Security enhancements

This release includes the same security fixes and platform security improvements that are included in Adobe Commerce 2.4.6-p5, 2.4.5-p7, and 2.4.4-p8. See Adobe Security Bulletin for the latest discussion of these fixed issues.

No confirmed attacks related to these issues have occurred to date. However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions. Most of these issues require that an attacker first obtains access to the Admin. As a result, we remind you to take all necessary steps to protect your Admin, including but not limited to these efforts:

Additional security enhancements

Security improvements for this release improve compliance with the latest security best practices.

  • Changes to the behavior of non-generated cache keys:

    • Non-generated cache keys for blocks now include prefixes that differ from prefixes for keys that are generated automatically. (Non-generated cache keys are keys that are set through template directive syntax or the setCacheKey or setData methods.)
    • Non-generated cache keys for blocks now must contain only letters, digits, hyphens (-), and underscore characters (_).
  • Limitations on the number of auto-generated coupon codes. Commerce now limits the number of coupon codes that are automatically generated. The default maximum is 250,000. Merchants can use the new Code Quantity Limit configuration option (Stores > Settings:Configuration > Customers > Promotions) to prevent potentially overwhelming the system with many coupons.

  • Optimization of the default Admin URL generation process. The generation of the default Admin URL has been optimized for increased randomness, which makes generated URLs less predictable.

  • Added Subresource Integrity (SRI) support to comply with PCI 4.0 requirements for verification of script integrity on payment pages. Subresource Integrity (SRI) support provides integrity hashes for all JavaScript assets residing in the local filesystem. The default SRI feature is implemented only on the payment pages for the Admin and storefront areas. However, merchants can extend the default configuration to other pages. See Subresource Integrity in the Commerce PHP Developer Guide.

  • Changes to Content Security Policy (CSP)—Configuration updates and enhancements to Adobe Commerce Content Security Policies (CSPs) to comply with PCI 4.0 requirements. For details, see Content Security Policies in the Commerce PHP Developer Guide.

    • The default CSP configuration for payment pages for Commerce Admin and storefront areas is now restrict mode. For all other pages, the default configuration is report-only mode. In releases prior to 2.4.7, CSP was configured in report-only mode for all pages.

    • Added a nonce provider to allow execution of inline scripts in a CSP. The nonce provider facilitates the generation of unique nonce strings for each request. The strings are then attached to the CSP header.

    • Added options to configure custom URIs to report CSP violations for the Create Order page in the Admin and the Checkout page in the storefront. You can add the configuration from the Admin or by adding the URI to the config.xml file.

      NOTE
      Updating the CSP configuration to restrict mode might block existing inline scripts on payment pages in the Admin and storefront, which causes the following browser error when a page loads: Refused to execute inline script because it violates the following Content Security Policy directive: "script-src". Fix these errors by updating the whitelist configuration to allow required scripts. See Troubleshooting in the Commerce PHP Developer Guide.
  • A new full-page cache configuration setting can help to mitigate the risks associated with the HTTP {BASE-URL}/page_cache/block/esi endpoint. This endpoint supports unrestricted, dynamically loaded content fragments from Commerce layout handles and block structures. The new Handles params size configuration setting sets the value of this endpoint’s handles parameter, which determines the maximum allowed number of handles per API. The default value of this property is 100. Merchants can change this value from the Admin (Stores > Settings:Configuration > System > Full Page Cache > Handles params size). See Configure the Commerce application to use Varnish.

  • Native rate limiting for payment information transmitted through REST and GraphQL APIs. Merchants can now configure rate limiting for the payment information transmitted using REST and GraphQL. This added layer of protection supports prevention of carding attacks and potentially decreases the volume of carding attacks that test many credit card numbers at once. This is a change in the default behavior of an existing REST endpoint. See Rate limiting.

  • The default behavior of the isEmailAvailable GraphQL query and the V1/customers/isEmailAvailable REST endpoint has changed. By default, the APIs now always return true. Merchants can enable the original behavior by setting the Enable Guest Checkout Login option in the Admin to yes, but doing so can expose customer information to unauthenticated users.
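As an added illustration of the SRI and CSP items above (example code, not Adobe Commerce's own implementation), the Python below computes an SRI integrity value for a local script, generates a per-request nonce, emits an enforced CSP header on a payment page and a report-only header elsewhere, and mirrors the browser's inline-script decision. The script bytes, directive list, file path and report URI are constructed for the example.

```python
from __future__ import annotations
import base64
import hashlib
import hmac
import secrets

# Constructed sample asset standing in for a local payment-page script (not a real Commerce file).
CHECKOUT_JS = b"document.getElementById('pay').addEventListener('click', submitPayment);"

def sri_integrity(content: bytes, algo: str = "sha384") -> str:
    """SRI value for a local asset: '<algo>-<base64 digest>' (sha384 is the common choice)."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"

def sri_matches(content: bytes, integrity: str) -> bool:
    """The check a browser performs: fetched bytes must hash to the integrity attribute."""
    algo = integrity.split("-", 1)[0]
    if algo not in ("sha256", "sha384", "sha512"):
        return False  # unknown algorithm: treat as a failed check
    return hmac.compare_digest(sri_integrity(content, algo), integrity)

def new_nonce() -> str:
    """Per-request nonce, as a nonce provider generates one; never reuse it across requests."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def csp_header(nonce: str, payment_page: bool, report_uri: str) -> tuple[str, str]:
    """Restrict (enforced) mode on payment pages, report-only everywhere else."""
    policy = f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; report-uri {report_uri}"
    name = "Content-Security-Policy" if payment_page else "Content-Security-Policy-Report-Only"
    return name, policy

def inline_allowed(tag_nonce: str | None, policy: str) -> bool:
    """Mirror the browser decision for an inline <script> under script-src."""
    directives = {}
    for d in policy.split(";"):
        parts = d.split()
        if parts:
            directives[parts[0]] = parts[1:]
    sources = directives.get("script-src", directives.get("default-src", []))
    return tag_nonce is not None and f"'nonce-{tag_nonce}'" in sources

def render_payment_page(report_uri: str) -> dict:
    """One request: header plus script tags carrying the SRI hash and the request nonce."""
    nonce = new_nonce()
    name, policy = csp_header(nonce, payment_page=True, report_uri=report_uri)
    external = f'<script src="/static/checkout.js" integrity="{sri_integrity(CHECKOUT_JS)}"></script>'
    inline = f'<script nonce="{nonce}">initCheckout();</script>'
    return {"header": (name, policy), "nonce": nonce, "tags": [external, inline]}
```

An inline script whose nonce does not match the header, or an external asset whose bytes no longer hash to its integrity attribute, is the case the restrict-mode error in the note above reports.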

Platform enhancements

Platform upgrades for this release improve compliance with the latest security best practices.

Adobe Commerce 2.4.7 includes the following platform upgrades:

  • PHP 8.3 compatibility. This release introduces support for PHP 8.3. Commerce now supports both PHP 8.3 and 8.2. PHP 8.2 will be supported until its End of Service (EOS) date in December 2025. After December 2025, all merchants running 2.4.7 deployments should migrate to PHP 8.3.

Adobe Commerce 2.4.7 is still compatible with PHP 8.1 for upgrade purposes only. PHP 8.1 is not supported and not recommended. Adobe Commerce 2.4.7 core code, all bundled extensions, and all Adobe-owned extensions and SaaS services are compatible with PHP 8.3.

  • RabbitMQ 3.13 support. This release is compatible with the latest version of RabbitMQ, 3.13. Compatibility remains with RabbitMQ 3.11 and 3.12, which are supported through August 2024 and December 2024 respectively, but Adobe recommends using Adobe Commerce 2.4.7 only with RabbitMQ 3.13.

  • Composer 2.7.x. Compatibility with Composer 2.2.x remains.

  • Varnish Cache 7.4 support. This release is compatible with the latest version of Varnish Cache, 7.4. Compatibility remains with the 6.0.x and 7.2.x versions, but we recommend using Adobe Commerce 2.4.7 only with Varnish Cache version 7.4 or version 6.0 LTS.

  • Elasticsearch 8.11 compatibility

  • OpenSearch 2.12 and OpenSearch 1.3 support

  • Redis 7.2

  • The extjs library has been replaced with the latest version of jsTree.

  • jquery/fileUpload library has been removed.

All JavaScript libraries and NPM dependencies in Adobe Commerce core code have been updated to the latest available versions. All Laminas library dependencies have been updated to the latest versions that are compatible with PHP 8.3.

Additional upgrades

  • Multiple coupons per order support. Merchants can now configure the maximum number of coupons that can be applied per order with the new Maximum number of coupons per order configuration option. This value is set to 1 by default. You can now use REST or GraphQL to apply multiple coupons to a cart.

  • The Commerce UPS XML API gateway has been migrated to the new Commerce UPS REST API to support updates that UPS is making to their API security model: UPS is implementing an OAuth 2.0 security model with bearer tokens for all APIs. All previous Commerce UPS XML APIs have been removed from the Adobe Commerce 2.4.7 code base.

  • Adobe Commerce integration with FedEx has been migrated from legacy FedEx WSDL Web Services to the latest FedEx RESTful APIs. The FedEx Web Services Tracking, Address Validation, and Validate Postal Codes WSDLs will be retired in May 2024.

  • Added support for the new USPS Ground Advantage shipping method. This is an out-of-box integration with USPS’s new shipping method, USPS Ground Advantage, which was released July 2023. This new integration can be used to retrieve shipping rates and schedule deliveries and returns through the USPS shipping service. The USPS Ground Advantage shipping method replaces these shipping methods, which were retired when the USPS Ground Advantage shipping method was released:

    • USPS Retail Ground
    • First-Class Package Service
    • Parcel Select Ground
  • Temando shipping modules have been removed from the core Commerce code base. This feature was deprecated in Adobe Commerce 2.4.4.

Performance and scalability enhancements

Commerce 2.4.7 includes the following enhancements to Commerce performance and scalability:

  • Enterprise merchants can now configure up to one million active, coupon-based cart price rules in Adobe Commerce with no significant performance degradations of cart and checkout operations.

  • Enhanced indexer management. The new indexer:set-status command supports the dynamic management of indexer status. Admin users can use this command to change indexer status to suspended, invalid, or valid. This feature is particularly useful for managing system performance during extensive bulk operations, such as product imports or updates, by allowing control over when indexers are automatically triggered by the system’s cron jobs. See Manage the indexers.

  • Product listing page for complex products with many options. Load time has improved for product listing pages that include complex products with over 100 options. The performance of GraphQL requests to list products by category has also improved.

  • JSON format now supported for the REST Import API. Merchants can now import up to 100,000 records per minute into Adobe Commerce in JSON format.

  • Sales rule performance improvements. Improved performance of enterprise deployments with many (approximately 100,000) active sales rules. Enterprise deployments that heavily implement promotions often deploy many active cart rules. These types of enterprise deployments running Commerce 2.4.7 will not see any performance degradation related to the number of configured cart price rules during checkout operations.

  • Faster save operations of store-level configurations for deployments with many stores. Saving configuration settings in deployments with more than 500 stores can be time-consuming. The new Async Config module enables asynchronous configuration save operations by running a cron job that uses a consumer to process the save operation in a message queue. The Async Config module is disabled by default.

  • Faster generation of the config cache for large configurations. The bin/magento cache:clean config command now pre-warms the config cache when the config cache is enabled. This reduces the downtime required to generate the config cache for large configurations. Configuration save operations no longer clean the config_scopes cache before writing data to the cache, which also reduces the time that other requests are locked out while config data is being written.