Release Note for Adobe Commerce 2.4.7-p2 Security Patches


These security patch release notes detail essential updates designed to strengthen the security of your Adobe Commerce deployment. The information covered includes, but is not limited to, the following:

  • Bug fixes for security
  • Security highlights that give more detail about the security enhancements included in this release
  • Various known issues
  • Methods to apply additional patches when needed
  • Details about any hot fixes included in the release

2.4.7-p2

The Adobe Commerce 2.4.7-p2 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-61.

Apply hotfix for CVE-2024-34102

The following options are for customers who have not applied the security patch made available on June 11, 2024.

Option 1: Apply one of the security patches released on June 11, 2024:

Apply the hotfix released on July 17, 2024.

Rotate encryption keys.

Option 2: Apply the isolated patch.

Rotate encryption keys.

Highlights

This release includes the following highlights:

1. Rate limiting for one-time passwords—The following new system configuration options are now available to enable rate limiting on two-factor authentication (2FA) one-time password (OTP) validation:

  • Retry attempt limit for Two-Factor Authentication
  • Two-Factor Authentication lockout time (seconds)

Adobe advises setting a threshold for 2FA OTP validation to limit the number of retry attempts to mitigate brute-force attacks. See Security > 2FA in the Configuration Reference Guide for more information.

2. Encryption key rotation—A new CLI command is now available for changing your encryption key. See the Troubleshooting Encryption Key Rotation: CVE-2024-34102 Knowledge Base article for details.

3. Fix for CVE-2020-27511—Resolves a Prototype.js security vulnerability.
4. Fix for CVE-2024-39397—Resolves a remote code execution security vulnerability. This vulnerability affects merchants using the Apache web server for on-premises or self-hosted deployments. This fix is also available as an isolated patch. See the Security update available for Adobe Commerce – APSB24-61 Knowledge Base article for details.
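
To see how the two settings from highlight 1 (retry attempt limit and lockout time) interact, the following added example models them in Python. It is an illustration only, not Adobe Commerce code; the class and function names, the injected clock and the sample thresholds are assumptions made for the example.

```python
import hmac


class OtpRateLimiter:
    """Per-user OTP validation with a retry limit and a lockout window (hypothetical model)."""

    def __init__(self, retry_limit, lockout_seconds):
        self.retry_limit = retry_limit
        self.lockout_seconds = lockout_seconds
        self.failures = {}      # user -> failed attempts since last reset
        self.locked_until = {}  # user -> time at which the lockout ends

    def validate(self, user, submitted, expected, now):
        """Return 'ok', 'invalid' or 'locked'; `now` is an injected clock in seconds."""
        if now < self.locked_until.get(user, 0):
            return "locked"  # the code is not compared at all while locked out
        if hmac.compare_digest(submitted, expected):  # constant-time comparison
            self.failures.pop(user, None)
            return "ok"
        count = self.failures.get(user, 0) + 1
        if count >= self.retry_limit:
            self.locked_until[user] = now + self.lockout_seconds
            count = 0
        self.failures[user] = count
        return "invalid"


def guesses_compared(limiter, user, expected, duration, attempts_per_second=1):
    """Feed a constructed stream of wrong codes; count how many were actually checked."""
    checked = 0
    for tick in range(duration * attempts_per_second):
        now = tick / attempts_per_second
        if limiter.validate(user, "000000", expected, now) == "invalid":
            checked += 1
    return checked


def daily_guess_odds(retry_limit, lockout_seconds, digits=6):
    """Union bound on the chance that 24 hours of guessing hits a valid code."""
    bursts = 86400 // lockout_seconds + 1  # bursts of attempts that fit in a day
    return min(1.0, bursts * retry_limit / 10 ** digits)
```

With the sample thresholds of 5 attempts and a 300-second lockout, one hour of continuous wrong submissions results in 60 codes actually being compared instead of 3,600, which is the effect the retry limit is meant to have.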

Hotfixes included in this release

This release includes the following hotfixes:

1. Hotfix to resolve a JavaScript error that prevented Google Maps from rendering properly in the PageBuilder editor. See the Revised patches for Google Maps access loss on all Adobe Commerce versions Knowledge Base article for details.

2. Hotfix to resolve a JSON web token (JWT) validation issue related to CVE-2024-34102. See the Security update available for Adobe Commerce-APSB24-40 Knowledge Base article for details.

For more details, visit: https://experienceleague.adobe.com/en/docs/commerce-operations/release/notes/security-patches/overview#about-adobe-commerce-security-patch-releases

More Links:

All About Adobe Commerce 2.4.7: https://www.idslogic.com/news/magento-2-4-7-release-note/

Adobe Commerce 2.4.7-p1: https://www.idslogic.com/news/adobe-commerce-2-4-7-security-patches-updates/