Friday, March 29, 2019

Security release: Magento 2.3.1

The Magento project recently released new versions that fix several security vulnerabilities. The most important one is a critical SQL injection vulnerability, but these new versions also include over 30 security enhancements that help close cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities as well as other security issues. A few of the notable fixes include:

  • PRODSECBUG-2198: SQL Injection vulnerability through an unauthenticated user
  • PRODSECBUG-2236: SQL Injection and cross-site scripting vulnerability in Catalog section (XSS)
  • PRODSECBUG-2192: Remote code execution through crafted newsletter and email templates
  • PRODSECBUG-2287: Remote code execution through email template

We highly recommend upgrading your existing Magento Community Edition 2.x sites. For more information about these security issues and many others fixed in Magento 2.3.1, please refer to this blog post in the Magento Security Center.

Bitnami has released Bitnami Magento 2.3.1 Helm charts, containers, installers, virtual machines, and cloud images in order to address these security vulnerabilities. If you already have Bitnami Magento running on any of these platforms, you can upgrade the application by following our documentation.

Users launching Bitnami Magento via a cloud provider's marketplace are advised to select version 2.3.1 once it is published. Installations based on previous versions will need to be upgraded as described above.

If you have additional questions about Bitnami Magento, post them in our community forum, and we will be happy to help you.