Security update available for Adobe Commerce - APSB24-73
On October 08, 2024, Adobe released a regularly scheduled security update for Adobe Commerce and Adobe Commerce Webhooks Plugin.
This update resolves vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass, and privilege escalation. The bulletin is APSB24-73.
Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and Adobe will have limited means to help remediate.
Affected products and versions
Adobe Commerce on Cloud and Adobe Commerce on-premises:
- 2.4.7-p2 and earlier
- 2.4.6-p7 and earlier
- 2.4.5-p9 and earlier
- 2.4.4-p10 and earlier
B2B:
- 1.4.2-p2 and earlier
- 1.3.5-p7 and earlier
- 1.3.4-p9 and earlier
- 1.3.3-p10 and earlier
Solution for Adobe Commerce on Cloud and Adobe Commerce on-premises Software
To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2024-45115 Isolated patch.
Isolated Patch Details
Use the following attached Isolated patch:
How to apply the Isolated patch
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied
Considering that it isn’t possible to easily check if the issue was patched, you might want to check whether the CVE-2024-45115 Isolated patch has been successfully applied.
You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
- Run the command:
- You should see output similar to this, where VULN-27015 returns the Applied status:

```bash
║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
```
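The status check above can be scripted so that a deployment pipeline fails when the hotfix row is missing or not in the Applied state. The following is an added example, not part of the original bulletin or of Adobe's tooling; the function names, exit-code convention, sample table and the `VULN-00000` placeholder row are assumptions made for illustration.

```bash
#!/usr/bin/env bash
# Added example: verify a hotfix row in patch status table output.
# Exit codes (hypothetical convention):
#   0 = row found and Status is Applied
#   1 = row found but Status is anything else
#   2 = no Status header or no row mentioning the patch id

patch_applied() {
  # $1    = patch identifier to look for in a row (e.g. VULN-27015)
  # stdin = the status table text
  # Normalise the box-drawing separators to '|' so awk can split on one byte.
  sed -e 's/║/|/g' -e 's/│/|/g' |
  awk -F'|' -v id="$1" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # Until the header row is seen, look for the column named Status.
    col == 0 {
      for (i = 1; i <= NF; i++) if (trim($i) == "Status") col = i
      next
    }
    # Data rows: only the Status cell decides, never the Details text.
    index($0, id) {
      found = 1
      if (trim($col) != "Applied") bad = 1
    }
    END {
      if (!col || !found) exit 2
      exit (bad ? 1 : 0)
    }'
}

# Constructed sample: the header and first row mirror the output shown above;
# the second row (placeholder id VULN-00000) is invented to show a failure.
sample_status() {
  cat <<'EOF'
║ Id  │ Title                                                │ Category │ Origin │ Status      │ Details            ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other    │ Local  │ Applied     │ Patch type: Custom ║
║ N/A │ ../m2-hotfixes/VULN-00000_placeholder.patch          │ Other    │ Local  │ Not applied │ Patch type: Custom ║
EOF
}

# Real use: pipe the status command's output into patch_applied VULN-27015.
sample_status | patch_applied VULN-27015 && echo "VULN-27015: applied"
```

Treat exit code 2 as a failure too: a missing row means the patch file never reached the hotfix directory, which a plain text search for "Applied" would not distinguish from a different patch being applied.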
Security updates
Security updates available for Adobe Commerce: