
Critical RCE Vulnerability in Adobe Commerce: Fix Security Patches MDVA-43395 & MDVA-43443

Is your store secure?

Well, store owners running Adobe Commerce and Magento Open Source no longer need to worry about the security of their stores.

Adobe Security Bulletin published a security patch called APSB22-13 for Adobe Commerce on 12th April, 2022.

Adobe Security Bulletin published a security patch called APSB22-12 for Adobe Commerce on 13th February, 2022.

These security patches are available for all the latest versions of Adobe Commerce and Magento Open Source. Let’s find out more about the security update for Adobe Commerce and why it is crucial to apply it.

What is the APSB22-12 Security Update for?

The security update released by Adobe is available for Adobe Commerce and Magento Open Source. It resolves vulnerabilities that are rated critical. Successful exploitation could lead to arbitrary code execution.

Adobe mentions, “Adobe is aware that CVE-2022-24086 has been used in very limited attacks targeting Adobe Commerce merchants. Adobe is not aware of any exploits in the wild for the issue addressed in this update (CVE-2022-24087).”

APSB22-12: Security update available for Adobe Commerce

APSB22-13: Security update available for Adobe Commerce

Versions that need Security Patch

The affected versions of Adobe Commerce are:

  • Adobe Commerce 2.4.3-p1 and previous versions
  • Adobe Commerce 2.3.7-p2 and previous versions

Note: Adobe Commerce versions 2.3.0 to 2.3.3 are unaffected.

The affected versions of Magento Open Source are:

  • Magento Open Source 2.4.3-p1 and previous versions
  • Magento Open Source 2.3.7-p2 and previous versions

Note: Magento Open Source versions 2.3.0 to 2.3.3 are unaffected.

Solution to resolve RCE vulnerability

To resolve the vulnerability, you need to apply two patches, in this order:

  • First, apply MDVA-43395
  • Then, MDVA-43443 on top of it

Based on your current Adobe Commerce or Magento Open Source version, apply patches from the following updates:

| Product | Upgraded Version |
| --- | --- |
| Adobe Commerce and Magento Open Source 2.4.3 – 2.4.3-p1 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip; MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_v1.patch.zip |
| Adobe Commerce and Magento Open Source 2.3.4-p2 – 2.4.2-p2 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip; MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_v1.patch.zip |
| Adobe Commerce and Magento Open Source 2.3.3-p1 – 2.3.4 | MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip; MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.3.4_v1.patch.zip |
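The following Python helper is an added example, not code from Adobe or from the original post. It maps an installed version to the patch files in the table above and reports which of the two patches a store still needs. The store names, the inventory and the way applied patch IDs are recorded are constructed assumptions.

```python
import re

# Version ranges and MDVA-43443 file tags copied from the table above.
ROWS = [
    ("2.4.3", "2.4.3-p1", "2.4.3-p1"),
    ("2.3.4-p2", "2.4.2-p2", "2.4.2-p2"),
    ("2.3.3-p1", "2.3.4", "2.3.4"),
]
REQUIRED = ["MDVA-43395", "MDVA-43443"]  # must be applied in this order

def parse(version):
    """Turn '2.4.3-p1' into (2, 4, 3, 1) so tuples sort in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def patch_files(version, composer=True):
    """Return the ordered patch files for a version, or None if no row covers it."""
    v = parse(version)
    suffix = "_COMPOSER_v1.patch.zip" if composer else "_v1.patch.zip"
    for low, high, tag in ROWS:
        if parse(low) <= v <= parse(high):
            return [f"MDVA-43395_EE_2.4.3-p1{suffix}", f"MDVA-43443_EE_{tag}{suffix}"]
    return None

def status(version, applied):
    """Classify one store from its version and the patch IDs already applied."""
    v = parse(version)
    if parse("2.3.0") <= v <= parse("2.3.3"):
        return "unaffected"  # per the note in the affected-versions list
    if patch_files(version) is None:
        return "not in table"  # no row on this page covers the version
    missing = [p for p in REQUIRED if p not in applied]
    if missing:
        return "needs " + " then ".join(missing)
    return "patched"

# Constructed inventory: (store name, version, patch IDs already applied).
INVENTORY = [
    ("shop-a", "2.4.3-p1", []),
    ("shop-b", "2.3.7-p2", ["MDVA-43395"]),
    ("shop-c", "2.3.3", []),
    ("shop-d", "2.4.2", ["MDVA-43395", "MDVA-43443"]),
]

if __name__ == "__main__":
    for name, version, applied in INVENTORY:
        print(name, version, status(version, applied), patch_files(version))
```

A store with only MDVA-43395 applied is reported as still needing MDVA-43443, since both patches are required.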

Apply Composer Patch provided by Adobe

Firstly, unzip the patch file and follow the step-by-step instructions provided by Adobe to apply the composer patch for Adobe Commerce on-premises, Adobe Commerce on cloud infrastructure, and Magento Open Source.

Find Instructions to Apply Composer Patch – Click Here

Final Words:

The security of your Magento 2 store is important, so it is advisable to update your store with the latest security patch. Avail Magento Security Patches Installation Service to protect your store from vulnerabilities and attacks.

Gaurav Jain