On Sunday, February 13th, Adobe released urgent security updates for Adobe Commerce and Magento Open Source. CVE-2022-24086 is a critical vulnerability that experts compare to the Magento Shoplift vulnerability from 2015. That vulnerability led to thousands of websites being hacked in just a few days, and this one likewise allows unauthenticated remote code execution, meaning attackers can easily penetrate and take control of your site if you are running an affected version.
Affected products and versions
| Product | Version |
| --- | --- |
| Adobe Commerce | 2.4.3-p1 and earlier versions |
| Adobe Commerce | 2.3.7-p2 and earlier versions |
| Magento Open Source | 2.4.3-p1 and earlier versions |
| Magento Open Source | 2.3.7-p2 and earlier versions |
Solution
To resolve the vulnerability, apply one of the following attached patches:
The patches were tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and 2.4.0 to 2.4.3-p1.
How to apply a composer patch provided by Adobe
Here are the steps to apply a composer patch for Adobe Commerce on-premises, Adobe Commerce on cloud infrastructure, and Magento Open Source.
How to apply a composer patch for Adobe Commerce on cloud infrastructure
- If you do not have a directory named m2-hotfixes in the project root, please create one.
- Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory.
- Add, commit, and push your code changes:
```shell
git add -A
git commit -m "Apply %patch_name%.composer.patch patch"
git push origin
```
For additional information about applying patches to Cloud projects, see Apply patches in Magento developer documentation.
How to apply a composer patch for Adobe Commerce on-premises and Magento Open Source
- Upload the patch to your Adobe Commerce on-premises or Magento Open Source root directory.
- Run the following SSH command (if it does not work, try using -p2 instead of -p1):

```shell
patch -p1 < %patch_name%.composer.patch
```

- For the changes to be reflected, refresh the cache in the Admin under System > Cache Management.
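The two procedures above can be wrapped in a small POSIX shell helper so that the -p1/-p2 guess is made with a dry run first (no half-applied files or .rej leftovers when the strip level is wrong) and so that running it twice reports "already applied" instead of failing. This is an added example and not Adobe's own tooling; `%patch_name%.composer.patch` and the Magento root are assumed placeholders, and the functions rely only on GNU `patch` and, for the cloud variant, `git`.

```shell
#!/bin/sh
# Added example (not part of Adobe's documentation or patch bundle).
#
#   hotfix_status      PATCH [ROOT] -> prints: applied | p1 | p2 | none
#   apply_hotfix       PATCH [ROOT] -> on-premises / Open Source: dry-run, then apply
#   stage_cloud_hotfix PATCH [ROOT] -> cloud: copy into m2-hotfixes/ and git add
#
# ROOT defaults to the current directory (the Magento root or the cloud
# project root). PATCH is the %patch_name%.composer.patch file from Adobe.

set -u

# Probe with --dry-run so nothing on disk changes. -R answers "is it already
# applied?", -N refuses to re-apply an applied patch, and -f suppresses prompts
# without second-guessing -R (unlike -t/--batch, which would silently reverse a
# reversed-looking patch). Exit status 0 means every hunk fits at that level.
hotfix_status() {
    hs_patch=$1
    hs_root=${2:-.}
    for hs_level in 1 2; do
        if patch -d "$hs_root" -p"$hs_level" -R -f -s --dry-run < "$hs_patch" >/dev/null 2>&1; then
            echo applied
            return 0
        fi
        if patch -d "$hs_root" -p"$hs_level" -N -f -s --dry-run < "$hs_patch" >/dev/null 2>&1; then
            echo "p$hs_level"
            return 0
        fi
    done
    echo none
}

# Apply at whichever strip level the dry run accepted. Prints the level used
# (or "applied" if there was nothing to do) and returns 1 if neither fits.
apply_hotfix() {
    ah_patch=$1
    ah_root=${2:-.}
    [ -f "$ah_patch" ] || { echo "no such patch file: $ah_patch" >&2; return 1; }
    ah_state=$(hotfix_status "$ah_patch" "$ah_root")
    case $ah_state in
        applied)
            echo applied
            return 0 ;;
        p1|p2)
            patch -d "$ah_root" -p"${ah_state#p}" -N -f -s < "$ah_patch" >/dev/null
            echo "$ah_state"
            return 0 ;;
        *)
            echo "patch applies with neither -p1 nor -p2: $ah_patch" >&2
            return 1 ;;
    esac
}

# Cloud infrastructure: the patch is not applied by hand but committed under
# m2-hotfixes/. This creates the directory, copies the file and stages it; the
# commit and push are the git commands quoted in the steps above.
stage_cloud_hotfix() {
    sc_patch=$1
    sc_root=${2:-.}
    case $sc_patch in
        *.composer.patch) ;;
        *) echo "expected a *.composer.patch file: $sc_patch" >&2; return 1 ;;
    esac
    mkdir -p "$sc_root/m2-hotfixes"
    cp "$sc_patch" "$sc_root/m2-hotfixes/"
    sc_dest="m2-hotfixes/$(basename "$sc_patch")"
    if git -C "$sc_root" rev-parse --is-inside-work-tree >/dev/null 2>&1; then
        git -C "$sc_root" add -A "$sc_dest"
    fi
    echo "$sc_dest"
}
```

Typical use on an on-premises install is `apply_hotfix %patch_name%.composer.patch /var/www/magento` followed by the cache refresh described above; `hotfix_status` on its own is a convenient post-deployment check that a host really carries the fix, since it reports `applied` only when every hunk reverses cleanly.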
If you are not confident about installing such a critical patch yourself or your development team is not available to do it for you, we offer help!