Update: Zend Framework Vulnerability Security Update
As some questions have come up, we want to clarify the blog post “Important Security Update – Zend Platform Vulnerability” posted on July 5, 2012.
As outlined in that post, all merchants running a self-hosted (deployed) Magento installation are strongly advised to protect themselves against the Zend Framework vulnerability.
We have added further instructions on how to protect your business. Apply the solution below that corresponds to your version of Magento:
Magento Enterprise Edition
Magento Professional Edition
Magento Community Edition
Magento Go customers will not need to make any updates. All fixes will be applied automatically on the backend.
Instructions on Applying the Patch
*Note: if you run more than one web server, the patch must be applied to every server.
If you cannot upgrade or apply the patch immediately, the following instructions temporarily disable the RPC functionality that contains the vulnerability.
Please note that this workaround applies only to CE 1.4 and below and EE 1.8 and below.
Also be advised that any integration that relies on the XML-RPC API will stop working once this workaround is in place.
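The two notes above (patch every server, and expect XML-RPC to stop answering once the workaround is in) both come down to one check: hit each backend directly and see whether it still speaks XML-RPC. The script below is an added example, not code from the Magento post or the Magento code base. It assumes the Magento 1 XML-RPC route is `/index.php/api/xmlrpc` (an assumption, adjust if your installation differs), that `curl` is available, and that you can reach each web node by its own address so the load balancer cannot hide an unpatched node. The XML-RPC request body is constructed here; the method name does not matter, only whether the server returns a `<methodResponse>` (a fault response still proves the endpoint is live).

```shell
#!/bin/sh
# Added example (not from the Magento post): probe each web node directly for
# the Magento 1 XML-RPC endpoint and report whether it still answers XML-RPC.
# Use it to verify that a patch, or the "disable RPC" workaround, reached
# every server behind the load balancer.

# Assumed endpoint path; verify against your own installation.
XMLRPC_PATH="/index.php/api/xmlrpc"

# Constructed minimal XML-RPC call. Any method name works: we only need to
# learn whether the server parses XML-RPC at all.
XMLRPC_BODY='<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName><params/></methodCall>'

# classify_response STATUS BODY -> prints "xmlrpc-enabled" or "xmlrpc-disabled"
# A live Zend_XmlRpc endpoint answers 200 with a <methodResponse> (either a
# result or a <fault>). Anything else, including a 200 HTML error page, a
# 403 from a blocking rule, or a 404, counts as disabled.
classify_response() {
    status="$1"
    body="$2"
    case "$status" in
        200)
            case "$body" in
                *"<methodResponse>"*) echo "xmlrpc-enabled" ;;
                *) echo "xmlrpc-disabled" ;;
            esac ;;
        *) echo "xmlrpc-disabled" ;;
    esac
}

# probe_node NODE [VHOST]: POST the call straight to one backend, sending the
# store's Host header so Magento routes the request to the right website.
probe_node() {
    node="$1"
    vhost="${2:-$node}"
    tmp="/tmp/xmlrpc_probe.$$"
    http_code=$(curl -s -o "$tmp" -w '%{http_code}' \
        -H "Host: $vhost" -H 'Content-Type: text/xml' \
        --data-binary "$XMLRPC_BODY" "http://$node$XMLRPC_PATH")
    body=$(cat "$tmp" 2>/dev/null)
    rm -f "$tmp"
    printf '%s %s\n' "$node" "$(classify_response "$http_code" "$body")"
}

# Usage: sh probe_xmlrpc.sh web1.internal web2.internal ...
# Every node should print "xmlrpc-disabled" after the workaround; after the
# real patch, nodes may still print "xmlrpc-enabled", which is expected.
for node in "$@"; do
    probe_node "$node"
done
```

Run it against every backend by internal hostname or IP, not against the public store URL, so a single lagging node cannot be masked by the balancer. If you patched rather than disabled RPC, the endpoint is supposed to stay enabled; the list is still useful to confirm that every node you believe you patched actually serves the API.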
As some of our experienced community members have noticed, the fix shipped in CE 184.108.40.206 and EE 220.127.116.11 differs from the fix provided in the patches. In the latest releases we decided not to modify the Zend library directly, but to override the vulnerable methods within Magento code by adding two new classes:
We did this to keep the underlying Zend Framework at version 1.11.1 for Magento 1.x. We plan to upgrade the Zend Framework in Magento in upcoming releases.