Magento Zend Framework Security Update
Recently, a serious vulnerability has become apparent in Magento’s Zend framework. Long story short, it grants would-be attackers the opportunity to read any file on the web server where Zend XMLRPC functionality is enabled. Password files, configuration files, and even databases could be at risk.
Don’t be a victim! We strongly recommend that all Magento merchants on a deployed platform take steps to mitigate this vulnerability. Please apply the solution below that corresponds to your Magento version, carefully following the Instructions on Applying the Patch.
Magento Enterprise Edition
NOTE: all Enterprise Edition merchants should upgrade to the latest release to take advantage of the latest fixes and features.
Your Current Version / Recommended Solution:
- EE 1.12.0.0+: Upgrade to the latest release (Navigation: Downloads > Magento Enterprise Edition > Release; account login required)
- EE 1.8.0.0 – 1.11.X.X: Apply the Zend Security Upgrades patch (Navigation: Downloads > Magento Enterprise Edition > Patches & Support; account login required)
- Versions prior to EE 1.8.0.0: Implement the workaround detailed below
Magento Professional Edition
All versions of Professional Edition should apply the Zend Security Upgrades patch [link] (Navigation: Downloads > Magento Professional Edition > Patches & Support; account login required)
Magento Community Edition
NOTE: all Community Edition merchants should upgrade to the latest release to take advantage of the latest fixes and features.
Your Current Version / Recommended Solution:
- CE 1.7.0.0+: Upgrade to the latest release
- CE 1.5.0.0 – 1.6.X.X: This link is no longer available
- CE 1.4.2.0: Apply this patch
- CE 1.4.0.0 – 1.4.1.1: Apply this patch
- Versions prior to CE 1.4.0.0: Implement the workaround detailed below
Magento GO
Magento GO merchants will not need to make any updates, as all fixes are applied automatically via Magento’s backend.
Workaround
If for any reason an upgrade can’t be performed, or an immediate patch isn’t an option, follow these instructions to temporarily disable the XMLRPC functionality that contains the vulnerability.
NOTE: this workaround can only be applied to CE versions 1.4 and below and EE versions 1.8 and below.
NOTE: any integrations relying on XMLRPC API functionality will also be disabled by this workaround.
- Navigate to the www-root on the Magento web server where the Magento app files are stored
- Navigate to app/code/core/Mage/Api/controllers
- Open XmlrpcController.php for editing
- Comment out or delete the body of the method public function indexAction()
- Save your changes
Instructions on Applying the Patch
NOTE: if you’re running more than one web server, be sure to apply the patch to all servers.
- Navigate to your Magento root directory, for example: cd /home/mystore/public_html
- Download the appropriate patch from the provided link; from the Unix command prompt, wget -O patch_name.patch <patch URL> does this (replace <patch URL> with the link for your version)
- Apply the patch: patch -p0 < patch_name.patch
Technical Clarification
You may notice that the fix shipped in CE 1.7.0.2 and EE 1.12.0.2 differs from the fix provided in the patches. In these releases, Magento decided not to modify the Zend library directly, but rather to override the vulnerable methods within Magento code by adding two new classes:
- app/code/core/Zend/XmlRpc/Response.php
- app/code/core/Zend/XmlRpc/Request.php
This keeps the underlying Zend Framework (version 1.11.1 for Magento 1.X) unmodified and consistent. Upcoming releases will ship an upgraded Zend Framework with Magento.
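To illustrate the override approach described above, here is an added example (not Magento’s or Zend Framework’s own code) of how an XML-RPC request body can be parsed so that entity declarations can never reach the file system; the function name and the sample request bodies are constructed for this illustration.

```php
<?php
// Added illustration, not Magento's or Zend's own code. The function name and
// the sample bodies below are constructed for this example.

/**
 * Parse an XML-RPC request body defensively and return the method name.
 * Returns null (and sets $error) when the body must be rejected.
 */
function parseXmlRpcMethodSafely($body, &$error = null)
{
    $error = null;
    if (!is_string($body) || $body === '') {
        $error = 'empty request';
        return null;
    }
    // An XML-RPC call never needs a DOCTYPE; the dangerous part is the entity
    // declarations it can carry, so refuse the whole document up front.
    if (preg_match('/<!DOCTYPE/i', $body)) {
        $error = 'DOCTYPE declarations are not accepted';
        return null;
    }
    // Belt and braces: even if a DOCTYPE slipped through, libxml must not
    // resolve external entities or fetch anything over the network.
    // (libxml_disable_entity_loader is deprecated since PHP 8.0, where
    // external entity loading is already off by default.)
    $prevLoader = libxml_disable_entity_loader(true);
    $prevErrors = libxml_use_internal_errors(true);
    $xml = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_disable_entity_loader($prevLoader);
    libxml_use_internal_errors($prevErrors);

    if ($xml === false || !isset($xml->methodName)) {
        $error = 'malformed XML-RPC request';
        return null;
    }
    return (string) $xml->methodName;
}

// Constructed sample bodies: a normal call, and one carrying a DOCTYPE.
$valid = '<?xml version="1.0"?><methodCall><methodName>login</methodName>'
       . '<params><param><value><string>apiuser</string></value></param></params></methodCall>';
$withDoctype = '<?xml version="1.0"?><!DOCTYPE methodCall [<!ENTITY e "x">]>'
             . '<methodCall><methodName>&e;</methodName></methodCall>';

echo "valid body -> method: ", var_export(parseXmlRpcMethodSafely($valid, $err), true), "\n";
echo "DOCTYPE body -> method: ", var_export(parseXmlRpcMethodSafely($withDoctype, $err), true),
     " (", $err, ")\n";
```

The same two checks, a DOCTYPE rejection plus disabling the entity loader, are what an override of the request-parsing method must guarantee regardless of which Zend Framework version sits underneath.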
Some Final Notes
Users with existing IDS capability may monitor the RPC interface for attacks.
Contact us for a security analysis. We’d be glad to walk you through the process. Our diagnostic tools don’t stop there, either: check out our Magento Health Check for some other great ways to optimize your Magento platform.