According to notifications from Magento's developers, two security bugs have been disclosed.
The official report follows:
For customers impacted by the vulnerability, two courses of action are currently available:
- Two patches are available on Magento's Enterprise Support Portal, or the Community Download Page:
  - SUPEE-5344 – Addresses a potential remote code execution exploit (Added Feb 9, 2015)
  - SUPEE-1533 – Addresses two potential remote code execution exploits (Added Oct 3, 2014)
- Use a Web Application Firewall, such as CloudFlare, to mitigate the vulnerability: https://blog.cloudflare.com/new-magento-waf-rule-rce-vulnerability-protection/
A compromise associated with this vulnerability can include the presence of unknown Magento administrative accounts in the Magento Admin control panel. For that reason, customers should verify all admin account email addresses for known accounts and reset passwords.
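One way to carry out the admin-account check the advisory asks for, as an added example that is not part of the Magento report: audit an export of the admin user list against the accounts the operator actually provisioned. The column names (`username`, `email`, `created`, `is_active`) are assumed from Magento 1's `admin_user` table, and the rows, the known-admin list, the organisation's domain and the cutoff date are constructed sample values.

```python
"""Audit a Magento admin_user export against the list of known administrators.

Added example, not part of the advisory. Column names follow Magento 1's
admin_user table (assumption); the rows below are constructed sample data
standing in for the output of:
    SELECT username, email, created, is_active FROM admin_user;
"""
from datetime import datetime

# Constructed sample export; a real audit would read these from the database.
ADMIN_USER_ROWS = [
    {"username": "admin",   "email": "admin@example-store.test",    "created": "2013-05-02 10:12:00", "is_active": 1},
    {"username": "jdoe",    "email": "jane.doe@example-store.test", "created": "2014-01-15 09:30:00", "is_active": 1},
    {"username": "support", "email": "webmaster@mail-drop.test",    "created": "2015-02-12 03:41:17", "is_active": 1},
]

# Accounts the operator provisioned (username -> expected e-mail address).
KNOWN_ADMINS = {
    "admin": "admin@example-store.test",
    "jdoe": "jane.doe@example-store.test",
}


def audit_admin_accounts(rows, known_admins, org_domain, since):
    """Return (reason, row) pairs for every admin account that needs review.

    Flags usernames that were never provisioned, known usernames whose e-mail
    no longer matches, e-mail addresses outside the organisation's domain, and
    accounts created on or after the given cutoff date (YYYY-MM-DD).
    """
    findings = []
    cutoff = datetime.strptime(since, "%Y-%m-%d")
    for row in rows:
        user, email = row["username"], row["email"].lower()
        if user not in known_admins:
            findings.append(("unknown username", row))
        elif known_admins[user].lower() != email:
            findings.append(("e-mail changed", row))
        if not email.endswith("@" + org_domain.lower()):
            findings.append(("external e-mail domain", row))
        if datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S") >= cutoff:
            findings.append(("created after cutoff", row))
    return findings


if __name__ == "__main__":
    for reason, row in audit_admin_accounts(ADMIN_USER_ROWS, KNOWN_ADMINS, "example-store.test", "2015-01-01"):
        print(f"{reason:24} {row['username']:10} {row['email']:32} created {row['created']}")
```

Any account the audit reports should be verified with its supposed owner and, per the advisory, all admin passwords reset regardless.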