Magento 2.4.7-p2
14 August 2024
Magento version 2.4.7-p2 is now available (security release).
Upgrading to Magento 2.4.7-p2
You can upgrade to (or install) Magento 2.4.7-p2 using any of Installatron's products. Use Installatron's optional Automatic Update feature to automatically apply Magento updates as new versions are released, or use Installatron's Clone feature to duplicate an existing Magento install and test the 2.4.7-p2 upgrade before applying it live.
What's New in Magento 2.4.7-p2
Security
- Rate limiting for one-time passwords—The following new system configuration options are now available to enable rate limiting on two-factor authentication (2FA) one-time password (OTP) validation:
  - Retry attempt limit for Two-Factor Authentication
  - Two-Factor Authentication lockout time (seconds)
  Adobe advises setting a threshold for 2FA OTP validation to limit the number of retry attempts to mitigate brute-force attacks. See Security > 2FA in the Configuration Reference Guide for more information.
- Encryption key rotation—A new CLI command is now available for changing your encryption key. See the Troubleshooting Encryption Key Rotation: CVE-2024-34102 Knowledge Base article for details.
- Fix for CVE-2020-27511—Resolves a Prototype.js security vulnerability.
- Fix for CVE-2024-39397—Resolves a remote code execution security vulnerability. This vulnerability affects merchants using the Apache web server for on-premises or self-hosted deployments. This fix is also available as an isolated patch. See the Security update available for Adobe Commerce - APSB24-61 Knowledge Base article for details.
Bug Fixes
- Hotfix to resolve a JavaScript error that prevented Google Maps from rendering properly in the PageBuilder editor. See the Revised patches for Google Maps access loss on all Adobe Commerce versions Knowledge Base article for details.
- Hotfix to resolve a JSON web token (JWT) validation issue related to CVE-2024-34102. See the Security update available for Adobe Commerce - APSB24-40 Knowledge Base article for details.