Security update available for Adobe Commerce - APSB24-61
On August 13, 2024, Adobe released a regularly scheduled security update for Adobe Commerce, Magento Open Source, and Adobe Commerce Webhooks Plugin. This update resolves critical, important, and moderate vulnerabilities. Successful exploitation could lead to arbitrary code execution, arbitrary file system read, security feature bypass, and privilege escalation. The bulletin is Adobe Security Bulletin (APSB24-61).
Note: CVE-2024-39397, listed in the security bulletin above, is applicable only when using the Apache web server. To make it easier to apply the fix quickly, Adobe has also released an isolated patch that resolves CVE-2024-39397.
Please apply the latest security updates as soon as possible. If you fail to do so, you become vulnerable to these security issues, and Adobe has limited means to help remediate.
Note: Please contact Support Services if you encounter any issues applying the security patch/Isolated patch.
Description
Affected products and versions
Adobe Commerce on Cloud, Adobe Commerce on-premises, and Magento Open Source:
- 2.4.7-p1 and earlier
- 2.4.6-p6 and earlier
- 2.4.5-p8 and earlier
- 2.4.4-p9 and earlier
Resolution
Solution for Adobe Commerce on Cloud, Adobe Commerce on-premises Software, and Magento Open Source
To help resolve the vulnerability for the affected products and versions, you must apply the CVE-2024-39397 Isolated patch.
Isolated Patch Details
Use the following attached Isolated patch:
How to apply the Isolated patch
Unzip the file and see How to apply a composer patch provided by Adobe in our support knowledge base for instructions.
For Adobe Commerce on Cloud merchants only - How to tell whether the Isolated patches have been applied
Considering that it’s not easy to check if the issue was patched, you might want to verify whether the CVE-2024-39397 isolated patch was successfully applied.
You can do this by taking the following steps, using the file VULN-27015-2.4.7_COMPOSER.patch as an example:
- Install the Quality Patches Tool.
- Run the command:
  vendor/bin/magento-patches -n status |grep "27015\|Status"
- You should see output similar to this, where VULN-27015 returns the Applied status:
  ║ Id │ Title │ Origin │ Status │ Details ║
  ║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom
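As an added example (not part of this article and not Adobe's or the Quality Patches Tool's own code), a small POSIX sh helper that reads the status table from standard input, finds the row for a given VULN id and returns the value of its Status column, so the check can be scripted rather than eyeballed. The sample table is constructed after the row shown above; the live wrapper assumes the vendor/bin/magento-patches path from the article.

```sh
#!/bin/sh
# Added example: extract the Status column for one VULN id from
# "magento-patches -n status" output supplied on stdin.
# Column separators are the U+2502 box-drawing bar; they are first
# normalised to ASCII "|" so awk can split fields in any locale.
patch_status() {
    id="$1"
    sed 's/│/|/g' | awk -F'|' -v id="VULN-${id}" '
        index($0, id) {
            s = $5                     # Status is the fifth bar-separated field
            gsub(/^ +| +$/, "", s)     # trim padding around the cell value
            print s
            exit
        }'
}

# Live check, as the article runs it: succeed (exit 0) only when the
# isolated patch for the given id reports "Applied". Assumes the
# vendor/bin/magento-patches path from the article.
verify_isolated_patch() {
    [ "$(vendor/bin/magento-patches -n status | patch_status "$1")" = "Applied" ]
}

# Constructed sample output, modelled on the table shown in the article.
SAMPLE_STATUS='║ Id │ Title │ Origin │ Status │ Details ║
║ N/A │ ../m2-hotfixes/VULN-27015-2.4.7_COMPOSER_patch.patch │ Other │ Local │ Applied │ Patch type: Custom'
```

Run `verify_isolated_patch 27015 && echo applied` from the Commerce root, or pipe saved status output into `patch_status 27015`.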
Security updates
Security updates available for Adobe Commerce: