Adobe warns of second critical security hole in Adobe Commerce, Magento
As sanctioned Russian infosec firm says it has working exploit code
Adobe has put out a warning about another critical security bug affecting its Magento/Adobe Commerce product – and IT pros need to install a second patch after an initial update earlier this week failed to fully plug the first one.
You need to apply both patches, in order.
The new vuln has also been assigned a severity rating of the 9.8 on the CVSS scale – the same as its predecessor, for which Adobe issued an out-of-bounds patch earlier in the week. It's tracked as CVE-2022-24087 and – like the earlier vuln, CVE-2022-24086 – impacts both Magento Open Source and Adobe Commerce.
Both are pre-authentication remote code execution (RCE) vulns arising from improper input validation – neither require authentication or admin privileges to exploit.
In the updated advisory, Adobe also widened the list of affected versions for CVE-2022-24086, which is being used in "limited attacks targeting Adobe Commerce merchants," according to the company.
The second CVSS 9.8-rated vulnerability, described in similar terms, may not yet have been exploited in the wild, according to Adobe, but successful exploitation "could lead to arbitrary code execution."
In the update, Adobe warned that: "To resolve the vulnerability, you must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it."
Precise details of exploits for both were not available at the time of writing.
- Emergency updates: Adobe, Chrome patch security bugs under active attack
- Ecommerce platforms (cough, Magento) need patching before Black Friday, warns UK's National Cyber Security Centre
- Microsoft Patch Tuesday bug drought: No, it's not climate change or unexpected code quality improvements
- PPE, Part II: UK health department takes second stab at e-commerce system for personal protective equipment
Infosec firm Sansec said in a blog post updated last night that online shop owners running Magento version 2.3.3 and above need to apply both patches, saying: "These vulnerabilities have a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication."
Russian infosec company Positive Technologies, sanctioned last year by the US government for allegedly recruiting on behalf of Russian state hacking agencies, claimed it had a working exploit for '86.
🔥 We have reproduced the fresh CVE-2022-24086 Improper Input Validation vulnerability in Magento Open Source and Adobe Commerce.— PT SWARM (@ptswarm) February 17, 2022
Successful exploitation could lead to RCE from an unauthenticated user. pic.twitter.com/QFXd7M9VVO
Magento is a very widely used open-source ecommerce platform that was bought out by Adobe in 2018. Thanks to its wide adoption, it is a regular target of malicious people seeking to compromise the software to steal payment card details and personal data from online shoppers. ®