UPDATE: We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087). The security update for customers is available here.
Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.
Adobe is aware that CVE-2022-24086 has been used in very limited attacks targeting Adobe Commerce merchants. Adobe is not aware of any exploits in the wild for the issue addressed in this update (CVE-2022-24087).
This article provides additional solution details for remediating the issue.
The issue was resolved in Cloud Patches package v1.0.16. We recommend upgrading to the latest Cloud Patches package to fix this issue. The latest Cloud Patches package will include all upgrades from earlier packages.
Before upgrading to the latest Cloud Patches package, you need to uninstall the custom patches related to APSB22-12, specifically the MDVA-43395 and MDVA-43443 patches. To do this, follow the steps below.
composer update magento/magento-cloud-patches
To resolve the vulnerability if you are on Adobe Commerce on-premises or Magento Open Source, you must apply two patches: MDVA-43395 patch first and then MDVA-43443 on top of it.
Use the following attached patches, depending on your Adobe Commerce version:
Adobe Commerce 2.4.3 - 2.4.3-p1:
Adobe Commerce 2.3.4-p2 - 2.4.2-p2:
Adobe Commerce 2.3.3-p1 - 2.3.4:
Unzip the file and follow the instructions on How to apply a composer patch provided by Adobe.
Because there is no simple way to check whether the underlying issue itself has been patched, you should instead verify that the MDVA-43395 and MDVA-43443 patches have been successfully applied.
You can do this by taking the following steps:
vendor/bin/magento-patches -n status | grep -E "43395|43443|Status"
║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch │ Other │ Local │ Applied │ Patch type: Custom ║
║ MDVA-43395 │ Parser token fix │ Other │ Adobe Commerce Support │ N/A │ Patch type: Required ║
║ N/A │ ../m2-hotfixes/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch │ Other │ Local │ N/A │ Patch type: Custom ║
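The grep above only lists the matching rows; it does not tell you whether the Status column actually reads "Applied" (in the sample table, for instance, MDVA-43443 is Applied but the MDVA-43395 rows still show N/A). The following shell function, added here as an example and not part of Adobe's tooling, reads the status table from stdin and fails unless every patch id passed to it has at least one row with Status "Applied". The table in SAMPLE_STATUS is a constructed copy of the output shown in this article; the function name check_patches_applied is an assumption of this example.

```shell
#!/bin/sh
# Added example (not Adobe's own tooling): confirm that the MDVA-43395 and
# MDVA-43443 hotfixes show Status "Applied" in `magento-patches status` output.
# In a real deployment you would pipe the live output in:
#   vendor/bin/magento-patches -n status | check_patches_applied MDVA-43395 MDVA-43443

# Constructed sample table, modelled on the output shown in this article.
SAMPLE_STATUS='║ Id │ Title │ Category │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch │ Other │ Local │ Applied │ Patch type: Custom ║
║ MDVA-43395 │ Parser token fix │ Other │ Adobe Commerce Support │ N/A │ Patch type: Required ║
║ N/A │ ../m2-hotfixes/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch │ Other │ Local │ N/A │ Patch type: Custom ║'

# check_patches_applied PATCH_ID...
# Reads the status table on stdin. Returns 0 only when every PATCH_ID has at
# least one row (matched on the Id or Title column) whose Status is "Applied";
# otherwise lists the unapplied ids on stderr and returns 1.
check_patches_applied() {
    table=$(cat)
    missing=""
    for id in "$@"; do
        # Replace the box-drawing column separator with "|" so awk can split
        # fields without depending on multibyte locale support.
        applied=$(printf '%s\n' "$table" | sed 's/│/|/g' | awk -F'|' -v id="$id" '
            index($1 " " $2, id) > 0 {           # Id or Title column names this patch
                gsub(/^[ \t]+|[ \t]+$/, "", $5)  # trim the Status column
                if ($5 == "Applied") found = 1
            }
            END { print (found ? "yes" : "no") }')
        [ "$applied" = "yes" ] || missing="$missing $id"
    done
    if [ -n "$missing" ]; then
        echo "NOT applied:$missing" >&2
        return 1
    fi
    echo "all patches applied: $*"
    return 0
}

# Demo against the constructed sample: MDVA-43443 is Applied but MDVA-43395
# is not, so the check fails and names the missing patch.
if printf '%s\n' "$SAMPLE_STATUS" | check_patches_applied MDVA-43395 MDVA-43443; then
    echo "store is patched"
else
    echo "store is NOT fully patched; apply the missing patches before continuing"
fi
```

The check matches a patch id against both the Id and the Title column, so it works for the Adobe-supplied "Required" rows as well as the local ../m2-hotfixes rows, and treats anything other than an exact "Applied" status (N/A, Not applied, and so on) as a failure.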
Security updates available for Adobe Commerce: