Security Vulnerability in Zend Framework
The Zend Framework announced a potential remote code execution vulnerability on December 20, 2016. Magento followed up with an announcement on January 13, 2017, explaining that this exploit makes Magento 1 and Magento 2 installations vulnerable if the zend-mail function is used in combination with the Sendmail binary.
In conjunction with the original announcement on December 20, 2016, Zend Framework also released patched software that resolves the vulnerability. The patched versions are listed below:
- zend-mail, starting in version 2.7.2
- zend-mail, 2.4.11
- Zend Framework, 2.4.11
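To check a Composer-managed install against the versions listed above, the following Python script reads a `composer.lock` and reports each Zend package as patched, unpatched, or needing manual review. It is an added example, not code from Zend, Magento or Simple Helix. It assumes the Packagist names `zendframework/zend-mail` and `zendframework/zendframework`, treats later 2.4.x releases as patched, and uses a constructed sample lock file.

```python
import json

# (2.4-line fix, mainline fix) per package, taken from the list above.
# None = the page lists no fix outside the 2.4 line, so report "review".
# Assumption: releases after 2.4.11 on the 2.4 line keep the fix.
FIXES = {
    "zendframework/zend-mail": ((2, 4, 11), (2, 7, 2)),
    "zendframework/zendframework": ((2, 4, 11), None),
}

def parse_version(text):
    """Turn 'v2.7.1' into (2, 7, 1); return None for dev branches and aliases."""
    core = text.lstrip("vV").split("-")[0].split("+")[0]
    parts = core.split(".")
    if not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def status(name, version_text):
    """Classify one locked package as 'patched', 'unpatched' or 'review'."""
    v = parse_version(version_text)
    if v is None:
        return "review"            # e.g. dev-master: cannot compare
    lts_fix, mainline_fix = FIXES[name]
    if v < lts_fix:
        return "unpatched"
    if v[:2] == lts_fix[:2]:
        return "patched"           # 2.4.11 or later on the 2.4 line
    if mainline_fix is None:
        return "review"
    return "patched" if v >= mainline_fix else "unpatched"

def audit_lock(lock_text):
    """Return {package: (version, status)} for the Zend packages in a composer.lock."""
    lock = json.loads(lock_text)
    found = {}
    for pkg in (lock.get("packages") or []) + (lock.get("packages-dev") or []):
        if pkg.get("name") in FIXES:
            found[pkg["name"]] = (pkg["version"], status(pkg["name"], pkg["version"]))
    return found

# Constructed sample composer.lock, trimmed to the fields the audit reads.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "zendframework/zend-mail", "version": "2.7.1"},
    {"name": "zendframework/zend-stdlib", "version": "2.7.7"},
], "packages-dev": []})

if __name__ == "__main__":
    for name, (version, state) in audit_lock(SAMPLE_LOCK).items():
        print(f"{name} {version}: {state}")
```

Point `audit_lock` at the contents of a real `composer.lock` to audit a site; any "review" result needs a manual check because the locked version is a branch alias or a release line the list above does not cover.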
At Simple Helix, we take security matters very seriously. Shortly after the patches were released, they were applied to all hosted servers that we manage. Additionally, we are not using the Sendmail binary on any hosted server as it has been considered insecure for some time now.
Although your site should already be protected against this exploit, if you would like to discuss this further, please contact us and we would be happy to review your site.