
Magento 2 Security Patch APSB22-12 to Fix RCE Vulnerability

If you are running your store on Adobe Commerce (2.3.3-p1 to 2.3.7-p2) or Magento Open Source (2.4.0 to 2.4.3-p1), your store is at high risk!

On Sunday, Feb 13, 2022, Adobe released an emergency security patch for Magento stores to fix a newly discovered RCE bug in Adobe Commerce and Magento Open Source. “These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution,” declared Adobe.

Affected products and versions

  • Adobe Commerce and Magento Open Source 2.3.3-p1 to 2.3.7-p2 and 2.4.0 to 2.4.3-p1
  • Adobe Commerce 2.3.3 and lower are not affected.

A zero-day bug in the above-mentioned Magento versions is being exploited in the wild, which forced Adobe to roll out emergency security patches to secure the stores.

The RCE bug allows attackers to execute arbitrary code on affected stores and harm them. Here is how you can secure your Magento store against it.

Security update available for Adobe Commerce | APSB22-12

Bulletin ID   Date Published      Priority
APSB22-12     February 13, 2022   1

Critical RCE Bug Discovered in Adobe Commerce & Magento Open Source

The security issue allows an attacker to execute arbitrary code on the Magento server – no admin access needed. Adobe assigned it the highest priority.

The vulnerability is rated critical with a CVSS score of 9.8/10 and needs to be fixed immediately.

The only remediation, according to Adobe, is to install the latest security patch on the affected versions, which are Adobe Commerce 2.3.3-p1 to 2.3.7-p2 and Magento Open Source 2.4.0 to 2.4.3-p1. As per the official Adobe Security Bulletin, Adobe Commerce 2.3.3 and lower are not affected by the newly discovered security flaw.

Adobe has released the following security patches to fix the CVE-2022-24086 RCE bug in the affected versions:

Solution

To resolve the vulnerability, apply one of the following attached patches:

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.
Product              Updated Version             Platform   Priority Rating   Installation Instructions
Adobe Commerce       MDVA-43395_EE_2.4.3-p1_v1   All        1                 Release Notes
Magento Open Source  MDVA-43395_EE_2.4.3-p1_v1   All        1
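Before applying the patch it helps to confirm that the installed version actually falls inside the ranges the bulletin names, and to dry-run the patch so a partial apply never leaves the code base half-patched. The script below is an added example and is not code from Adobe or from this post: the version ranges come from the bulletin text above, while the patch file name with a `.composer.patch` suffix, the `bin/magento --version` output format, and the store path are assumptions you should check against your own installation.

```shell
#!/bin/sh
# Added example (not Adobe's or this post's code): check an installed
# Magento / Adobe Commerce version against the APSB22-12 affected ranges
# and apply the MDVA-43395 patch with a dry run first.

# ASSUMPTION: Adobe ships the patch as a Composer-style unified diff.
PATCH_FILE="${PATCH_FILE:-MDVA-43395_EE_2.4.3-p1_v1.composer.patch}"

# vernum "2.4.3-p1" -> 2040301, "2.4.0" -> 2040000.
# Folds major.minor.patch and the -pN hotfix level into one integer so
# the ranges can be compared with plain -ge / -le.
vernum() {
  base=${1%%-p*}
  case $1 in
    *-p*) p=${1##*-p} ;;
    *)    p=0 ;;
  esac
  oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
  echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + p ))
}

# Returns 0 when the version lies in either affected range from the
# bulletin: 2.3.3-p1 .. 2.3.7-p2 or 2.4.0 .. 2.4.3-p1 (both inclusive).
is_affected() {
  n=$(vernum "$1")
  if [ "$n" -ge "$(vernum 2.3.3-p1)" ] && [ "$n" -le "$(vernum 2.3.7-p2)" ]; then
    return 0
  fi
  if [ "$n" -ge "$(vernum 2.4.0)" ] && [ "$n" -le "$(vernum 2.4.3-p1)" ]; then
    return 0
  fi
  return 1
}

# Prints the decision for a version string and returns 0 if the store
# needs the patch, 1 otherwise.
plan_patch() {
  if is_affected "$1"; then
    echo "version $1 is in an affected range: apply $PATCH_FILE"
    return 0
  fi
  echo "version $1 is outside the ranges in APSB22-12: no action from this bulletin"
  return 1
}

# Applies the patch from the Magento root given as $1. The dry run must
# succeed before the real apply so a rejected hunk never leaves a
# half-patched tree. Nothing is executed unless you call this function.
apply_patch() {
  store_root=$1
  cd "$store_root" || return 1
  # ASSUMPTION: `bin/magento --version` prints "Magento CLI <version>".
  ver=$(bin/magento --version | awk '{print $NF}')
  plan_patch "$ver" || return 0
  patch -p1 --dry-run < "$PATCH_FILE" || { echo "dry run failed, not applying"; return 1; }
  patch -p1 < "$PATCH_FILE"
  bin/magento cache:clean
}

# Usage: apply_patch /var/www/magento   (path is an assumption)
```

Keep the dry run even when the patch "should" apply cleanly: a store with local modifications to the affected files will reject a hunk, and a half-applied patch is harder to reason about than an unpatched one.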

Vulnerability Details

The patches were tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.

The RCE vulnerability is serious enough that Adobe issued an out-of-band security patch. TheCoachSMB therefore recommends patching Magento stores with the latest Adobe security patch to close this known security hole.

You can use TheCoachSMB Magento Patch Installation Service to get the latest security patch installed on your Magento platform and safeguard your store against any such security vulnerabilities.
