Adobe released urgent security updates for Adobe Commerce and Magento Open Source on Sunday, February 13th, 2022. CVE-2022-24086 is a critical vulnerability that experts compare to the Magento "Shoplift" vulnerability from 2015, which led to thousands of websites being compromised within a few days. Like Shoplift, CVE-2022-24086 allows unauthenticated remote code execution: an attacker needs no credentials to break in and take control of your site if you are running an affected version.
Affected products and versions
| Product | Version |
| --- | --- |
| Adobe Commerce | 2.4.3-p1 and earlier versions |
| Adobe Commerce | 2.3.7-p2 and earlier versions |
| Magento Open Source | 2.4.3-p1 and earlier versions |
| Magento Open Source | 2.3.7-p2 and earlier versions |
Solution
To resolve the vulnerability, apply one of the following attached patches:
Adobe tested the patches on all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1. Older releases are also affected (see the table above) but were not part of that testing.
How to apply a composer patch provided by Adobe
The steps below cover applying a composer patch to Adobe Commerce on cloud infrastructure, and to Adobe Commerce on-premises and Magento Open Source.
How to apply a composer patch for Adobe Commerce on cloud infrastructure
- If you do not have a directory named m2-hotfixes in the project root, create one.
- Copy the %patch_name%.composer.patch file(s) into the m2-hotfixes directory.
- Add, commit, and push your code changes:
    git add -A
    git commit -m "Apply %patch_name%.composer.patch patch"
    git push origin
For additional information about applying patches to Cloud projects, see Apply patches in Magento developer documentation.
How to apply a composer patch for Adobe Commerce on-premises and Magento Open Source
- Upload the patch to your Adobe Commerce on-premises or Magento Open Source root directory.
- Run the following command over SSH from that root directory:
    patch -p1 < %patch_name%.composer.patch
  (If the command does not apply cleanly, try -p2 instead of -p1.)
- For the changes to take effect, refresh the cache in the Admin under System > Cache Management.
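The on-premises procedure above, as an added example that is not part of the original article and not Adobe's own tooling: a small POSIX shell helper that runs the patch from the store root with a dry run first, falls back from -p1 to -p2 as the hint suggests, and only then writes to disk. The sandbox it builds (a dummy vendor/demo/Foo.php and three constructed patch files named p1/p2/bad.composer.patch) is invented for the demo; real Adobe patch files have different names and touch different files. GNU patch is assumed.

```shell
#!/bin/sh
# Added example (not Adobe's code): apply a *.composer.patch from the store root,
# trying -p1 and then -p2, with a --dry-run before anything is written.
# Requires GNU patch (--dry-run). File and patch names below are constructed.

# Usage: apply_composer_patch <store_root> <patch file, relative to store_root>
# Returns 0 when applied, 1 when the dry run passed but the real run failed,
# 2 when the patch fits with neither -p1 nor -p2 (wrong version, or already applied).
apply_composer_patch() {
    store="$1"
    pf="$2"
    for strip in 1 2; do
        # -f: never prompt (we read the patch from stdin, so a prompt would hang)
        # -s: quiet; --dry-run: check every hunk without touching any file
        if (cd "$store" && patch -p"$strip" -f -s --dry-run < "$pf") >/dev/null 2>&1; then
            (cd "$store" && patch -p"$strip" -f -s < "$pf") || return 1
            # Real Magento CLI command to flush caches after patching; skipped when
            # the directory has no bin/magento (as in the sandbox below).
            if [ -x "$store/bin/magento" ]; then
                (cd "$store" && bin/magento cache:flush) || return 1
            fi
            return 0
        fi
    done
    echo "$pf does not apply with -p1 or -p2: check the version it targets, or whether it is already applied" >&2
    return 2
}

# Constructed sandbox standing in for a store root: one PHP file plus three
# patches (one applies with -p1, one needs -p2, one does not apply at all).
make_demo_store() {
    dir=$(mktemp -d)
    mkdir -p "$dir/vendor/demo"
    printf '<?php\necho "vulnerable";\n?>\n' > "$dir/vendor/demo/Foo.php"
    cat > "$dir/p1.composer.patch" <<'EOF'
--- a/vendor/demo/Foo.php
+++ b/vendor/demo/Foo.php
@@ -1,3 +1,3 @@
 <?php
-echo "vulnerable";
+echo "patched";
 ?>
EOF
    # Same change with one extra leading path component: needs -p2, as the hint covers.
    sed 's#^--- #--- x/#; s#^+++ #+++ x/#' "$dir/p1.composer.patch" > "$dir/p2.composer.patch"
    # Removed line does not match the file: the dry run must reject it and leave the file alone.
    sed 's/vulnerable/something else/' "$dir/p1.composer.patch" > "$dir/bad.composer.patch"
    echo "$dir"
}

# Second line of the sandbox file, so the outcome can be checked.
current_marker() {
    sed -n 2p "$1/vendor/demo/Foo.php"
}

# Stand-alone demo: build the sandbox and apply the -p1 patch.
demo=$(make_demo_store)
apply_composer_patch "$demo" p1.composer.patch && echo "applied: $(current_marker "$demo")"
rm -rf "$demo"
```

A failed dry run at both -p1 and -p2 leaves the tree untouched and produces no .rej files, which is the outcome you want when the patch was built for a different version or has already been applied; the plain `patch -p1 < file` from the steps above would instead write partial hunks and reject files into a production checkout.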
If you are not confident about installing such a critical patch yourself or your development team is not available to do it for you, we offer help!