Closed GeordiHBG closed 2 months ago
Hi @GeordiHBG. Thank you for your report. To speed up processing of this issue, make sure that the issue is reproducible on the vanilla Magento instance following Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:
@magento give me 2.4-develop instance
- 2.4-develop branch: upcoming 2.4.x release
To work on this issue, add a comment:
@magento I am working on this
Join Magento Community Engineering Slack and ask your questions in #github channel. :warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting. :clock10: You can find the schedule on the Magento Community Calendar page. :telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.
You should apply it in my opinion. If you want to be sure, add your shop to Magento's Security Scanner and trigger a scan. One of the things they scan for is to see if your site is vulnerable to this exploit. We've applied the patch to all our shops, regardless of whether they are on Magento 2.3 or 2.4, just to be on the safe side.
And you really should make plans to update to the very latest Magento version. Version 2.3.4 has hundreds of other security vulnerabilities by now; most of them won't be as critical as this one, but you should really start looking into upgrading to at least 2.4.7. The 2.4.7 release gets 3 years of security support, which was not the case with versions < 2.4.4, so if you are on 2.4.7, you'll keep getting easy-to-upgrade-to security releases every few months with security fixes until April 2027.
@hostep Thank you very much for your advice. I have scheduled a security scan on my site, and I'd like to upgrade it to the latest version of course, but I'm not sure how to safely do that. Will all the orders and user info be kept in the new version? What if something unexpected happens? What should the backup plan be? I am on an AWS EC2 server. I am not an expert on that either. Any suggestion will be appreciated.
Orders & customer data will be kept, don't worry.
But having a backup of your database and codebase is a start, so you can roll back in case something goes wrong with the Magento upgrade.
Most professional teams working on Magento have a test or staging environment to test out Magento upgrades first for a couple of days/weeks, where they can then check whether the upgrade broke anything and fix stuff until everything is working as expected.
Sorry, that's all I can offer for advice at the moment.
Hi @engcom-Hotel. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instruction: :point_down:
- Add the Area: XXXXX label to the ticket, indicating the functional areas it may be related to.
- Verify that the issue is reproducible on the 2.4-develop branch. Add the comment @magento give me 2.4-develop instance to deploy a test instance on Magento infrastructure.
- If the issue is reproducible on the 2.4-develop branch, please add the label Reproduced on 2.4.x.
- Add the label Issue: Confirmed once verification is complete.
Hello @GeordiHBG,
Thanks for the report and collaboration!
And @hostep, I truly appreciate your suggestions here, thank you very much for this. 👍
@GeordiHBG I suppose that you have gone through @hostep's comment above; I completely agree with him. Please plan an upgrade to your Magento instance.
And the issue is not related to any core Magento library, hence we are closing it for now. Please let us know if you have any further queries on this.
Summary
Firstly, I am not an expert on Magento, please forgive me if my question is silly. I have an online store on Magento v2.3.4, and it pops up the warning dialog for the security update of CVE-2024-34102. After looking through the guide, it seems isolated to v2.4.x+. Can anyone confirm whether this security update applies to version 2.3.4, or do I need to do anything about it?
Examples
Not sure this is the right place to post my question, but I have been looking for a support case and didn't find where to. Please direct me to the right place if possible.
Proposed solution
No response
Release note
No response
Triage and priority