Release notes for Adobe Commerce 2.4.3 security patches

Last update: January 21, 2025

CREATED FOR:

  • Experienced
  • Admin
  • Developer

These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

Adobe Commerce 2.4.3-p3

The Adobe Commerce 2.4.3-p3 security release provides security fixes for vulnerabilities that have been identified in previous releases of 2.4.3. This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB22-38.

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as a shipping carrier Knowledge Base article for information about downloading and installing the patch.

Security highlights

  • ACL resources have been added to the Inventory.
  • Inventory template security has been enhanced.

Adobe Commerce 2.4.3-p2

The Adobe Commerce 2.4.3-p2 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB22-13. The patch release also resolves the vulnerability addressed by MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip, MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip,MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch, and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as a shipping carrier Knowledge Base article for information about downloading and installing the patch.

Security highlights

  • Email variable usage was deprecated back in 2.3.4 as part of a security risk mitigation in favor of a more strict variable syntax. This legacy behavior has been fully removed in this release as a continuation of that security risk mitigation.

    As a result, email or newsletter templates that worked in previous versions may not work correctly after upgrading to Adobe Commerce 2.4.3-p2. Affected templates include admin overrides, themes, child themes, and templates from custom modules or third-party extensions. Your deployment may still be affected even after using the Upgrade compatibility tool to fix deprecated usages. See Migrating custom email templates for information about potential effects and guidelines for migrating affected templates.

  • OAuth access tokens and password reset tokens are now encrypted when stored in the database.

  • Validation has been strengthened to prevent the upload of non alpha-numeric file extensions.

  • Swagger is now disabled by default when Adobe Commerce is in production mode.

  • Developers can now configure the size limit for arrays accepted by Adobe Commerce RESTful endpoints on a per-endpoint basis. See API security.

  • Added mechanisms for limiting the size and number of resources that a user can request through a web API on a system-wide basis, and for overriding the defaults on individual modules. This enhancement resolves the issue addressed by MC-43048__set_rate_limits__2.4.3.patch. See API security.

2.4.3-p1

The Adobe Commerce 2.4.3-p1 security release provides security bug fixes for vulnerabilities that have been identified in the previous release (Adobe Commerce 2.4.3 and Magento Open Source 2.4.3). This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB21-86. The patch release also provides bug fixes for the Braintree, Klarna, and Vertex vendor-developed extensions.

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as a shipping carrier Knowledge Base article for information about downloading and installing the patch.

Hotfixes

This release includes the following hotfix, and all hotfixes that have been released for the preceding patch release.