Magento: Emergency-Update fixes vulnerability CVE-2022-24086 (Feb. 13, 2022)

I don't know whether any readers are responsible for online stores powered by the Magento Open Source software or the Adobe Commerce solution. Adobe released an unscheduled special update on February 13, 2022 to address the already exploited CVE-2022-24086 vulnerability in its products. This vulnerability was already used in late January 2022 to hack numerous online stores running Magento Open Source or Adobe Commerce. The attackers used the vulnerability to inject malware into the store systems.



Magento Vulnerability CVE-2022-24086

The following tweets point out the vulnerability and its consequences for Magento online store operators. More details can be found in this Sansec article. Adobe has known about the vulnerability since January 27, 2022, but did not release the patch until Sunday, February 13, 2022 (the release date is unusual).

Magento vulnerability CVE-2022-24086 used for hacks

According to Sansec, this vulnerability has a similar severity to the Magento Shoplift vulnerability from 2015, when almost all unpatched Magento stores worldwide were compromised in the days following the exploit's release. Store operators should therefore immediately pursue measures to eliminate the vulnerability.

Adobe provides updates

On Feb. 13, 2022, Adobe released a patch for the Magento Open Source system and its commercial product, Adobe Commerce, to address the vulnerability. In APSB22-12, Adobe writes:

Adobe has released security updates for Adobe Commerce and Magento open source. These updates address a vulnerability that is rated critical. If successfully exploited, arbitrary code can be executed.

Adobe is aware that the CVE-2022-24086 vulnerability has been exploited in very limited attacks against Adobe Commerce merchants.

The vulnerability is attributed to incorrect validation of input data, which allows unauthenticated remote code execution (RCE). According to Adobe, the following Magento versions are affected:



| Product | Version | Platform |
| --- | --- | --- |
| Adobe Commerce | 2.4.3-p1 and earlier versions; 2.3.7-p2 and earlier versions | All |
| Magento Open Source | 2.4.3-p1 and earlier versions; 2.3.7-p2 and earlier versions | All |

This Sansec report states that Magento 2.3.3 or lower is not directly vulnerable. Nevertheless, Sansec recommends implementing the specified patch manually. The updates are provided via the following links (see also the readme for APSB22-12).

Unzip the ZIP archives and then install them according to these Adobe instructions.
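For operators who run several stores, the affected-versions table and the Sansec note above can be turned into a quick inventory triage. The following Python sketch is an added example, not code from Adobe or Sansec; the function names, status labels, and the sample inventory are assumptions made for illustration.

```python
import re

# Ceilings from the affected-versions table in APSB22-12, as (patch, pN).
CEILING = {(2, 4): (3, 1), (2, 3): (7, 2)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse(version):
    """'2.4.3-p1' -> (2, 4, 3, 1); a missing -pN suffix counts as p0."""
    m = VERSION_RE.match(version.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None


def classify(version):
    """Map a Magento 2 version string to a triage status."""
    v = parse(version)
    if v is None or v[0] != 2:
        return "unknown"  # beta tags, Magento 1.x etc.: check by hand
    line, rest = v[:2], v[2:]
    if line > (2, 4) or (line in CEILING and rest > CEILING[line]):
        return "not-listed"
    # Lines older than 2.3 fall under "2.3.7-p2 and earlier versions".
    # Assumption: Sansec's "2.3.3 or lower" also covers 2.3.3-pN builds.
    if v[:3] <= (2, 3, 3):
        return "patch-recommended"
    return "affected"


def triage(inventory):
    """inventory: lines of '<host> <version>'; returns {status: [hosts]}."""
    result = {}
    for entry in inventory.strip().splitlines():
        host, version = entry.split()
        result.setdefault(classify(version), []).append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """
shop-a.example 2.4.3-p1
shop-b.example 2.3.7-p2
shop-c.example 2.3.2
shop-d.example 2.4.4
shop-e.example 1.9.4.5
"""

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(status, hosts)
```

The check only looks at the version string, so it cannot tell whether the patch from APSB22-12 has already been applied to a store in the affected range.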

