Release notes for Adobe Commerce 2.4.5 security patches
These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:
- Security bug fixes
- Security highlights that provide more detail about enhancements and updates included in the security patch
- Known issues
- Instructions to apply additional patches if required
- Information about any hot fixes included in the release
Learn more about security patch releases:
Adobe Commerce 2.4.5-p8
The Adobe Commerce 2.4.5-p7 security release provides security bug fixes for vulnerabilities that have been identified in previous releases of 2.4.5.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-40.
Platform upgrades
- MariaDB 10.5 support. This patch release introduces compatibility with MariaDB version 10.5. Adobe Commerce is still compatible with MariaDB version 10.4, but Adobe recommends using Adobe Commerce 2.4.5-p8 and all upcoming 2.4.5 security-only patch releases only with MariaDB version 10.5 because MariaDB 10.4 maintenance ends on June 18, 2024.
Additional security enhancements
-
Added Subresource Integrity (SRI) support to comply with PCI 4.0 requirements for verification of script integrity on payment pages. Subresource Integrity (SRI) support provides integrity hashes for all JavaScript assets residing in the local filesystem. The default SRI feature is implemented only on the payment pages for the Admin and storefront areas. However, merchants can extend the default configuration to other pages. See Subresource Integrity in the Commerce PHP Developer Guide.
-
Changes to Content Security Policy (CSP)—Configuration updates and enhancements to Adobe Commerce Content Security Policies (CSPs) to comply with PCI 4.0 requirements. For details, see Content Security Policies in the Commerce PHP Developer Guide.
-
The default CSP configuration for payment pages for Commerce Admin and storefront areas is now
restrictmode. For all other pages, the default configuration isreport-onlymode. In releases prior to 2.4.7, CSP was configured inreport-onlymode for all pages. -
Added a nonce provider to allow execution of inline scripts in a CSP. The nonce provider facilitates the generation of unique nonce strings for each request. The strings are then attached to the CSP header.
-
Added options to configure custom URIs to report CSP violations for the Create Order page in the Admin and the Checkout page in the storefront. You can add the configuration from the Admin or by adding the URI to the
config.xmlfile.note note NOTE Updating the CSP configuration to restrictmode might block existing inline scripts on payment pages in the Admin and storefront, which causes the following browser error when a page loads:Refused to execute inline script because it violates the following Content Security Policy directive: "script-src. Fix these errors by updating the whitelist configuration to allow required scripts. See Troubleshooting in the Commerce PHP Developer Guide.
-
Adobe Commerce 2.4.5-p7
The Adobe Commerce 2.4.5-p7 security release provides security bug fixes for vulnerabilities that have been identified in previous releases.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-18.
Adobe Commerce 2.4.5-p6
The Adobe Commerce 2.4.5-p6 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements to improve compliance with the latest security best practices.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-03.
Security highlights
This release introduces two significant security enhancements:
-
Changes to the behavior of non-generated cache keys:
- Non-generated cache keys for blocks now include prefixes that differ from prefixes for keys that are generated automatically. (Non-generated cache keys are keys that are set through template directive syntax or the
setCacheKeyorsetDatamethods.) - Non-generated cache keys for blocks now must contain only letters, digits, hyphens (-), and underscore characters (_).
- Non-generated cache keys for blocks now include prefixes that differ from prefixes for keys that are generated automatically. (Non-generated cache keys are keys that are set through template directive syntax or the
-
Limitations on the number of auto-generated coupon codes. Commerce now limits the number of coupon codes that are automatically generated. The default maximum is 250,000. Merchants can use the new Code Quantity Limit configuration option (Stores > Settings:Configuration > Customers > Promotions) to control this new limit.
Adobe Commerce 2.4.5-p5
The Adobe Commerce 2.4.5-p5 security release provides security bug fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements to improve compliance with the latest security best practices.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB23-50.
Security highlight
This release introduces a new full page cache configuration setting that helps to mitigate the risks associated with the {BASE-URL}/page_cache/block/esi HTTP endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles Param configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles Param).
Known issue
Issue: Adobe Commerce displays a wrong checksum error during download by Composer from repo.magento.com, and package download is interrupted. This issue can occur during download of release packages that were made available during prerelease and is caused by a repackaging of the magento/module-page-cache package.
Workaround: Merchants who see this error during download can take these steps:
- Delete the
/vendordirectory inside the project, if one exists. - Run the
bin/magento composer update magento/module-page-cachecommand. This command updates only thepage cachepackage.
If the checksum problem persists, remove the composer.lock file before re-running the bin/magento composer update command to update every package.
Adobe Commerce 2.4.5-p4
The Adobe Commerce 2.4.5-p4 security release provides security bug fixes for vulnerabilities that have been identified in previous releases.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB23-42.
Apply patch to resolve security vulnerability CVE-2022-31160 in jQuery-UI library
jQuery-UI library version 1.13.1 has a known security vulnerability (CVE-2022-31160) that affects multiple versions of Adobe Commerce and Magento Open Source. This library is a dependency of Adobe Commerce and Magento Open Source 2.4.4, 2.4.5, and 2.4.6. Merchants running affected deployments should apply the patch specified in the jQuery UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases Knowledge Base article.
Adobe Commerce 2.4.5-p3
The Adobe Commerce 2.4.5-p3 security release provides security fixes for vulnerabilities that have been identified in previous releases. This release also includes security enhancements that improve compliance with the latest security best practices.
For the latest information about the security bug fixes, see Adobe Security Bulletin.
Apply patch to resolve security vulnerability CVE-2022-31160 in jQuery-UI library
jQuery-UI library version 1.13.1 has a known security vulnerability (CVE-2022-31160) that affects multiple versions of Adobe Commerce and Magento Open Source. This library is a dependency of Adobe Commerce and Magento Open Source 2.4.4, 2.4.5, and 2.4.6. Merchants running affected deployments should apply the patch specified in the Query UI security vulnerability CVE-2022-31160 fix for 2.4.4, 2.4.5, and 2.4.6 releases Knowledge Base article.
Security highlight
The default behavior of the isEmailAvailable GraphQL query and (V1/customers/isEmailAvailable) REST endpoint has changed. By default, the API now always returns true. Merchants can enable the original behavior, which is to return true if the email does not exist in the database and false if it exists.
Platform upgrades
Platform upgrades for this release improve compliance with the latest security best practices.
-
Varnish cache 7.3 support. This release is compatible with the latest version of Varnish Cache 7.3. Compatibility remains with the 6.0.x and 7.2.x versions, but we recommended using Adobe Commerce 2.4.5-p3 only with Varnish Cache version 7.3 or version 6.0 LTS.
-
RabbitMQ 3.11 support. This release is compatible with the latest version of RabbitMQ 3.11. Compatibility remains with RabbitMQ 3.9, which is supported through August 2023, but we recommended using Adobe Commerce 2.4.5-p3 only with RabbitMQ 3.11.
-
JavaScript libraries. Outdated JavaScript libraries have been upgraded to the latest minor or patch versions, including
moment.jslibrary (v2.29.4),jQuery UIlibrary (v1.13.2), andjQueryvalidation plugin library (v1.19.5).
Adobe Commerce 2.4.5-p2 release notes
The Adobe Commerce 2.4.5-p2 security release provides three security fixes for vulnerabilities that have been identified in previous releases.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB23-17.
Adobe Commerce 2.4.5-p1
The Adobe Commerce 2.4.5-p1 security release provides security bug fixes for vulnerabilities that have been identified in the previous release (Adobe Commerce 2.4.5 and Magento Open Source 2.4.5).
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB22-48.
One of the security bug fixes included the creation of a new configuration setting. The Require email confirmation if email has been changed configuration setting lets administrators require email confirmation when an Admin user changes their email address.