Adobe warns of second critical security hole in Adobe Commerce, Magento

As sanctioned Russian infosec firm says it has working exploit code


Adobe has put out a warning about another critical security bug affecting its Magento/Adobe Commerce product – and IT pros need to install a second patch after an initial update earlier this week failed to fully plug the first one.

You need to apply both patches, in order.

The new vuln has also been assigned a severity rating of the 9.8 on the CVSS scale – the same as its predecessor, for which Adobe issued an out-of-bounds patch earlier in the week. It's tracked as ​​CVE-2022-24087 and – like the earlier vuln, CVE-2022-24086 – impacts both Magento Open Source and Adobe Commerce.

Both are pre-authentication remote code execution (RCE) vulns arising from improper input validation – neither require authentication or admin privileges to exploit.

In the updated advisory, Adobe also widened the list of affected versions for CVE-2022-24086, which is being used in "limited attacks targeting Adobe Commerce merchants," according to the company.

The second CVSS 9.8-rated vulnerability, described in similar terms, may not yet have been exploited in the wild, according to Adobe, but successful exploitation "could lead to arbitrary code execution."

In the update, Adobe warned that: "To resolve the vulnerability, you must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it."

Precise details of exploits for both were not available at the time of writing.

Infosec firm Sansec said in a blog post updated last night that online shop owners running Magento version 2.3.3 and above need to apply both patches, saying: "These vulnerabilities have a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication."

Russian infosec company Positive Technologies, sanctioned last year by the US government for allegedly recruiting on behalf of Russian state hacking agencies, claimed it had a working exploit for '86.

Magento is a very widely used open-source ecommerce platform that was bought out by Adobe in 2018. Thanks to its wide adoption, it is a regular target of malicious people seeking to compromise the software to steal payment card details and personal data from online shoppers. ®


Other stories you might like

  • Microsoft fixes under-attack Windows zero-day Follina
    Plus: Intel, AMD react to Hertzbleed data-leaking holes in CPUs

    Patch Tuesday Microsoft claims to have finally fixed the Follina zero-day flaw in Windows as part of its June Patch Tuesday batch, which included security updates to address 55 vulnerabilities.

    Follina, eventually acknowledged by Redmond in a security advisory last month, is the most significant of the bunch as it has already been exploited in the wild.

    Criminals and snoops can abuse the remote code execution (RCE) bug, tracked as CVE-2022-30190, by crafting a file, such as a Word document, so that when opened it calls out to the Microsoft Windows Support Diagnostic Tool, which is then exploited to run malicious code, such spyware and ransomware. Disabling macros in, say, Word won't stop this from happening.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading

Biting the hand that feeds IT © 1998–2022