Release notes for Adobe Commerce 2.4.7 security patches

These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:

  • Security bug fixes
  • Security highlights that provide more detail about enhancements and updates included in the security patch
  • Known issues
  • Instructions to apply additional patches if required
  • Information about any hot fixes included in the release

Learn more about security patch releases:

2.4.7-p3

The Adobe Commerce 2.4.7-p3 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-73.

NOTE
After installing this security patch, Adobe Commerce B2B merchants must also update to the latest compatible B2B security patch release. See B2B release notes.

Highlights

This release includes the following highlights:

  • TinyMCE upgrade—The WYSIWYG editor in the Admin now uses the latest version of the TinyMCE dependency (7.3​).

    • TinyMCE 7.3 offers an enhanced user experience, better collaboration, and increased efficiency. TinyMCE 5 has been removed in the 2.4.8 release line.​

    • Since there was a security vulnerability (CVE-2024-38357) reported in TinyMCE 5.10, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:

      • 2.4.7-p3
      • 2.4.6-p8
      • 2.4.5-p10
      • 2.4.4-p11
  • Require.js upgrade—Adobe Commerce now uses the latest version of Require.js (2.3.7).

    • Since there was a security vulnerability (CVE-2024-38999) reported in Require.js 2.3.6, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:

      • 2.4.7-p3
      • 2.4.6-p8
      • 2.4.5-p10
      • 2.4.4-p11
NOTE
These updates are backward compatible and should not impact customizations and extensions.​

Hotfixes included in this release

This release includes a hotfix to resolve an issue with the Braintree payment gateway.

The system now includes the necessary fields to fulfill the 3DS VISA mandate requirements when using Braintree as a payment gateway. This ensures that all transactions comply with the latest security standards set by VISA. Previously, these additional fields were not included in the payment information sent, which could have led to non-compliance with the new VISA requirements.

2.4.7-p2

The Adobe Commerce 2.4.7-p2 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-61.

Highlights

This release includes the following highlights:

  • Rate limiting for one-time passwords—The following new system configuration options are now available to enable rate limiting on two-factor authentication (2FA) one-time password (OTP) validation:

    • Retry attempt limit for Two-Factor Authentication
    • Two-Factor Authentication lockout time (seconds)

    Adobe advises setting a threshold for 2FA OTP validation to limit the number of retry attempts to mitigate brute-force attacks. See Security > 2FA in the Configuration Reference Guide for more information.

  • Encryption key rotation—A new CLI command is now available for changing your encryption key. See the Troubleshooting Encryption Key Rotation: CVE-2024-34102 Knowledge Base article for details.

  • Fix for CVE-2020-27511—Resolves a Prototype.js security vulnerability.

  • Fix for CVE-2024-39397—Resolves a remote code execution security vulnerability. This vulnerability affects merchants using the Apache web server for on-premises or self-hosted deployments. This fix is also available as an isolated patch. See the Security update available for Adobe Commerce - APSB24-61 Knowledge Base article for details.

Hotfixes included in this release

This release includes the following hotfixes:

2.4.7-p1

The Adobe Commerce 2.4.7-p1 security release provides security bug fixes for vulnerabilities that have been identified in previous releases of 2.4.7.

For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-40.

Apply hotfix for CVE-2024-34102

IMPORTANT
This is an urgent update to our last communication regarding CVE-2024-34102. Adobe is aware that CVE-2024-34102 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants. Take immediate action to resolve the vulnerability, if you have not done so.

For customers who have not applied security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:

Option 1:

  1. Apply one of the security patches released on June 11, 2024:

  2. Apply the hotfix released on July 17, 2024.

  3. Rotate encryption keys.

Option 2:

  1. Apply the isolated patch.

  2. Rotate encryption keys.

For customers who have already applied a security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:

  1. Apply the hotfix released on July 17, 2024.

  2. Rotate encryption keys.

For customers who have already 1) applied a security patch released on June 11, 2024 or, 2) the isolated patch released on June 28, 2024, and 3) rotated their encryption keys:

  1. Apply the hotfix released on July 17, 2024.

Highlights

This release includes the following highlights:

  • Update one-time password (OTP) settings for Google Authenticator–This update is required to resolve an error that was introduced by a backward-incompatible change in 2.4.7. The description of the OTP Window field now provides an accurate explanation of the setting and the default value has been changed from 1 to 29.

  • B2B version compatibility—For compatibility with Commerce version 2.4.7-p1, merchants that have the Adobe Commerce B2B extension must upgrade to B2B version 1.4.2-p1.

Hotfixes included in this release

Adobe Commerce 2.4.7-p1 resolves an issue introduced in the scope of the UPS integration migration from SOAP to REST API. This issue affected customers who ship outside of the US and prevented them from using the Metric System/SI measurements of kilograms and centimeters for packages to create shipments with UPS. See the UPS shipping method integration migration from SOAP to RESTful API knowledge base article for details.

recommendation-more-help
1d4eef6c-fef1-4e61-85eb-b58d7b9ac29f