UPDATE: We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087). The security update for customers is available here.
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.
Adobe is aware that CVE-2022-24086 has been used in very limited attacks targeting Adobe Commerce merchants. Adobe is not aware of any exploits in the wild for the issue addressed in this update (CVE-2022-24087).
This article provides additional solution details for remediating the issue.
Affected products and versions
- Adobe Commerce and Magento Open Source 2.3.3-p1 - 2.3.7-p2 and 2.4.0 - 2.4.3-p1
To resolve the vulnerability, you must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it.
Use the following attached patches, depending on your Adobe Commerce version:
- MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip
- MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_v1.patch.zip
- MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip
- MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_v1.patch.zip
- MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip
- MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.3.4_v1.patch.zip
How to apply a composer patch
Unzip the file and follow instructions in How to apply a composer patch provided by Adobe.
How to tell whether the patches have been applied
Because there is no simple way to confirm directly that the vulnerability itself has been remediated, verify instead that the MDVA-43395 and MDVA-43443 patches have been applied successfully.
You can do this by taking the following steps:
- Install the Quality Patches Tool.
- Run the following command:
vendor/bin/magento-patches -n status | grep -E "43395|43443|Status"
- You should see this output - MDVA-43395 returns the N/A status and MDVA-43443 returns the Applied status:
║ Id         │ Title                                                    │ Category │ Origin                 │ Status  │ Details              ║
║ N/A        │ ../m2-hotfixes/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch │ Other    │ Local                  │ Applied │ Patch type: Custom   ║
║ MDVA-43395 │ Parser token fix                                         │ Other    │ Adobe Commerce Support │ N/A     │ Patch type: Required ║
║ N/A        │ ../m2-hotfixes/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch │ Other    │ Local                  │ N/A     │ Patch type: Custom   ║
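As an added verification example (not part of Adobe's article or its tooling), the following POSIX shell script parses the status table printed by the Quality Patches Tool and succeeds only when the local MDVA-43443 hotfix row reads Applied and the local MDVA-43395 row reads N/A, the combination the steps above describe. The embedded table is a constructed sample; the `vendor/bin/magento-patches` path and the box-drawing separators are taken from the article.

```shell
#!/bin/sh
# Constructed sample of `vendor/bin/magento-patches -n status` output for a
# patched 2.4.3-p1 store. Not captured from a real system.
SAMPLE_STATUS='║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch │ Other │ Local │ Applied │ Patch type: Custom ║
║ MDVA-43395 │ Parser token fix │ Other │ Adobe Commerce Support │ N/A │ Patch type: Required ║
║ N/A │ ../m2-hotfixes/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch │ Other │ Local │ N/A │ Patch type: Custom ║'

# Print the Status column (5th field) of the local m2-hotfixes row for one
# patch id. Reads the table on stdin; prints nothing when the row is absent.
local_status() {
  grep -F "m2-hotfixes/$1" \
    | sed 's/║//g; s/│/|/g' \
    | awk -F '|' '{ gsub(/^[ \t]+|[ \t]+$/, "", $5); print $5 }'
}

# Return 0 only when both hotfix rows are present with the statuses the
# article expects: MDVA-43443 "Applied" and MDVA-43395 "N/A".
verify_cve_2022_24086_patches() {
  table="$1"
  s43443=$(printf '%s\n' "$table" | local_status MDVA-43443)
  s43395=$(printf '%s\n' "$table" | local_status MDVA-43395)
  [ "$s43443" = "Applied" ] && [ "$s43395" = "N/A" ]
}

# Use the live tool when run from a Commerce root; otherwise fall back to the sample.
if [ -x vendor/bin/magento-patches ]; then
  TABLE=$(vendor/bin/magento-patches -n status)
else
  TABLE=$SAMPLE_STATUS
fi

if verify_cve_2022_24086_patches "$TABLE"; then
  echo "both hotfix rows present with the expected status"
else
  echo "hotfix rows missing or unexpected status; re-check patch application" >&2
fi
```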
Security updates available for Adobe Commerce: