No idea whether any readers here are responsible for online stores running the open source Magento software or Adobe's commercial Adobe Commerce product. On February 13, 2022 Adobe released an unscheduled out-of-band update that closes the already exploited vulnerability CVE-2022-24086 in both products. The vulnerability had already been used in late January 2022 to break into numerous online stores running Magento or Adobe Commerce; the attackers used it to inject malware into the store systems.
Magento Vulnerability CVE-2022-24086
Several tweets pointed out the vulnerability and its consequences for operators of Magento online stores; more details can be found in Sansec's article on the vulnerability. Adobe has known about the vulnerability since January 27, 2022, but did not release the patch until Sunday, February 13, 2022 (a Sunday release is unusual).
According to Sansec, this vulnerability is comparable in severity to the Magento Shoplift vulnerability of 2015, after which almost all unpatched Magento stores worldwide were compromised within days of the exploit's release. Store operators should therefore take measures immediately to eliminate the vulnerability.
Adobe provides updates
As of February 13, 2022, Adobe has released a patch for the open source Magento system and for its commercial product Adobe Commerce to address the vulnerability. In APSB22-12, Adobe writes:
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates address a vulnerability that is rated critical. If successfully exploited, arbitrary code can be executed.
Adobe is aware that the CVE-2022-24086 vulnerability has been exploited in very limited attacks against Adobe Commerce merchants.
The root cause is improper validation of input data, which allows unauthenticated remote code execution (RCE). According to Adobe, the following versions are affected:
Product | Version | Platform
Adobe Commerce | 2.4.3-p1 and earlier; 2.3.7-p2 and earlier | All
Magento Open Source | 2.4.3-p1 and earlier; 2.3.7-p2 and earlier | All
Sansec's report states that Magento 2.3.3 or lower is not directly vulnerable. Nevertheless, Sansec recommends applying the specified patch manually on those versions as well. Adobe provides the updates as downloadable ZIP archives linked from the bulletin (see also the readme accompanying APSB22-12).
Unzip the ZIP archives and install the patches according to Adobe's installation instructions.
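As an added example (not code from Adobe, Sansec or the original post), here is a small POSIX shell helper that tells you whether an installed version string lies inside the affected ranges from the table above, applies Sansec's "2.3.3 or lower is not directly vulnerable" distinction, and dry-runs a patch file before writing anything. The patch file name, the assumption that the unpacked archive contains a unified diff, and the `-p1` strip level are assumptions, not taken from the bulletin.

```shell
#!/bin/sh
# Added example, not code from Adobe or Sansec.  Decides whether a Magento /
# Adobe Commerce version string falls inside the ranges that APSB22-12 lists
# as affected by CVE-2022-24086 (2.4.3-p1 and earlier, 2.3.7-p2 and earlier)
# and shows a dry run before applying one of the unpacked patch files.
#
# Version strings look like "2.4.3-p1" or "2.3.7"; the "-pN" suffix is the
# security patch level, and a missing suffix is treated as p0.

# split_version "2.4.3-p1" -> "2 4 3 1"   (major minor patch plevel)
split_version() {
    v=$1
    base=${v%%-p*}            # "2.4.3"
    pl=${v#"$base"}           # "-p1" or ""
    pl=${pl#-p}               # "1" or ""
    [ -n "$pl" ] || pl=0
    oldifs=$IFS
    IFS=.
    set -- $base              # split "2.4.3" on the dots
    IFS=$oldifs
    echo "$1 ${2:-0} ${3:-0} $pl"
}

# is_affected VERSION -> exit 0 if the version is in Adobe's affected ranges
is_affected() {
    set -- $(split_version "$1")
    maj=$1; min=$2; pat=$3; pl=$4
    [ "$maj" -eq 2 ] || return 1
    case "$min" in
        4) limit_pat=3; limit_pl=1 ;;    # 2.4.3-p1 and earlier
        3) limit_pat=7; limit_pl=2 ;;    # 2.3.7-p2 and earlier
        *) return 1 ;;                   # 2.2.x and older are not in the bulletin
    esac
    if [ "$pat" -lt "$limit_pat" ]; then return 0; fi
    if [ "$pat" -eq "$limit_pat" ] && [ "$pl" -le "$limit_pl" ]; then return 0; fi
    return 1
}

# directly_vulnerable VERSION -> like is_affected, but excludes 2.3.3 and
# lower, which Sansec says are not directly vulnerable.  Patching is still
# recommended for them, so a patch script should key off is_affected.
directly_vulnerable() {
    is_affected "$1" || return 1
    set -- $(split_version "$1")
    if [ "$2" -eq 3 ] && [ "$3" -le 3 ]; then return 1; fi
    return 0
}

# apply_patch_safely PATCHFILE [MAGENTO_ROOT]
# Assumption (not from the bulletin): the unpacked archive contains a unified
# diff that applies with -p1 from the Magento root.  The dry run catches a
# wrong directory or an already-applied patch before any file is changed.
apply_patch_safely() {
    patchfile=$1
    root=${2:-.}
    (cd "$root" && patch -p1 --dry-run < "$patchfile") || {
        echo "dry run failed, not applying $patchfile" >&2
        return 1
    }
    (cd "$root" && patch -p1 < "$patchfile")
}

# Stand-alone use: ./check.sh 2.4.3-p1
# (bin/magento --version reports the installed version of a store)
if [ -n "${1:-}" ]; then
    if is_affected "$1"; then
        echo "$1: inside the affected range of APSB22-12, apply the patch"
    else
        echo "$1: not listed as affected in APSB22-12"
    fi
fi
```

Run the check against the version your store reports before and after patching; a store that still reports an affected version after `apply_patch_safely` has most likely had the patch applied to the wrong directory, which is exactly what the dry run is meant to surface.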