Security updates available for Adobe Commerce (APSB24-90)


Description

Environments

  • Adobe Commerce Service Connector, version 3.2.5 or earlier
  • Adobe Commerce on Cloud, all versions with the magento/services-id extension installed - powered by Commerce Services and deployed as SaaS (Software as a Service)
  • Adobe Commerce On-premises, all versions with the magento/services-id extension installed - powered by Commerce Services and deployed as SaaS (Software as a Service)
  • Magento Open Source, all versions with the magento/services-id extension installed - powered by Commerce Services and deployed as SaaS (Software as a Service)

Issue

On November 12, 2024, Adobe released a security update for Adobe Commerce (on Cloud and On-premises) and Magento Open Source features powered by Commerce Services and deployed as SaaS (Software as a Service). This update resolves a critical vulnerability. Successful exploitation could lead to arbitrary code execution. Adobe is not aware of any exploits in the wild for any of the issues addressed in these updates.

More information can be found in the APSB24-90 security bulletin.

Please apply the latest security updates as soon as possible. If you fail to do so, you will be vulnerable to these security issues, and Adobe will have limited means to help remediate.

Resolution

To resolve the vulnerability, upgrade the magento/services-id extension to version 3.2.6.

Steps to proceed with the upgrade:

composer update magento/services-id magento/module-services-id magento/module-services-id-graph-ql-server
bin/magento setup:upgrade --keep-generated
bin/magento setup:static-content:deploy
bin/magento cache:clean

NOTE: For Adobe Commerce Cloud users, you can’t run this command directly in the cloud environment - you must follow the Cloud deployment workflow.

How to check the extension version:

Use the following command to check the extension version and confirm that it has been upgraded to version 3.2.6:

composer show magento/services-id
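
The version check can be scripted so that it compares the installed release numerically against 3.2.6 and also handles later releases. This is an added example, not Adobe's code: the function names are hypothetical, the sample output is constructed, and it assumes composer show prints the installed release on a line of the form "versions : * X.Y.Z".

```shell
#!/bin/sh
# Added example: classify the installed magento/services-id release.
FIXED_VERSION="3.2.6"   # fixed release named in the Resolution section

# Constructed sample of `composer show magento/services-id` output.
sample_output() {
    printf '%s\n' \
        'name     : magento/services-id' \
        'versions : * 3.2.5'
}

# Read `composer show <package>` output on stdin and print the installed
# version (assumed format: "versions : * X.Y.Z", optional leading "v").
installed_version() {
    sed -n 's/^versions[[:space:]]*:[[:space:]]*\*[[:space:]]*v\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 when $1 >= $2. Fields are compared as numbers, so 3.2.10 is
# correctly treated as newer than 3.2.6 (a string compare gets this wrong).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) > (y[i] + 0)) exit 0
            if ((x[i] + 0) < (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# Print PATCHED, NEEDS_UPGRADE or NOT_INSTALLED for the output on stdin.
check_services_id() {
    ver=$(installed_version)
    if [ -z "$ver" ]; then
        echo "NOT_INSTALLED"
    elif version_ge "$ver" "$FIXED_VERSION"; then
        echo "PATCHED $ver"
    else
        echo "NEEDS_UPGRADE $ver"
    fi
}

# Demo on the constructed sample; on a real project root use:
#   composer show magento/services-id | check_services_id
sample_output | check_services_id
```
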