Release notes for Adobe Commerce 2.4.7 security patches
These security patch release notes capture updates to enhance the security of your Adobe Commerce deployment. Information includes, but is not limited to, the following:
- Security bug fixes
- Security highlights that provide more detail about enhancements and updates included in the security patch
- Known issues
- Instructions to apply additional patches if required
- Information about any hot fixes included in the release
Learn more about security patch releases:
- Adobe Commerce Security Patch Releases overview
- Instructions for downloading and applying security patch releases are available in the Upgrade Guide
2.4.7-p3
The Adobe Commerce 2.4.7-p3 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-73.
Highlights
This release includes the following highlights:
-
TinyMCE upgrade—The WYSIWYG editor in the Admin now uses the latest version of the TinyMCE dependency (7.3).
-
TinyMCE 7.3 offers an enhanced user experience, better collaboration, and increased efficiency. TinyMCE 5 has been removed in the 2.4.8 release line.
-
Since there was a security vulnerability (CVE-2024-38357) reported in TinyMCE 5.10, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:
- 2.4.7-p3
- 2.4.6-p8
- 2.4.5-p10
- 2.4.4-p11
-
-
Require.js upgrade—Adobe Commerce now uses the latest version of Require.js (2.3.7).
-
Since there was a security vulnerability (CVE-2024-38999) reported in Require.js 2.3.6, the dependency was also upgraded for all currently supported release lines and included in all October 2024 security patches:
- 2.4.7-p3
- 2.4.6-p8
- 2.4.5-p10
- 2.4.4-p11
-
Hotfixes included in this release
This release includes a hotfix to resolve an issue with the Braintree payment gateway.
The system now includes the necessary fields to fulfill the 3DS VISA mandate requirements when using Braintree as a payment gateway. This ensures that all transactions comply with the latest security standards set by VISA. Previously, these additional fields were not included in the payment information sent, which could have led to non-compliance with the new VISA requirements.
2.4.7-p2
The Adobe Commerce 2.4.7-p2 security release provides security bug fixes for vulnerabilities identified in previous releases of 2.4.7.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-61.
Highlights
This release includes the following highlights:
-
Rate limiting for one-time passwords—The following new system configuration options are now available to enable rate limiting on two-factor authentication (2FA) one-time password (OTP) validation:
- Retry attempt limit for Two-Factor Authentication
- Two-Factor Authentication lockout time (seconds)
Adobe advises setting a threshold for 2FA OTP validation to limit the number of retry attempts to mitigate brute-force attacks. See Security > 2FA in the Configuration Reference Guide for more information.
-
Encryption key rotation—A new CLI command is now available for changing your encryption key. See the Troubleshooting Encryption Key Rotation: CVE-2024-34102 Knowledge Base article for details.
-
Fix for CVE-2020-27511—Resolves a Prototype.js security vulnerability.
-
Fix for CVE-2024-39397—Resolves a remote code execution security vulnerability. This vulnerability affects merchants using the Apache web server for on-premises or self-hosted deployments. This fix is also available as an isolated patch. See the Security update available for Adobe Commerce - APSB24-61 Knowledge Base article for details.
Hotfixes included in this release
This release includes the following hotfixes:
-
Hotfix to resolve a JavaScript error that prevented Google Maps from rendering properly in the PageBuilder editor. See the Revised patches for Google Maps access loss on all Adobe Commerce versions Knowledge Base article for details.
-
Hotfix to resolve a JSON web token (JWT) validation issue related to CVE-2024-34102. See the Security update available for Adobe Commerce-APSB24-40 Knowledge Base article for details.
2.4.7-p1
The Adobe Commerce 2.4.7-p1 security release provides security bug fixes for vulnerabilities that have been identified in previous releases of 2.4.7.
For the latest information about the security bug fixes, see Adobe Security Bulletin APSB24-40.
Apply hotfix for CVE-2024-34102
For customers who have not applied security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:
Option 1:
Option 2:
-
Apply the isolated patch.
-
Rotate encryption keys.
For customers who have already applied a security patch released on June 11, 2024 or the isolated patch released on June 28, 2024:
For customers who have already 1) applied a security patch released on June 11, 2024 or, 2) the isolated patch released on June 28, 2024, and 3) rotated their encryption keys:
- Apply the hotfix released on July 17, 2024.
Highlights
This release includes the following highlights:
-
Update one-time password (OTP) settings for Google Authenticator–This update is required to resolve an error that was introduced by a backward-incompatible change in 2.4.7. The description of the OTP Window field now provides an accurate explanation of the setting and the default value has been changed from
1to29. -
B2B version compatibility—For compatibility with Commerce version 2.4.7-p1, merchants that have the Adobe Commerce B2B extension must upgrade to B2B version 1.4.2-p1.
Hotfixes included in this release
Adobe Commerce 2.4.7-p1 resolves an issue introduced in the scope of the UPS integration migration from SOAP to REST API. This issue affected customers who ship outside of the US and prevented them from using the Metric System/SI measurements of kilograms and centimeters for packages to create shipments with UPS. See the UPS shipping method integration migration from SOAP to RESTful API knowledge base article for details.