Security update available for Adobe Commerce - APSB24-40 Revised to include isolated patch for CVE-2024-34102

On June 11, 2024, Adobe released a security update for Adobe Commerce, Magento Open Source, and Adobe Commerce Webhooks Plugin. This update resolves critical and important vulnerabilities. Successful exploitation could lead to arbitrary code execution, security feature bypass and privilege escalation.

On June 27, 2024, Adobe released an isolated patch for CVE-2024-34102.

Additional information about CVE-2024-34102 can be found in the Adobe Security Bulletin (APSB24-40).

The fix for CVE-2024-34102 is also included as part of the security patches released on June 11, 2024, in Adobe Commerce and Magento Open Source versions 2.4.7-p1, 2.4.6-p6, 2.4.5-p8, and 2.4.4-p9, and in Adobe Commerce Webhooks Plugin version 1.5.0.

Due to the criticality of CVE-2024-34102, Adobe released an isolated patch to help you remediate this vulnerability and give you more time to apply the full security patch.

Please apply the latest security patch and/or isolated patch below as soon as possible.
If you fail to do so, you will continue to be vulnerable to these types of attacks, and Adobe will have limited means to help remediate until you apply the latest security patch and/or isolated patch.

In this article you will find how to implement the isolated patch for this issue for the current and earlier versions of Adobe Commerce and Magento Open Source.

Affected products and versions

Adobe Commerce on Cloud, Adobe Commerce on-premise, and Magento Open Source:

  • 2.4.7 and earlier
  • 2.4.6-p5 and earlier
  • 2.4.5-p7 and earlier
  • 2.4.4-p8 and earlier

Solution for Adobe Commerce on Cloud, Adobe Commerce on-premise Software, and Magento Open Source

To help resolve the vulnerability for the affected products and versions, you must apply the VULN-27015 patch (dependent on your version).

Isolated Patch Details

Use the following attached patches, depending on your Adobe Commerce/Magento Open Source version:

For version 2.4.7:

For versions 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5:

For versions 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7:

For versions 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8:

How to apply the isolated patch

Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.

For Adobe Commerce on Cloud merchants only - How to tell whether the isolated patches have been applied

Considering that it isn’t possible to easily check if the issue was patched, you might want to check whether the VULN-27015 isolated patch has been successfully applied.

You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:

  1. Install the Quality Patches Tool.

  2. Run the command:

    cve-2024-34102-tell-if-patch-applied-code

  3. You should see output similar to this, where VULN-27015 returns the Applied status:

    ║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
    ║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom
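As an added check (example code, not from the Adobe article or the Quality Patches Tool), the following POSIX shell script parses a status table in the format shown above and confirms that the VULN-27015 row reports Applied; the sample table is constructed from the output in this article, not captured from a real store.

```shell
#!/bin/sh
# Added example: verify that a hotfix row in Quality Patches Tool status output shows "Applied".
# Assumes the table layout shown above: rows delimited by ║, columns separated by │,
# with Title as the second column and Status as the fifth.

# Constructed sample of the status table (header plus one hotfix row), based on this article.
SAMPLE_STATUS='║ Id            │ Title                                                        │ Category        │ Origin                 │ Status      │ Details                                          ║
║ N/A           │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch      │ Other           │ Local                  │ Applied     │ Patch type: Custom                               ║'

# patch_status PATCH_ID < table
# Prints the trimmed Status column of the first row whose Title contains PATCH_ID;
# prints nothing if no such row exists (the header row never matches a patch id).
patch_status() {
    awk -v id="$1" -F '│' '
        index($2, id) {
            s = $5
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", s)
            print s
            exit
        }'
}

# check_patch_applied PATCH_ID < table
# Exit 0 only if the patch is listed and its status is exactly "Applied".
check_patch_applied() {
    status=$(patch_status "$1")
    case "$status" in
        Applied) return 0 ;;
        "")      echo "$1: not listed in the status table" >&2; return 1 ;;
        *)       echo "$1: status is '$status', not Applied" >&2; return 1 ;;
    esac
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_STATUS" | check_patch_applied VULN-27015 && echo "VULN-27015: Applied"
```

Pipe the real status output of the tool into check_patch_applied instead of the sample to use it on a store.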

Security updates

Security updates available for Adobe Commerce:
