Security updates available for Adobe Commerce APSB22-12

NOTE

UPDATE: We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087). The security update for customers is available here.

Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.

Adobe is aware that CVE-2022-24086 has been used in very limited attacks targeting Adobe Commerce merchants. Adobe is not aware of any exploits in the wild for the issue addressed in this update (CVE-2022-24087).

This article provides additional solution details for remediating the issue.

Affected products and versions

Adobe Commerce and Magento Open Source 2.3.3-p1 - 2.3.7-p2 and 2.4.0 - 2.4.3-p1

Solution for Adobe Commerce on cloud infrastructure

The issue was resolved in Cloud Patches package v1.0.16. We recommend upgrading to the latest Cloud Patches package to fix this issue. The latest Cloud Patches package will include all upgrades from earlier packages.

Before upgrading to the latest Cloud Patches package, you need to uninstall the custom patches related to APSB22-12. Specifically, the MDVA-43395 and MDVA-43443 patches. To do this, follow the below steps.

Check whether the patches MDVA-43395 and MDVA-43443 are installed. Follow these steps to know if the patches are applied.
If the patches are installed, follow these steps to uninstall them.
To upgrade to the latest Cloud Patches package, run the following command: composer update magento/magento-cloud-patches.
Commit and push composer.lock and composer.json files.
Redeploy.

Solution for Adobe Commerce on-premises and Magento Open Source

To resolve the vulnerability if you are on Adobe Commerce on-premises or Magento Open Source, you must apply two patches: MDVA-43395 patch first and then MDVA-43443 on top of it.

Use the following attached patches, depending on your Adobe Commerce version:

Adobe Commerce 2.4.3 - 2.4.3-p1:

Adobe Commerce 2.3.4-p2 - 2.4.2-p2:

Adobe Commerce 2.3.3-p1 - 2.3.4:

How to apply a composer patch

Unzip the file and follow the instructions on How to apply a composer patch provided by Adobe.

How to tell whether the patches have been applied

Considering that it is not possible to easily check if the issue was patched, you might want to check whether the MDVA-43395 and MDVA-43443 patches have been successfully applied.

You can do this by taking the following steps:

Install the Quality Patches Tool.
Run the following command: vendor/bin/magento-patches -n status |grep "43395|43443|Status"
You should see this output - MDVA-43395 returns the N/A status and MDVA-43443 returns the Applied status:

║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
║ N/A           │ ../m2-hotfixes/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom                               ║
║ MDVA-43395    │ Parser token fix                                             │ Other           │ Adobe Commerce Support │ N/A         │ Patch type: Required                             ║
║ N/A           │ ../m2-hotfixes/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch      │ Other           │ Local                  │ N/A         │ Patch type: Custom                               ║

Security updates

Security updates available for Adobe Commerce:

Adobe Security Bulletin (APSB22-12)