URGENT UPDATES:
On February 17th, 2022, Adobe released a notice stating that “We have discovered additional security protections necessary for CVE-2022-24086 and have released an update to address them (CVE-2022-24087).” Even if you have already patched for CVE-2022-24086 with patch MDVA-43395_EE_2.4.3-p1_v1, you will need to go back and apply patch MDVA-43443_EE_2.4.3-p1 to resolve vulnerability CVE-2022-24087 ASAP. You can access more information at https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-
On February 18th, 2022, we came across reports of Patch MDVA-43443_EE_2.4.3-p1 breaking the “Template Styles” configuration because all curly braces are removed to sanitize input.
Yesterday's emergency Magento patch breaks CSS in email templates. Still, we strongly recommend installing it, as the risk of getting hacked without it is tangible. Adobe will likely release a third patch to fix the styling issue soon. https://t.co/B1GplqQrEq
— Sansec (@sansecio) February 18, 2022
Original Post from February 14th, 2020:
While many security patches are released for Magento 2, most of them are for vulnerabilities that would be difficult for hackers to take advantage of. For instance, they may require a user to first gain access to your Magento admin in order to exploit them. When it comes to CVE-2022-24086, a critical security vulnerability that Adobe released a patch for on Sunday, February 13th, 2022, that’s not the case.
CVE-2022-24086 allows unauthenticated remote code execution (RCE), which is already being abused in the wild. In other words, hackers are scanning the web for vulnerable Magento sites, and they won’t have much trouble penetrating the defenses of a site that hasn’t installed this new patch. This particular exploit will give these criminals control of your Magento website.
This type of severe security hole is a rare find. Our friends at Sansec compared the severity of this arbitrary code execution issue to the Magento Shoplift vulnerability from 2015, which saw thousands of sites hacked within days. With that in mind, this is the kind of security issue that we hope to see only once a decade, but it's here. That means it's time to patch your site ASAP. This is not the type of patch that you can wait on. It is extremely important to apply it as close to immediately as possible.
Speaking of Sansec, they have an excellent write-up on this security issue and how to patch it here.
Other helpful resources:
- Directly access the MDVA-43395_EE_2.4.3-p1_v1 Magento 2 patches from Adobe: https://support.magento.com/hc/en-us/articles/4426353041293-Security-updates-available-for-Adobe-Commerce-APSB22-12-
- Adobe Security Bulletin on Adobe Commerce APSB22-12 / CVE-2022-24086: https://helpx.adobe.com/security/products/magento/apsb22-12.html
- Need Magento developers to help get this patch integrated for you? We’d be glad to make tailored recommendations for your specific needs and goals. Ask your JetRails account manager about our Magento Agency Matchmaker program, or visit: https://jetrails.com/magento-agencies/
Unfortunately, due to the dynamic nature of this vulnerability, it’s not something that can be comprehensively stopped with a Web Application Firewall (WAF) or other external tools. You should proceed to patch your website immediately.
This comes on the heels of an attack dubbed NaturalFreshMall, which impacted hundreds of Magento 1 websites with a payment skimmer that was loaded from “naturalfreshmall.com”, hence the name.
More than 350 ecommerce stores infected with malware in a single day.
Today our global crawler discovered 374 ecommerce stores infected with the same strain of malware. 370 of these stores load the malware via https://naturalfreshmall[.]com/image/pixel[.]js.
— Sansec (@sansecio) January 25, 2022
It also hits at a time when many in the Magento community are still patching servers for Log4j issues, although users of Managed Services like JetRails have been patched for Log4j vulnerabilities for a long time now. If you’re not already leveraging a fully-managed Magento hosting service like JetRails, which includes managed firewalling and security hardening, intrusion detection, malware scanning, and upkeep of your server software, you should be. Keeping up with these sorts of security challenges is a full-time job. It’s why your Magento website deserves a team like JetRails that provides round-the-clock monitoring, maintenance, and management of your Magento hosting environment.