Table of Contents
February 14, 2022
|4m
How To Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability In Magento
On Sunday, Feb 13, Adobe published a Security Bulletin. The company has rolled out patches for a new Critical 0-day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. The vulnerability tracked as CVE-2022-24086 is characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the products since this is a pre-authenticated flaw with the CVSS score of 9.8 out of 10. It is critical and being exploited in the wild. It would be best if you fixed it. In this post, let’s see How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products.
What Is Improper Input Validation?
First, see what Input Validation is. Input validation is a common technique used to check potentially dangerous inputs to ensure that the inputs are safe for processing within the code or when communicating with other software components. When software fails to validate input properly, attackers are able to craft the malicious input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Summary Of CVE-2022-24086- A Arbitrary Code Execution Vulnerability In Magento And Commerce:
This is a pre-authenticated flaw characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the Adobe products.
| Associated CVE ID | CVE-2022-0513 |
| Description | Improper input validation in Magento and Commerce open source adobe products. |
| Associated ZDI ID | – |
| CVSS Score | 9.8 Critical |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact Score | – |
| Exploitability Score | – |
| Attack Vector (AV) | Network |
| Attack Complexity (AC) | Low |
| Privilege Required (PR) | None |
| User Interaction (UI) | None |
| Scope | Unchanged |
| Confidentiality (C) | High |
| Integrity (I) | High |
| availability (a) | High |
Adobe Products Affected By The CVE-2022-24086 Vulnerability:
The vulnerability affects Magento and Commerce open-source Adobe products 2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions.
Note: Adobe confirmed that Commerce 2.3.3 and lower are not affected.
| Product | Version | Platform |
|---|---|---|
| Adobe Commerce | 2.4.3-p1 and earlier versions | All |
| 2.3.7-p2 and earlier versions | All | |
| Magento Open Source | 2.4.3-p1 and earlier versions | All |
| 2.3.7-p2 and earlier versions | All |
How To Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability In Magento And Commerce?
Adobe has responded to the vulnerability by rolling out patches to fix it. Adobe recommends users update their installation to the latest version. Here you can see the patched version details in the table.
| Product | Updated Version | Platform | Priority Rating | Installation Instructions |
|---|---|---|---|---|
| Adobe Commerce | MDVA-43395_EE_2.4.3-p1_v1 | All | 1 | Release Notes |
Download the Patches
Download one of the following patches:
MDVA-43395_EE_2.4.3-p1_v1.patch.zip
MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zipApply a composer patch for Adobe Commerce on cloud infrastructure
Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory. Create the directory in the project root if you don’t have one.
Add, commit, and push your code changes:
# git add -A
# git commit -m “Apply %patch_name%.composer.patch patch”
# git push origin
Click here for more information.Apply a composer patch for Adobe Commerce on-premises and Magento Open Source
Upload the downloaded patch files to your Adobe Commerce on-premises or Magento Open Source root directory. Run the following command
# patch -p1 < %patch_name%.composer.patch
OR
# patch -p2 < %patch_name%.composer.patchRefresh the cache
Refresh the cache to apply the changes:
Admin under System > Cache Management.
We hope this post helps you know How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
Arun KL
Arun KL is a cybersecurity professional with 15+ years of experience in IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.
- April 18, 2024
Learn Something New with Free Email subscription
Learn Something New with Free Email subscription
Subscribe
Subscribe
Subscribe
Subscribe
- April 18, 2024
