Release notes for Adobe Commerce 2.4.3 security patches

These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

Adobe Commerce 2.4.3-p3

The Adobe Commerce 2.4.3-p3 security release provides security fixes for vulnerabilities that have been identified in previous releases of 2.4.3. This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB22-38.

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as a shipping carrier Knowledge Base article for information about downloading and installing the patch.

Security highlights

  • ACL resources have been added to the Inventory.
  • Inventory template security has been enhanced.

Adobe Commerce 2.4.3-p2

The Adobe Commerce 2.4.3-p2 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB22-13. The patch release also resolves the vulnerability addressed by MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip, MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip,MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch, and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as a shipping carrier Knowledge Base article for information about downloading and installing the patch.

Security highlights

  • Email variable usage was deprecated back in 2.3.4 as part of a security risk mitigation in favor of a more strict variable syntax. This legacy behavior has been fully removed in this release as a continuation of that security risk mitigation.

    As a result, email or newsletter templates that worked in previous versions may not work correctly after upgrading to Adobe Commerce 2.4.3-p2. Affected templates include admin overrides, themes, child themes, and templates from custom modules or third-party extensions. Your deployment may still be affected even after using the Upgrade compatibility tool to fix deprecated usages. See Migrating custom email templates for information about potential effects and guidelines for migrating affected templates.

  • OAuth access tokens and password reset tokens are now encrypted when stored in the database.

  • Validation has been strengthened to prevent the upload of non alpha-numeric file extensions.

  • Swagger is now disabled by default when Adobe Commerce is in production mode.

  • Developers can now configure the size limit for arrays accepted by Adobe Commerce RESTful endpoints on a per-endpoint basis. See API security.

  • Added mechanisms for limiting the size and number of resources that a user can request through a web API on a system-wide basis, and for overriding the defaults on individual modules. This enhancement resolves the issue addressed by MC-43048__set_rate_limits__2.4.3.patch. See API security.

2.4.3-p1

The Adobe Commerce 2.4.3-p1 security release provides security bug fixes for vulnerabilities that have been identified in the previous release (Adobe Commerce 2.4.3 and Magento Open Source 2.4.3). This release also includes security enhancements that improve compliance with the latest security best practices.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB21-86. The patch release also provides bug fixes for the Braintree, Klarna, and Vertex vendor-developed extensions.

Apply AC-3022.patch to continue offering DHL as a shipping carrier

DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as a shipping carrier Knowledge Base article for information about downloading and installing the patch.

Hotfixes

This release includes the following hotfix, and all hotfixes that have been released for the preceding patch release.

Security highlights

Session IDs have been removed from the database. This code change may result in breaking changes if merchants have customizations or installed extensions that use the raw session IDs stored in the database.

Restricted admin access to Media Gallery folders. Default Media Gallery permissions now allow only directory operations (view, upload, delete, and create) that are allowed explicitly by configuration. Admin users can no longer access media assets through the Media Gallery that were uploaded outside of the catalog/category or wysiwyg directories. Administrators who want to access media assets must move them to an explicitly allowed folder or adjust their configuration settings. See Modify Media Library folder permissions.

Lowered limits to GraphQL query complexity. The GraphQL maximum allowed query complexity has been lowered to prevent Denial-of-Service (DOS) attacks. See GraphQL security configuration.

Recent penetration test vulnerabilities have been fixed in this release.

The unsupported source expression unsafe-inline has been removed from the Content Security Policy frame-ancestors directive. GitHub-33101

recommendation-more-help
1d4eef6c-fef1-4e61-85eb-b58d7b9ac29f