If you are running your store on Adobe Commerce (2.3.3-p1 to 2.3.7-p2) or Magento Open Source (2.4.0 to 2.4.3-p1), then your store is at high risk!
On Sunday, Feb 13, 2022, Adobe released an emergency security patch for Magento stores to fix a newly discovered RCE bug in Adobe Commerce and Magento Open Source. “These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution,” declared Adobe.
Affected products and versions
- Adobe Commerce and Magento Open Source 2.3.3-p1 to 2.3.7-p2 and 2.4.0 to 2.4.3-p1
The bug is being exploited in the wild as a zero-day against the versions listed above, which forced Adobe to roll out an emergency security patch to secure affected stores.
The RCE bug lets an attacker execute arbitrary code on the store server and take it over. Here is how you can secure your Magento store against it.
Security update available for Adobe Commerce | APSB22-12
Bulletin ID | Date Published | Priority |
---|---|---|
APSB22-12 | February 13, 2022 | 1 |
Critical RCE Bug Discovered in Adobe Commerce & Magento Open Source
The flaw allows an attacker to execute arbitrary code on the Magento server with no admin access needed. Adobe assigned it its highest priority rating.
The vulnerability carries a CVSS score of 9.8/10 (critical) and needs to be fixed immediately.
The only remediation, according to Adobe, is to install the latest security patch on the affected versions, which are Adobe Commerce 2.3.3-p1 to 2.3.7-p2 and Magento Open Source 2.4.0 to 2.4.3-p1. As per the official Adobe Security Bulletin, Adobe Commerce 2.3.3 and lower are not affected by the newly discovered security flaw.
Adobe has released the following security patches to fix the CVE-2022-24086 RCE bug in the affected versions:
Solution
To resolve the vulnerability, apply one of the following attached patches:
Product | Updated Version | Platform | Priority Rating | Installation Instructions |
---|---|---|---|---|
Adobe Commerce | MDVA-43395_EE_2.4.3-p1_v1 | All | 1 | Release Notes |
Magento Open Source | MDVA-43395_EE_2.4.3-p1_v1 | All | 1 |
Vulnerability Details
The patches were tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.
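Before rolling the patch out across a fleet, the first practical step is working out which installs actually fall inside the affected ranges quoted above. The following is an added example, not code from the original post or from Adobe: it parses Magento version strings (including the `-pN` patch suffix, which matters because 2.3.3 is unaffected while 2.3.3-p1 is) and triages a constructed store inventory against the ranges stated in the bulletin. The store names and versions in `SAMPLE_INVENTORY` are made up for illustration.

```python
# Version triage helper for the CVE-2022-24086 (APSB22-12) affected ranges.
# Added example: not from the original post or from Adobe. The version
# ranges are the ones quoted in the bulletin; the inventory is constructed.
import re
from typing import List, Tuple

# Accepts "2.4.3" or "2.4.3-p1"; anything else is treated as unrecognised.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '2.4.3-p1' into (2, 4, 3, 1); a release without -pN sorts as patch 0,
    so '2.3.3' < '2.3.3-p1' just as the bulletin's bounds require."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {v!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

# Inclusive affected ranges as stated in APSB22-12 (quoted in the article above).
AFFECTED_RANGES = [
    (parse_version("2.3.3-p1"), parse_version("2.3.7-p2")),
    (parse_version("2.4.0"), parse_version("2.4.3-p1")),
]

def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (tuple comparison)."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)

def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """inventory: list of (store_name, version). Returns the names that still
    need MDVA-43395 applied, in inventory order."""
    return [name for name, ver in inventory if is_affected(ver)]

# Constructed sample inventory (store names and versions are hypothetical).
SAMPLE_INVENTORY = [
    ("shop-eu", "2.4.3-p1"),
    ("shop-us", "2.3.3"),        # below the 2.3 range: not affected
    ("shop-legacy", "2.3.7-p2"), # top of the 2.3 range: affected
    ("shop-new", "2.4.4"),       # above the 2.4 range: not affected
    ("shop-apac", "2.3.3-p1"),   # bottom of the 2.3 range: affected
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected, apply MDVA-43395")
```

One caveat when using a check like this: applying the MDVA-43395 hotfix does not change the version string a store reports, so a version-only check tells you which installs are in scope, not whether the patch has already been applied; record the patch status separately (for example from your deployment tooling) and treat every in-range install as unpatched until proven otherwise.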
The RCE vulnerability is serious enough that Adobe warranted an immediate out-of-band security patch. TheCoachSMB therefore recommends patching every Magento store with the latest Adobe security patch to close this known security hole.
You can use TheCoachSMB Magento Patch Installation Service to get the latest security patch installed on your Magento platform and safeguard your store against any such security vulnerabilities.