Security Updates Available For Adobe Commerce APSB22-12

Adobe has released high-priority security updates for Adobe Commerce and Magento Open Source. The bulletin came days after Sansec, an e-commerce malware and vulnerability detection company, disclosed a Magecart attack that infected roughly 500 Magento 1 sites with a credit card skimmer built to siphon payment data. The severity of this issue is comparable to that of the Magento Shoplift vulnerability from 2015; in the days after Shoplift was announced, practically every unpatched Magento store in the world was compromised.

Adobe tracks the flaw as CVE-2022-24086, an improper input validation issue (CWE-20) that lets an attacker execute arbitrary code on a vulnerable system. It carries a CVSS base score of 9.8/10 and is a pre-authentication issue: the vector requires neither privileges nor user interaction, so it can be exploited without credentials, which is why it is rated critical. Adobe's bulletin also notes that the flaw had already been exploited in the wild in very limited attacks, so the patch should be treated as urgent.

On February 17th Adobe updated the bulletin with a second patch for CVE-2022-24087, a related improper input validation flaw with the same CVSS base score of 9.8 and the same critical rating. Stores that applied the first patch need the second one as well; it is applied in addition to, not instead of, the first.

The patches cover the affected releases of Adobe Commerce and Magento Open Source: 2.4.3-p1 and earlier, down to 2.3.3-p1 (2.3.3 and earlier are not affected). Pick the patch file that matches your exact release and edition; the file names encode both, and a patch built for a different release will either fail to apply or apply only partially, leaving rejected hunks behind.
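A quick way to triage a fleet of stores against the range above: the script below, an added example that is not part of the page or of Adobe's tooling, reads the release version pinned in composer.lock and tests it against the affected range. The ranges encode the text above (2.4.3-p1 and earlier, down to 2.3.3-p1, with 2.3.3 itself unaffected); taking 2.3.7-p2 as the top of the 2.3 line is an assumption based on it being the last 2.3 release at the time of the bulletin. The function names and the composer.lock fragment are constructed for the example.

```python
"""Decide whether an installed Adobe Commerce / Magento Open Source release is in the
range affected by CVE-2022-24086 / CVE-2022-24087, reading the version from composer.lock.
Added example, not code from the page or from Adobe; the ranges encode the text above."""
import json
import re

# Inclusive affected ranges: 2.4.3-p1 and earlier, down to 2.3.3-p1 (2.3.3 itself is not
# affected). 2.3.7-p2 as the 2.3 upper bound is an assumption: the last 2.3 release at the time.
AFFECTED_RANGES = [("2.3.3-p1", "2.3.7-p2"), ("2.4.0", "2.4.3-p1")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# composer.lock metapackages whose version is the Magento release (Commerce, then Open Source).
METAPACKAGES = ("magento/product-enterprise-edition", "magento/product-community-edition")


def parse_version(version):
    """'2.4.3-p1' -> (2, 4, 3, 1). A release without a -pN suffix gets patch level 0, so
    2.4.3 sorts before 2.4.3-p1; comparing the raw strings would get -p10 vs -p2 wrong."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"not a Magento release version: {version!r}")
    major, minor, release, plevel = m.groups()
    return (int(major), int(minor), int(release), int(plevel or 0))


def is_affected(version):
    """True if the version falls inside one of AFFECTED_RANGES."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def installed_magento_version(lock_text):
    """Magento release recorded in a composer.lock document, or None if no metapackage is listed."""
    packages = json.loads(lock_text).get("packages", [])
    versions = {p.get("name"): p.get("version") for p in packages}
    for name in METAPACKAGES:
        if name in versions:
            return versions[name]
    return None


def audit(lock_text):
    """Summarise one composer.lock: the pinned release and whether it is in the affected range.
    A patched install keeps its release number, so 'affected' means 'needs MDVA-43395 and
    MDVA-43443 unless they are already applied', not 'still vulnerable'."""
    version = installed_magento_version(lock_text)
    return {"version": version, "affected": None if version is None else is_affected(version)}


# Constructed composer.lock fragment (real lock files carry many more packages and fields).
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.3-p1"},
    {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
]})

if __name__ == "__main__":
    print(audit(SAMPLE_LOCK))  # {'version': '2.4.3-p1', 'affected': True}
```

The check is only as trustworthy as the lock file's fidelity to what is actually deployed, and a hit tells you to confirm that both MDVA patches are in place, not that the store is exploitable.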

See Adobe's security bulletin APSB22-12 on the official Adobe website for the full advisory and the patch downloads.

How To Apply The Composer Patch For Adobe Commerce On Cloud Infrastructure

  1. Create a directory named “m2-hotfixes” in the project root 
  2. Copy the %patch_name%.composer.patch file(s) to the “m2-hotfixes” directory
  3. Add, commit, and push your code changes:

git add -A
git commit -m "Apply %patch_name%.composer.patch patch"
git push origin


Adobe Commerce on-premises and Magento Open Source

  1. Upload the patch to the root directory of your Adobe Commerce on-premises or Magento Open Source installation
  2. From an SSH session in that directory, run:

    patch -p1 < %patch_name%.composer.patch

    (-p1 strips one leading path component from the file names in the diff; if patch cannot find the files, try -p2 instead of -p1. Run it with --dry-run first to confirm every hunk applies before touching the live code.)
  3. For the changes to take effect, refresh the cache in the Admin under System > Cache Management (or run bin/magento cache:flush)

Pipeline

The drawback of the second method is that it does not fit continuous integration: the patch command and the patch file have to be wired into the deployment pipeline by hand. The Composer-based approach below avoids this:

1. Install composer plugin

Add the Composer patching plugin to the project:

composer require vaimo/composer-patches

This installs the Vaimo Composer Patches plugin, which applies patch files automatically during composer install. Its configuration format (the per-patch "source", "targets" and "after" keys used below) differs from that of Cameron Eagans' cweagans/composer-patches plugin, so do not mix the two. Composer 2.2 and later asks you to trust a plugin before it will run it; answer yes, or list the plugin under config.allow-plugins in composer.json.

2. Move patch files to the "m2-hotfixes/magento" folder

Add the patch files under a new m2-hotfixes/magento subdirectory of your Magento repository, for example m2-hotfixes/magento/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch, so they are versioned alongside the code that depends on them.


3. Modifications to composer.json

Add the following to the "extra" section of the project's composer.json. The "after" key makes the plugin apply MDVA-43443 on top of MDVA-43395 rather than in whatever order it would otherwise choose; both "source" files must match your exact release.

"extra": {
    "magento-force": "override",
    "patches": {
        "*": {
            "Apply MDVA-43395": {
                "source": "m2-hotfixes/magento/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch",
                "targets": [
                    "magento/framework",
                    "magento/module-email"
                ]
            },
            "Apply MDVA-43443": {
                "source": "m2-hotfixes/magento/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch",
                "targets": [
                    "magento/framework",
                    "magento/module-email"
                ],
                "after": "MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch"
            }
        }
    }
}

Now run composer install and the patches are applied automatically. Check the build output for each patch name so that a patch that fails to apply is caught in the pipeline rather than discovered in production.

4. Optional:

Editing composer.json changes its content hash, so Composer will warn that composer.lock is out of date. Refresh only the hash, without updating any dependencies, with:

composer update --lock
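The configuration above is only as safe as the patch files it points at and the order they are applied in. The script below is an added example (not code from the page, from Adobe, or from the Vaimo plugin) that a pipeline could run before composer install: it flattens the extra.patches entries, resolves the "after" ordering, checks that each source file exists and is a unified diff, works out which -p level its paths need (the same question as the "-p1, else -p2" note in the on-premises steps), and flags any file a patch touches outside its declared target packages. It assumes that "after" names another entry by its source file basename, as in the configuration above, and that a target package lives at vendor/<vendor>/<package>; the composer.json, the patch contents and the files they touch are constructed stand-ins written to a temporary directory, not the real Adobe patches.

```python
"""Pre-deployment check for a vaimo/composer-patches 'patches' configuration.
Added example; not code from the page, Adobe or the plugin. Assumes 'after' names an entry
by its source basename and that target packages live at vendor/<vendor>/<package>."""
import json
import os
import re
import tempfile

# File header of a unified diff; group 1 is the "a/..." path that `patch -pN` strips N components from.
DIFF_HEADER_RE = re.compile(r"^diff --git (\S+) \S+$", re.M)


def load_patch_entries(composer_json_text):
    """Flatten extra.patches.<scope>.<name> of a composer.json into a list of entries."""
    patches = json.loads(composer_json_text).get("extra", {}).get("patches", {})
    return [{"name": name, "scope": scope, "source": spec["source"],
             "targets": list(spec.get("targets", [])), "after": spec.get("after")}
            for scope, specs in patches.items() for name, spec in specs.items()]


def apply_order(entries):
    """Patch names ordered so every 'after' dependency (a source basename) is applied first."""
    pending, ordered, applied = list(entries), [], set()
    while pending:
        ready = [e for e in pending if e["after"] is None or e["after"] in applied]
        if not ready:  # nothing can proceed: a reference to an unknown patch, or a cycle
            raise ValueError("unresolvable 'after' references: " + ", ".join(e["name"] for e in pending))
        for e in ready:
            ordered.append(e["name"])
            applied.add(os.path.basename(e["source"]))
        pending = [e for e in pending if e["name"] not in ordered]
    return ordered


def strip_level(header_paths, root):
    """Smallest -p level at which every file named in the diff exists under root, else None."""
    for level in range(4):
        rel = ["/".join(p.split("/")[level:]) for p in header_paths]
        if all(r and os.path.isfile(os.path.join(root, r)) for r in rel):
            return level
    return None


def check_entry(entry, root):
    """Return {'strip_level': N or None, 'problems': [...]} for one patch entry."""
    path = os.path.join(root, entry["source"])
    if not os.path.isfile(path):
        return {"strip_level": None, "problems": [f"{entry['name']}: missing patch file {entry['source']}"]}
    with open(path, encoding="utf-8") as fh:
        headers = DIFF_HEADER_RE.findall(fh.read())
    if not headers:
        return {"strip_level": None, "problems": [f"{entry['name']}: no 'diff --git' headers, not a unified diff"]}
    level = strip_level(headers, root)
    problems = [] if level is not None else [f"{entry['name']}: touched files not found at any -p level"]
    prefixes = tuple(f"vendor/{t}/" for t in entry["targets"])  # assumed layout of a target package
    for h in headers:
        rel = "/".join(h.split("/")[1:])  # drop the leading a/
        if prefixes and not rel.startswith(prefixes):
            problems.append(f"{entry['name']}: {rel} is outside declared targets {entry['targets']}")
    return {"strip_level": level, "problems": problems}


def validate(root):
    """Run every check against <root>/composer.json; return apply order, -p levels and findings."""
    with open(os.path.join(root, "composer.json"), encoding="utf-8") as fh:
        entries = load_patch_entries(fh.read())
    results = {e["name"]: check_entry(e, root) for e in entries}
    return {"order": apply_order(entries),
            "strip_levels": {n: r["strip_level"] for n, r in results.items()},
            "problems": [p for r in results.values() for p in r["problems"]]}


# Constructed sample: the page's two entries, with MDVA-43443 deliberately also touching a file
# outside its declared targets so the check has something to report.
SAMPLE_COMPOSER_JSON = json.dumps({"extra": {"patches": {"*": {
    "Apply MDVA-43395": {
        "source": "m2-hotfixes/magento/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch",
        "targets": ["magento/framework", "magento/module-email"]},
    "Apply MDVA-43443": {
        "source": "m2-hotfixes/magento/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch",
        "targets": ["magento/framework", "magento/module-email"],
        "after": "MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch"}}}}})
EMAIL_FILTER = "vendor/magento/module-email/Model/Template/Filter.php"
FW_TEMPLATE = "vendor/magento/framework/Filter/Template.php"
CATALOG_HELPER = "vendor/magento/module-catalog/Helper/Data.php"  # not in any declared target


def _write(root, rel, text):
    os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
    with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
        fh.write(text)


def _diff_for(path):
    """One-hunk unified diff touching `path` (constructed stand-in, not Adobe's patch content)."""
    return f"diff --git a/{path} b/{path}\n--- a/{path}\n+++ b/{path}\n@@ -1 +1 @@\n-// before\n+// after\n"


def build_sample_project():
    """Write the constructed tree (composer.json, patches, touched files) to a temp dir; return its root."""
    root = tempfile.mkdtemp(prefix="m2-patch-check-")
    for rel in (EMAIL_FILTER, FW_TEMPLATE, CATALOG_HELPER):
        _write(root, rel, "// before\n")
    _write(root, "composer.json", SAMPLE_COMPOSER_JSON)
    _write(root, "m2-hotfixes/magento/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch",
           _diff_for(EMAIL_FILTER) + _diff_for(FW_TEMPLATE))
    _write(root, "m2-hotfixes/magento/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch",
           _diff_for(FW_TEMPLATE) + _diff_for(CATALOG_HELPER))
    return root
```

Calling validate(build_sample_project()) reports the order ["Apply MDVA-43395", "Apply MDVA-43443"], a -p level of 1 for both files, and one problem for the module-catalog file that MDVA-43443 touches without declaring it; a non-empty problems list is the signal to fail the pipeline stage. A patch that reaches into packages it does not declare is exactly what a tampered or mis-downloaded hotfix would look like, which is why the target check matters beyond tidiness.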

To improve both the performance and the security of the platform, Adobe also recommends upgrading to the latest Commerce and Open Source releases. Support for Magento 2.3 ends in September 2022, and version 2.4.4 is scheduled for release in March 2022.

Shriram M.S