Framework at a coherent version, 1.11.1, for Magento 1.X. We are planning to upgrade the Zend Framework in Magento in upcoming releases.
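
As an added example (not Magento's own tooling and not code from this post), the script below reports which of the mitigations described above is visible in a Magento root: the two override classes from the latest releases, or an emptied indexAction() from the workaround. The post does not say which files the patch changes, so a patched tree is reported as unverified; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Magento tooling. Paths are the ones named in this post;
# function names are hypothetical.

# Print "disabled" if indexAction() has no code left in its body (the
# workaround), "active" if it does, nothing if the method is not found.
# Heuristic: comments are stripped, string literals are not parsed.
index_action_state() {
    awk '
    /function[ \t]+indexAction[ \t]*\(/ { found = 1 }
    !found { next }
    {
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1); cc = substr($0, i, 2)
            if (in_block) {
                if (cc == "*/") { in_block = 0; i++ }
                continue
            }
            if (cc == "/*") { in_block = 1; i++; continue }
            if (cc == "//" || c == "#") break
            if (c == "{" && depth++ == 0) continue
            if (c == "}" && --depth == 0) { done = 1; exit }
            if (depth > 0 && c !~ /[ \t\r]/) code = 1
        }
    }
    END { if (done) print (code ? "active" : "disabled") }
    ' "$1"
}

# Classify one Magento 1.x root directory.
mitigation_state() {
    ovr="$1/app/code/core/Zend/XmlRpc"
    ctl="$1/app/code/core/Mage/Api/controllers/XmlrpcController.php"
    if [ -f "$ovr/Request.php" ] && [ -f "$ovr/Response.php" ]; then
        echo "release-override"   # classes added in CE 1.7.0.2 / EE 1.12.0.2
    elif [ -f "$ctl" ] && [ "$(index_action_state "$ctl")" = "disabled" ]; then
        echo "workaround"         # XML-RPC entry point has an empty body
    else
        echo "unverified"         # patched or unprotected: confirm by hand
    fi
}

# Usage: sh check.sh /home/mystore/public_html [more roots...]
for root in "$@"; do
    printf '%s\t%s\n' "$root" "$(mitigation_state "$root")"
done
```

Run it on every web server that serves the store, since each one needs the fix.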

