Magento has released a bundle of patches that fix several vulnerabilities. The vulnerabilities addressed by the patch can be exploited by attackers to disclose confidential information and execute code remotely.

The bundle (SUPEE-5994) can be downloaded here and should be applied as soon as possible by users of Magento Community Edition and Magento Enterprise Edition.

It is important to note that the SUPEE-5994 Patch Bundle does not address the ShopLift vulnerability, which was fixed with the patch SUPEE-5344. Magento users should ensure that both sets of patches are applied to their Magento stores or they could be at risk of an RCE (remote code execution) attack.

Applying The Patch

To apply the patch:

Log in to your server via SSH.

Change directory to the root of your Magento install (yourdomain.com/html).

Execute the patch with the following command where the patch file name matches the version you have downloaded: ‘sh patch_file_name.sh’

Example:

sh PATCH_SUPEE-5994_CE_1.8.0.0_v1-2015-02-10-08-10-38.sh

Once installed, your Magento caches should be flushed. Re-compile if you are using the Magento compiler.

We also recommend first testing the patch on your development environment before placing it live on your production site.

As always, if you have any question, please feel free to email our support team at [email protected].

The Vulnerabilities

The SUPEE-5994 bundle contains eight patches, each of which fixes a vulnerability.

The patched vulnerabilities include several information leakage vulnerabilities, one of which could allow an attacker to obtain identifying information of customers, including names, addresses, and telephone numbers.

The patch bundle also fixes a number of remote code execution vulnerabilities.

• A cross-site scripting vulnerability (XSS) in the context of the Magento Connect Manager. If an administrator clicks on a malicious link, the session can be stolen and malicious extensions installed.
• A cross-site scripting vulnerability that could allow an attacker to execute JavaScript code in the context of a customer session. This is an extremely serious vulnerability that could be used to hijack user sessions, steal authentication cookies, expose personal information, and compromise the checkout process.

Full details of the vulnerabilities can be viewed on Magento’s patch announcement.

We ask all Magento users to please apply this patch as soon as possible, or seek assistance from someone who can. Instructions for doing so can be found here.