Thursday, June 1, 2017

Security Release: Magento 2.1.7

The Magento project has released a new update that fixes several critical vulnerabilities. A few of the notable fixes include:

  • APPSEC-1686: Remote Code Execution in the Admin panel
  • APPSEC-1626: RCE in video upload
  • APPSEC-1746: Zend Mail vulnerability - continued
  • APPSEC-1565: Customer password hash exposed in admin
  • APPSEC-1752: Stored XSS in admin panel
  • APPSEC-1663: Mass actions do not follow ACL
  • APPSEC-1661: UI controllers do not follow ACL
  • APPSEC-1679: APIs vulnerable to CSRF
  • APPSEC-1559: Possible remote code execution in email reminders
  • APPSEC-1699: API tokens not invalidated after disabling admin user

We highly recommend upgrading your existing Magento Community Edition 2.0 sites. For more information about the security issues fixed in the recently released update, Magento 2.1.7, please check out Magento's Security Center.

We have released Bitnami Magento 2.1.7 containers, installers, virtual machines and cloud images in order to address these security vulnerabilities. If you already have a running version of Bitnami Magento, you can upgrade the application by following the detailed steps through our documentation.

Users launching Bitnami Magento via a cloud marketplace are advised to select version 2.1.7, once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have additional questions about Bitnami Magento, post to our community forum, and we will be happy to help you.