Adobe Commerce 2.3.7-p1 is a security release that provides security fixes that enhance your Adobe Commerce 2.3.7 or Magento Open Source 2.3.7 deployment. It provides fixes for vulnerabilities that have been identified in the previous patch release, Adobe Commerce 2.3.7 and Magento Open Source 2.3.7.
PHP 7.3 reached end of support in December 2021, and Adobe Commerce 2.3.x reaches end of support in April 2022. We strongly recommend planning your upgrade now to Adobe Commerce 2.4.x or Magento Open Source 2.4.x and PHP 7.4.x to help maintain PCI compliance.
AC-3022.patch to continue offering DHL as a shipping carrier
DHL has introduced schema version 6.2 and will deprecate schema version 6.0 in the near future. Adobe Commerce 2.4.4 and earlier versions that support the DHL integration support only version 6.0. Merchants deploying these releases should apply
AC-3022.patch at their earliest convenience to continue offering DHL as a shipping carrier. See the Apply a patch to continue offering DHL as shipping carrier Knowledge Base article for information about downloading and installing the patch.
Apply MC-43048__set_rate_limits__2.3.7-p1.patch to address issue with API rate limiting
This hotfix provides a solution for the issue where Web APIs cannot process requests that contain more than 20 items in an array. This issue affects deployments running Magento Open Source 2.4.3, Adobe Commerce 2.4.3, or Adobe Commerce 2.3.7-p1. Built-in rate limiting was added to these releases to prevent denial-of-service (DoS) attacks, and the default maximum was set to 20. This patch reverts the default limit to a higher value. If you suspect that your store is experiencing a DoS attack, Adobe recommends lowering the default input limits to a lower value to restrict the number of resources that can be requested. See the Web API unable to process requests with more than 20 items in array Knowledge Base article.
Apply AC-384__Fix_Incompatible_PHP_Method__2.3.7-p1_ce.patch to address PHP fatal error on upgrade
The following fatal error can occur during upgrade to Adobe Commerce 2.3.7-p1:
1 PHP Fatal error: Uncaught Error: Call to undefined function Magento\Framework\Filesystem\Directory\str_contains() in [...]/magento/vendor/magento/framework/Filesystem/Directory/DenyListPathValidator.php:74
This error results from the use of the
str_contains function, which is an PHP 8.x function. Adobe Commerce 2.3.7-p1 does not support PHP 8.x. This hotfix replaces this function with a supported PHP 7.x function. See the Adobe Commerce upgrade 2.4.3, 2.3.7-p1 PHP Fatal error Hotfix Knowledge Base article.
What’s in this release?
Seventeen security fixes and one security enhancement are included in this security patch. Fifteen of these fixes have been backported from Magento 2.4.3, and two fixes are specific to the 2.3.x product line. See Adobe Security Bulletin.
Rate limiting is now built in to Magento APIs to prevent denial-of-service (DoS) attacks. Web APIs now impose restrictions on the size or number of resources (the default limit is set to 20 and can be configured to a different value based on business need) that can be requested by a client. See Rate limiting for information about configuring these restrictions.
Security patches typically include all hotfixes that have been released for the preceding complete release. However, no hot fixes have been released for Adobe Commerce 2.3.7 and Magento Open Source 2.3.7.
Issue: Previously placed order price is displayed when a shopper tries to place an order with a different product using the PayPal payment method. Magento displays an incorrect order price when a shopper tries to use PayPal to pay for an order after first purchasing a different product. Shoppers can successfully place the first order, but during checkout for the second order, Magento displays the first order’s total price instead of the second order’s correct total. See Adobe Commerce 2.3.7-p1 known issue: outdated order total for PayPal.
Installation and upgrade instructions
For instructions on downloading and applying security patches (including patch 2.4.2-p1), see Quick start install.
For general information about security patches, see Introducing the New Security Patch Release.