On Sunday, Feb 13, Adobe published a Security Bulletin. The company has rolled out patches for a new Critical 0-day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. The vulnerability tracked as CVE-2022-24086 is characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the products since this is a pre-authenticated flaw with the CVSS score of 9.8 out of 10. It is critical and being exploited in the wild. It would be best if you fixed it. In this post, let’s see How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products.
What Is Improper Input Validation?
First, see what Input Validation is. Input validation is a common technique used to check potentially dangerous inputs to ensure that the inputs are safe for processing within the code or when communicating with other software components. When software fails to validate input properly, attackers are able to craft the malicious input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.
Summary Of CVE-2022-24086- A Arbitrary Code Execution Vulnerability In Magento And Commerce:
This is a pre-authenticated flaw characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the Adobe products.
|Associated CVE ID||CVE-2022-0513|
|Description||Improper input validation in Magento and Commerce open source adobe products.|
|Associated ZDI ID||–|
|CVSS Score||9.8 Critical|
|Attack Vector (AV)||Network|
|Attack Complexity (AC)||Low|
|Privilege Required (PR)||None|
|User Interaction (UI)||None|
Adobe Products Affected By The CVE-2022-24086 Vulnerability:
The vulnerability affects Magento and Commerce open-source Adobe products 2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions.
Note: Adobe confirmed that Commerce 2.3.3 and lower are not affected.
|Adobe Commerce||2.4.3-p1 and earlier versions||All|
|2.3.7-p2 and earlier versions||All|
|Magento Open Source||2.4.3-p1 and earlier versions||All|
|2.3.7-p2 and earlier versions||All|
How To Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability In Magento And Commerce?
Adobe has responded to the vulnerability by rolling out patches to fix it. Adobe recommends users update their installation to the latest version. Here you can see the patched version details in the table.
|Product||Updated Version||Platform||Priority Rating||Installation Instructions|
|Adobe Commerce||MDVA-43395_EE_2.4.3-p1_v1||All||1||Release Notes|
How to Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability in Magento and Commerce?
- Download the Patches
Download one of the following patches:
- Apply a composer patch for Adobe Commerce on cloud infrastructure
Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory. Create the directory in the project root if you don’t have.
Add, commit, and push your code changes:
# git add -A
# git commit -m “Apply %patch_name%.composer.patch patch”
# git push origin
Click here for more information.
- Apply a composer patch for Adobe Commerce on-premises and Magento Open Source
Upload the downloaded patch files to your Adobe Commerce on-premises or Magento Open Source root directory. Run the following command
# patch -p1 < %patch_name%.composer.patch
# patch -p2 < %patch_name%.composer.patch
- Refresh the cache
Refresh the cache to apply the changes:
Admin under System > Cache Management.
We hope this post would help you know How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.