Magento Warns Merchants Of Possible Security Risk
This morning, Magento notified Community Edition users of a potential exploit in the system discovered by Check Point Software Technologies.
Because the vulnerability may soon be made public, the company urged Magento merchants to make sure they have installed two vital security-related patches that Magento released in the past.
Magento users should get a pop-up with this information in their admin panel and a notification by email. The text of the email sent by Magento is below:
If you have not done so already, download and install 2 previously-released patches that address potential Magento software security risks. The patches prevent an attacker from remotely executing code on Magento software. These issues affect all versions of Magento Community Edition.
Check Point Software Technologies has informed us that they plan to send out a press release in the coming days making one of the security issues widely known, possibly alerting hackers who may try to exploit the issue. While we have not received any reports of merchants being impacted by the security risks, it’s important to ensure the patches are in place as a preventative measure before the issue is publicized.
RECOMMENDED NEXT STEPS:
- Check for unknown files in the web server document root directory. If you find any, you may be impacted.
- Download and implement 2 patches from the Magento Community Edition download page.
  - SUPEE-5344 – Addresses a potential remote code execution exploit (Added Feb 9, 2015)
  - SUPEE-1533 – Addresses two potential remote code execution exploits (Added Oct 3, 2014)
  Note: Different versions of the patch are available for Magento Community Edition 1.4.x through 1.9.x.
- Implement and test the patches in a development environment first to confirm that they work as expected before deploying them to your production site.
Magento takes security seriously and will continue to actively work to identify and resolve potential issues.
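One way to carry out the first recommended step, checking the document root for unknown files, is to compare it against a clean copy of the same release. This is an added example, not part of Magento's email or tooling; it assumes you keep a pristine copy of the same Magento version with the same patches applied, and the function names are hypothetical.

```python
import hashlib
import os
import tempfile


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if os.path.islink(full):
                # Record the link target instead of reading through the link.
                result[rel] = "symlink:" + os.readlink(full)
                continue
            digest = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    digest.update(chunk)
            result[rel] = digest.hexdigest()
    return result


def compare(baseline_root, docroot):
    """Return (unknown, modified) relative paths found in docroot."""
    base, live = manifest(baseline_root), manifest(docroot)
    unknown = sorted(p for p in live if p not in base)
    modified = sorted(p for p in live if p in base and live[p] != base[p])
    return unknown, modified


def demo():
    """Run the comparison on two small constructed trees (not real Magento files)."""
    def write(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)

    with tempfile.TemporaryDirectory() as base, tempfile.TemporaryDirectory() as live:
        for root in (base, live):
            write(root, "index.php", b"<?php // constructed entry point\n")
            write(root, os.path.join("app", "Mage.php"), b"<?php // constructed\n")
        write(live, os.path.join("app", "Mage.php"), b"<?php // constructed, changed\n")
        write(live, os.path.join("media", "x.php"), b"<?php // constructed extra file\n")
        return compare(base, live)


if __name__ == "__main__":
    print(demo())
```

On a real site, expect uploads, caches and local configuration to appear as unknown; the entries that need review are unexpected files and any modified core files.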