Magento 2.4.4 has arrived, and so have security patches for other recent versions of Magento and Adobe Commerce.
Magento 2.3.7-p3 and Magento 2.4.3-p2
These patches were released on April 12th, 2022, and address PRODSECBUG-3137, a Priority 3 security vulnerability which is also labeled as CVE-2022-24093.
You can learn more about Adobe’s security vulnerability rating system at https://helpx.adobe.com/security/severity-ratings.html.
If you’re not quite ready to upgrade to 2.4.4, here’s what you need to know:
While this is rated a critical vulnerability, its Priority 3 rating means it is not known to have been exploited in the wild. According to Adobe security bulletin APSB22-13, hackers would need to be authenticated with admin privileges in order to take advantage of this arbitrary code execution vulnerability.
You can learn more about this security vulnerability at https://helpx.adobe.com/security/products/magento/apsb22-13.html
To summarize: do not neglect to install this patch (it is important!), but this is not like the recent security patches, which addressed vulnerabilities that required neither authentication nor admin privileges and therefore left a comparatively open door for hackers to exploit.
Magento and Adobe Commerce 2.4.4 have arrived, and include a wide variety of noteworthy updates. Here are the highlights:
- Support for PHP 8.1.
- Support for OpenSearch 1.2.
- Support for Elasticsearch 7.16.
- All remaining vendor-bundled extensions (except Braintree) have been removed.
- If you’re using services like Amazon Pay, dotdigital, Klarna, Vertex, and/or Yotpo, you’ll now need to install an extension.
- Over 240 quality fixes and enhancements.
- One security fix (addressing the same issue as the patches for 2.3.7 and 2.4.3).
- A wide variety of general security enhancements.
- Support for Venmo by PayPal.
- Accessibility improvements for shoppers and admins with disabilities and impairments, such as:
  - Tooltip links with text and a visible label.
  - Textual alternatives for icon images.
  - Enhanced contrast in Admin buttons and form fields.
The full release notes are accessible at: https://devdocs.magento.com/guides/v2.4/release-notes/open-source-2-4-4.html
Overall, Adobe has been working to slim down the core Magento installation with the goal of making maintenance easier and allowing merchants to focus on extensions and themes for more advanced features.
It’s worth mentioning that there are backward-incompatible changes in this new version of Magento. For a list of backward-incompatible changes, please visit: https://devdocs.magento.com/guides/v2.4/release-notes/backward-incompatible-changes/index.html
You should also be aware of some changes which can impact your site, such as the deprecation of “…token-based authentication where the access token could be used on its own for bearer authentication of API requests when integrating with a third-party system that supports this kind of authentication.” In simpler terms, Adobe is deprecating never-expiring access tokens, since for security reasons it is much better to use OAuth than a static token that never expires.
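The contrast the release note draws is between a static integration token sent on its own as a bearer credential and a proper OAuth 1.0a signed request, where the secrets never travel over the wire and every call carries a fresh nonce, timestamp and signature. As an added example (not code from the original post, from Magento or from Adobe), the following Python builds and verifies the OAuth 1.0a HMAC-SHA256 signature that Magento's REST API expects from integrations; the host `shop.example`, the consumer/token keys and secrets, and the nonce and timestamp are constructed values.

```python
"""OAuth 1.0a request signing (HMAC-SHA256) for a Magento REST call.

Added example: not code from the original post or from Magento/Adobe.
Host, keys, secrets, nonce and timestamp below are constructed values.
"""
import base64
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, quote, urlsplit, urlunsplit


def pct(value) -> str:
    """RFC 3986 percent-encoding as OAuth 1.0a requires (only -._~ unreserved)."""
    return quote(str(value), safe="-._~")


def base_url(url: str) -> str:
    """Scheme, host and path only; the query string is signed as parameters instead."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path, "", ""))


def signature_base_string(method: str, url: str, oauth_params: dict, body_params=None) -> str:
    """Build the RFC 5849 signature base string: METHOD&base-url&normalized-params."""
    params = list(parse_qsl(urlsplit(url).query, keep_blank_values=True))
    params += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    params += list((body_params or {}).items())
    encoded = sorted((pct(k), pct(v)) for k, v in params)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url(url)), pct(normalized)])


def hmac_sha256_b64(consumer_secret: str, token_secret: str, base_string: str) -> str:
    """Key is encode(consumer_secret)&encode(token_secret); output is base64 of the HMAC."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base_string.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def sign_request(method, url, consumer_key, consumer_secret, token, token_secret,
                 body_params=None, nonce=None, timestamp=None) -> dict:
    """Client side: produce the oauth_* parameters, including the signature."""
    oauth = {
        "oauth_consumer_key": consumer_key,
        "oauth_token": token,
        "oauth_signature_method": "HMAC-SHA256",  # the method Magento's REST API expects
        "oauth_timestamp": str(timestamp if timestamp is not None else int(time.time())),
        "oauth_nonce": nonce or secrets.token_hex(16),
        "oauth_version": "1.0",
    }
    base = signature_base_string(method, url, oauth, body_params)
    oauth["oauth_signature"] = hmac_sha256_b64(consumer_secret, token_secret, base)
    return oauth


def authorization_header(oauth_params: dict) -> str:
    """Render the parameters as an Authorization: OAuth header value."""
    return "OAuth " + ", ".join(f'{pct(k)}="{pct(v)}"' for k, v in sorted(oauth_params.items()))


def verify_request(method, url, oauth_params, consumer_secret, token_secret,
                   body_params=None, now=None, max_skew=300) -> bool:
    """Server side: recompute the signature and compare in constant time.

    Also rejects stale timestamps; a real server must additionally reject a
    reused nonce for the same consumer/token within the skew window.
    """
    supplied = oauth_params.get("oauth_signature")
    if supplied is None or oauth_params.get("oauth_signature_method") != "HMAC-SHA256":
        return False
    try:
        ts = int(oauth_params["oauth_timestamp"])
    except (KeyError, ValueError):
        return False
    current = int(time.time()) if now is None else now
    if abs(current - ts) > max_skew:
        return False
    base = signature_base_string(method, url, oauth_params, body_params)
    expected = hmac_sha256_b64(consumer_secret, token_secret, base)
    return hmac.compare_digest(expected, supplied)


if __name__ == "__main__":
    # Constructed demo values; a real store issues them under System > Integrations.
    URL = "https://shop.example/rest/V1/store/websites"
    params = sign_request("GET", URL, "ck", "cs", "tk", "ts")
    print(authorization_header(params))
    print("verifies:", verify_request("GET", URL, params, "cs", "ts"))
```

The point of the example is the verification side: because the signature covers the method, the URL and every parameter, a captured request cannot be replayed against another endpoint or after the timestamp window closes, which is exactly what a never-expiring token used as a bare bearer credential cannot offer.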
Another example is the removal of Email variable usage, which was deprecated back in Magento 2.3.4, and is completely removed in Magento 2.4.4. This could impact your existing Email templates in Magento.
Upgrading to Magento 2.4.4
Since Magento 2.4.4 is built to work with newer versions of PHP and other software, it’s best to make a copy of your website and work on upgrading your store within a separate development hosting environment. That will allow you to work with Magento 2.4.4 with its recommended supporting software and dependencies without impacting your live website.
For help setting up a development and/or staging environment, please contact your JetRails account manager, or simply open a JetRails support ticket.
Adobe has been engaging in a variety of new relationships to enhance opportunities for Magento store owners to access best-in-class services and innovative technologies.
For instance, they’ve partnered up with Bolt, making Bolt’s Quick Checkout available to merchants of all sizes – from startups to enterprises. Merchants are currently being granted 90-day free trials of this service, so it’s a great time to test it out.
The Adobe team has also been working on their Channel Manager integration with Walmart. Their team has been putting a lot of focus on these partnerships, as third-party services and integrations have always been cornerstones of successful eCommerce businesses. If you are interested in learning more about Bolt, please reach out to your JetRails account manager.
What does the future look like?
Magento 2.4.5 is not scheduled for release until August 2022. There is not yet a release date for 2.4.6, or a 2.5 branch of Adobe Commerce and Magento Open Source. This is consistent with Adobe’s goal of publishing fewer versions, to keep the maintenance work and costs for operating a Magento store less of a hassle for merchants.
It’s likely that 2.4.4 and the upcoming 2.4.5 will be the only new versions of Magento Open Source and Adobe Commerce this year. It’s more likely that we’ll see smaller supplemental patches released in between.
With that in mind, you’ll want to familiarize yourself with the Magento Quality Patches Tool. This resource is independent of security patches and can help you get the latest bug fixes and improvements for Magento Open Source and Adobe Commerce.
For a list of upcoming releases in 2022, please visit: https://devdocs.magento.com/release/