Security patch available

Merchants can now install time-sensitive security fixes without applying the hundreds of functional fixes and enhancements that a full quarterly release provides (for example, 2.4.1-p1). Patch 2.4.0.12 (Composer package 2.4.1-p1) is a security patch that provides fixes for vulnerabilities that have been identified in our previous quarterly release, 2.4.1. All hot fixes that were applied to the 2.4.1 release are included in this security patch. (A hot fix provides a fix to a released version that addresses a specific problem or bug.)

For general information about security patches, see Introducing the New Security Patch Release. For instructions on downloading and applying security patches (including patch 2.4.1-p1), see Quick start on-premises installation. Security patches include security bug fixes only, not the additional security enhancements that are included in the full patch.

Other release information

Although code for these features is bundled with quarterly releases, several of these projects (for example, B2B, Page Builder, and Progressive Web Applications (PWA) Studio) are also released independently. Bug fixes for these projects are documented in the separate, project-specific release information that is available in the documentation for each project.

Highlights

Look for the following highlights in this release.

Substantial security enhancements

This release includes over 35 security fixes and platform security improvements. All security fixes have been backported to 2.4.1-p1 and 2.3.6-p1.

Over 35 security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts: IP allowlisting, two-factor authentication, use of a VPN, the use of a unique location rather than /admin, and good password hygiene. See Adobe Security Bulletin for a discussion of these fixed issues.

Additional security enhancements

Security improvements for this release include:

  • All core cookies now support the SameSite attribute.

  • The application now displays messages that identify potentially malicious content in product and category description fields when the user tries to save values in these fields.

  • File system operations across Components have been standardized and hardened to prevent malicious uploads.

  • Core Content Security Policy (CSP) violations have been fixed.
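One way to verify the SameSite change after upgrading is to audit the Set-Cookie headers a storefront actually returns. The following is an added example written for these notes, not Magento code; the cookie names and header values are constructed sample data, and the checks (SameSite present and valid, Secure set, SameSite=None paired with Secure) are the ones a browser enforces.

```python
"""Audit Set-Cookie headers for SameSite and Secure attributes.

Added example for these release notes, not code from the Magento project.
The headers below are constructed sample data modelled on typical storefront
cookies; replace them with headers captured from your own deployment.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "form_key=xyz789; Path=/; Secure; SameSite=Lax",
    "mage-cache-sessid=true; Path=/; Secure",                # no SameSite
    "private_content_version=42; Path=/; Max-Age=31536000",  # no Secure, no SameSite
]

VALID_SAMESITE = {"strict", "lax", "none"}


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str) -> CookieAudit:
    """Split one Set-Cookie header into its name and the attributes we care about."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite = None
    secure = httponly = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower()
        elif key == "secure":
            secure = True
        elif key == "httponly":
            httponly = True
    return CookieAudit(name, samesite, secure, httponly)


def audit_cookie(header: str) -> CookieAudit:
    """Record the attribute problems a browser would object to for one cookie."""
    cookie = parse_set_cookie(header)
    if cookie.samesite not in VALID_SAMESITE:
        cookie.findings.append("missing or invalid SameSite")
    if cookie.samesite == "none" and not cookie.secure:
        cookie.findings.append("SameSite=None requires Secure")  # rejected by browsers
    if not cookie.secure:
        cookie.findings.append("missing Secure")
    return cookie


def audit_headers(headers: List[str]) -> Dict[str, CookieAudit]:
    """Audit every Set-Cookie header and key the results by cookie name."""
    return {c.name: c for c in (audit_cookie(h) for h in headers)}
```

Feed `audit_headers` the Set-Cookie lines from a real response (for example, from your HTTP client's raw headers) and any non-empty `findings` list marks a cookie that did not pick up the expected attributes.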

NOTE
Starting with the 2.3.2 release, we will assign and publish indexed Common Vulnerabilities and Exposures (CVE) numbers with each security bug reported to us by external parties. This allows users to more easily identify unaddressed vulnerabilities in their deployment. You can learn more about CVE identifiers at CVE.

Infrastructure improvements

This release contains enhancements to core quality, which improve the quality of the Framework and these functional areas: Customer Account, Catalog, CMS, OMS, Import/Export, Promotions and Targeting, Cart and Checkout, B2B, and Staging and Preview.

Platform enhancements

  • Elasticsearch 7.9.x is now supported. Although we recommend running Elasticsearch 7.9.x, version 2.4.x remains compatible with Elasticsearch 7.4.x.

  • 2.4.2 has been tested with Varnish 6.4. Version 2.4.x remains compatible with Varnish 6.x.

  • Redis 6.x is now supported. Version 2.4.x remains compatible with Redis 5.x.

  • 2.4.2 is now compatible with Composer 2.x. We recommend that merchants migrate to Composer 2.x. Although you can install this release using Composer 1.x, Composer 1.x will soon reach end-of-life. For an overview of Composer 2.x features, see Composer 2.0 is now available!

The ability to configure an installation to use a split database has been deprecated in this release. Merchants who currently use split database should start planning to revert to or migrate to a single database or use an alternative approach. See the Deprecation of split database functionality in Adobe Commerce DevBlog post for an overview of this issue. See Revert from a split database to a single database for migration instructions.

Performance enhancements

This release includes code enhancements that boost API performance and Admin response time for deployments with large catalogs. Multiple scalability enhancements enable 2.4.2 to natively support complex catalogs up to 20x larger than in previous releases.

GraphQL

This release adds GraphQL coverage for the following features:

  • Added support for multiple wishlists. You can use GraphQL to create, delete, and rename wishlists as well as move or copy items between them.

  • Added support for returned merchandise authorizations (RMA). Shoppers can request a return. If the merchant accepts the request, the shopper can perform tasks such as adding a comment and add tracking information.

  • Added support for the following B2B features:

  • Added support for unions in GraphQL. GitHub-29425

  • Added support for comparison lists. Shoppers can create and delete comparison lists, and add and remove items to the comparison lists. In addition, shoppers that create a compare list as a guest can log in as a customer and retain their comparison lists.

  • Added the generateCustomerTokenAsAdmin mutation and updated the Customer object to support remote purchasing assistance.

  • Added localization support across stores to support tasks such as changing languages, carts, and currencies.

  • The GraphQL schema has been enhanced to optimize product data retrieval for configurable products with many variants.

  • Integer type object IDs have been deprecated in favor of uid attributes of type ID.

  • Added the staging attribute to the ProductInterface and CategoryInterface to determine if a product is staged and to view its associated campaign information.

See the GraphQL Developer Guide for details on these enhancements.

B2B

2.4.2 introduces B2B v1.3.1. This release includes support for online payments for purchase orders as well as multiple bug fixes.

Purchase orders can now be completed using online payment methods. B2B buyers are prompted to select their preferred payment method for each purchase order during the initial checkout. After the purchase order has been approved, buyers are prompted to enter payment details to convert the purchase order to a final order.

To support a complete workflow for accepting online payments, this feature also:

  • Overrides existing payment method templates during initial checkout to maintain PCI compliance.

  • Maintains compatibility with third-party, custom, and community-developed payment methods.

  • Notifies buyers by email when they need to add payment details to an approved purchase order.

  • Enables customization of emails from the Admin, which allows merchants to use templates that are consistent with their branding.

  • Introduces an Approved – Pending Payment state for purchase orders to clearly show when action is required.

  • Prevents discount codes from being added or removed at the final payment step, which ensures that the order total amount remains unchanged for approved purchase orders.

  • Allows buyers to change the payment method during the final payment step to maintain flexibility and increase conversion.

This release also includes multiple bug fixes. See B2B Release Notes.

PWA Studio

This release of PWA Studio includes:

  • Internationalization and localization. Venia now provides support for multiple languages and currencies.

  • Improved extensibility framework to support code changes through extensions.

  • Initial components for My Account related features such as Wishlist, Saved Payments, Address Book, and Order History.

  • Various performance optimizations and bug fixes.

For information about enhancements and bug fixes, see PWA Studio releases. See compatibility for a list of PWA Studio versions and their compatible versions.

Page Builder

This release includes enhancements to Page Builder content migration and Page Builder CSS customization:

  • Developers can now style content type output differently per viewport without using the !important directive.

  • Content migrated to Page Builder is no longer padded with default inline styling.

  • Page Builder no longer requires all content types to be placed within a row. The Page Builder stage is now initially blank and supports adding the following content types directly to the stage: Rows, Columns, Tabs, HTML Code, Blocks, Dynamic Blocks.

  • Predefined margins and paddings are no longer required for content types.

  • The new mobile viewport switcher and viewport scope for form field values lets users and developers perform these actions:

    • View content on different view ports when authoring.

    • Optimize the minimum height field parameter on different content types for each viewport. (Only one parameter, min height, is supported out of the box. Custom development is required to enable mobile optimization for other content parameters.)

    • Add field scope to custom fields and field sets (developers).

Interactive In-Product Guidance

Interactive In-Product Guidance provides merchants with usage tips and information from within the Admin on new feature announcements, walk-through guides, on-boarding information, and tool tips. Administrators must opt in from the Admin to receive in-product guidance if this feature is not enabled. See Usage Data Collection and Admin Usage.

Adobe Stock Integration

This release includes Adobe Stock Integration v2.1.1.

New Role Resources for Media Gallery. This release provides merchants the ability to limit administrator access to only the Media gallery and to control who can perform these actions:

  • Insert media assets into content

  • Upload assets

  • Edit assets details

  • Delete assets from the Media Gallery

  • Manage folder structure.

Web-optimized images in content. Merchants can now use web-optimized image renditions in content instead of high-resolution images. The original image remains unmodified in the Media Gallery, and the image rendition is dynamically generated when the image is inserted in the content.

AWS S3 support enhancements

Amazon Simple Storage Service (AWS S3) support has been enhanced to include support for:

Support for AWS S3 has been added to all modules including B2B, PageBuilder, and Adobe Stock Integration.

Functional Testing Framework (MFTF)

MFTF 3.2.1 is now available. This release introduces error tolerance in both tests and test suite generation. Additional enhancements and bug fixes are described in the Functional Testing Framework Changelog.

Order Management System (OMS)

The MCOM Connector is fully compatible with 2.4.2. Bug fixes and enhancements to the connector are described in Release notes for Connector. This release includes improvements to the OMS command-line interface, which now provides verbose information that partners and support teams can use to troubleshoot retry, queue_prune, order_sync, message process, and catalog export processes.

Vendor Developed Extensions

See the following articles for updates on features and changes for this release:

Fixed issues

We have fixed hundreds of issues in the 2.4.2 core code.

Installation, upgrade, deployment

  • Merchants can now successfully upgrade an Open Source deployment that runs MySQL 8.x to a Commerce deployment. Previously, the application threw an exception when AUTO_INCREMENT values reverted to initial values for all tables where row_id was added during upgrade.
  • The application now displays an error message that identifies the path that was used to create the patch if an error occurs when running bin/magento setup:db:generate-patch. GitHub-27523
  • block_html, full_page, and layout caches are now disabled as expected after bin/magento setup:upgrade execution. GitHub-28186
  • The minimum required PHP version in bootstrap.php has been updated. GitHub-30004
  • You can now execute bin/magento setup:upgrade after installing sample data. Previously, when you tried to execute bin/magento setup:upgrade, the application displayed this error: unable to apply data patch magento\catalogrulesampledata\setup\patch\data\installcatalogrulesampledata for module magento_catalogrulesampledata. The application also displayed this error in the system log: main.ERROR: Sample Data error: Unable to unserialize value. Error: Syntax error. GitHub-30685
  • You can now set a YouTube API key from the command line as expected. Previously, the application returned this error when you tried to execute bin/magento config:sensitive:set catalog/product_video/youtube_api_key: There are no sensitive configurations to fill.
  • The application now honors the maxMessages values that are defined in queue_consumer.xml. Previously, the application used only the deployment configuration values. GitHub-29522
  • URL generation for a new store now works as expected when the store is created using bin/magento setup:config:import. Previously, URL rewrites were not generated in production environments. GitHub-30025
  • The application no longer displays this question when you run bin/magento setup:install to connect to an existing database: Overwrite the existing configuration for db-ssl-verify?[Y/n]. GitHub-29612

AdminGWS

  • The Add New Rating button and the Save, Delete, Reset buttons are no longer available on the Stores > Attribute > Rating page for an administrator with restricted permissions.
  • The Admin now displays data only from websites that the logged-in administrator has permissions to. Previously, the Admin displayed data from all websites in the deployment.
  • All selected websites are now stored in gws_websites regardless of the size of the website ID. Previously, website IDs were truncated, and the list of selected websites was not stored in the database. User roles were not correctly saved, and the application displayed this error when a merchant tried to change and save a role: The "X" store ID is incorrect. Verify the store ID and try again.
  • The application now displays the correct item count in Admin grids for restricted admin users. Previously, counts displayed for these grids reflected data for all countries while the grids themselves displayed data from specific countries only. (This fix corrects an issue with Customers Segments, Catalog Price Rules, Cart Price Rules, All Users, Locked Users and User Roles grids.)
  • Administrators whose permissions exclude Magento_Catalog::edit_product_design (Edit Product Design) can now create a new product by saving an existing product with a new name in the selected store view. Previously, the application displayed this error: Not allowed to edit the product's design attributes. GitHub-28106
  • The application no longer displays the Add Attribute button on pages under Stores > Attributes when an administrator lacks the appropriate permissions to create these entities. Previously, the application threw a 404 error when a website administrator who did not have the appropriate permissions tried to create an Attribute Set or Customer attribute.
  • The application no longer throws an error when you try to change backend-frontname using the ssh container after installing Adobe Commerce. GitHub-26762