Important Security Update – Zend Platform Vulnerability
We have recently learned of a serious vulnerability in the Zend Framework on which Magento is built. This note provides information on how customers can access and install a patch that addresses this issue.
The vulnerability potentially allows an attacker to read any file on the web server where the Zend XMLRPC functionality is enabled. This might include password files, configuration files, and possibly even databases if they are stored on the same machine as the Magento web server.
We recommend that all Magento implementations install the latest patch appropriate for your platform:
If the patch cannot be applied immediately, the following instructions can be followed to temporarily disable the RPC functionality that contains the vulnerability. Please be advised, any integrations that rely on the XMLRPC API functionality will no longer work after this workaround is implemented.
Users with existing IDS capability may monitor the RPC interface to watch for attacks. As always, we recommend maintaining an up-to-date installation of the Magento platform as the best way stay secure.
The latest releases of Magento (Community Edition 188.8.131.52 and Enterprise Edition 184.108.40.206) incorporate the appropriate patches. please use correct versions of releases 220.127.116.11 and 18.104.22.168 .
Comments are closed.