On October 11th, 2022, Adobe published security bulletin APSB22-48, which describes a critical Magento vulnerability referenced as CVE-2022-35689. It covers Magento Bug IDs PRODSECBUG-3177 and PRODSECBUG-318.
Why do you need to patch for CVE-2022-35689 ASAP?
While some vulnerabilities are hard for attackers to exploit, these particular ones are considered comparatively easy to take advantage of. Most notably, PRODSECBUG-3177, a stored Cross-site Scripting (XSS) vulnerability, does not require an attacker to be authenticated or to have admin privileges.
It’s always important to install security patches in a timely fashion, including to meet PCI and other compliance requirements. However, given the nature of this vulnerability, it’s important that Magento and Adobe Commerce website owners patch their sites immediately.
Magento 2.4.5-p1 and 2.4.4-p2
For those who have already upgraded to Magento 2.4.5, Adobe has released patch 2.4.5-p1. This patch addresses both of the newly disclosed security vulnerabilities.
For those on Magento 2.4.4, Adobe released the 2.4.4-p2 patch which similarly addresses these vulnerabilities.
What about older versions of Magento?
For merchants that are still on older versions of Magento or Adobe Commerce, we will continue to share more information as it becomes available from our team, our partners, and the greater Magento Community. With that in mind, here’s an update from our security partners at Sansec:
Adobe provided fixes for 2.4.4 and 2.4.5. But..
2.3 and 2.4.3 are likely vuln as well. Adobe is “discussing releasing a hotfix” for older versions.
Many merchants are still on 2.4.3, because 2.4.4 requires PHP8 which is a major upgrade. https://t.co/5YvERjizOJ
— Sansec (@sansecio) October 13, 2022
Additional October 13th, 2022 Update:
In the Magento Community Engineering Slack, a member of the Adobe team confirmed that they are working on a hotfix for all affected [supported] versions:
We anticipate that release will include patches for users of Magento Open Source and Adobe Commerce versions 2.4.0 through 2.4.3. Since Magento 2.3.x reached end of life on September 8th, 2022, there is no information about patches for users that are still on a version of Magento 2.3.
October 14th, 2022 Morning Update:
Adobe has not published a definitive list of impacted versions of Magento Open Source and Adobe Commerce that are susceptible to these newly disclosed vulnerabilities. They also have not committed to providing patches for unsupported versions of Magento, including Magento 2.3.x. We are, however, starting to see open-source research and patches from the Magento community:
https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches
https://gist.github.com/jissereitsma/0aa5560367db698f1b44b7448c48bf66
The safest and best choice is to upgrade to a supported version of Magento ASAP in order to use the official patches from Adobe. The patches being quickly formulated by the Magento Community may or may not be equivalent at this time. However, if you cannot upgrade your website to a supported version of Magento ASAP, talk to your web developers about whether you should test an open-source solution as a stop-gap measure.
October 14th Evening Update:
According to Nathan Smith from Adobe, they are still working on patches for older versions of Magento. These are anticipated to become available early in the week of October 17th. “We will not be able to finish the publication of the hotfixes by end of day today. We aim to have them ready and published early next week. We can say that as long as you have applied all available applicable security patches for your installed version, 2.4.3-p1/2.3.7-p2 and below are not affected. We will be releasing hotfixes for 2.4.3-p2, 2.4.3-p3, 2.4.4, 2.4.4-p1, and 2.4.5 early next week. We appreciate your patience.”
This tells us that Magento 2.3.7-p2 and below, and Magento 2.4.3-p1 and below are unaffected. Patches for the impacted versions of Magento 2.4 are being worked on, but official patches for 2.3.7-p3 and 2.3.7-p4, which are end-of-life, are not pending at this time. Merchants on these versions of Magento should still be looking at community patches as we discussed in our update from this morning (see above).
We will continue to update this article as more information becomes available.
October 18th Update:
Adobe has released its official security patches for additional supported versions of Magento and Adobe Commerce. This includes a patch for 2.4.4, 2.4.4-p1, and 2.4.5, and another patch for 2.4.3-p2 and 2.4.3-p3. To access these patches, please visit https://experienceleague.adobe.com/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/adobe-commerce-2.4.0-2.4.5-security-hotfix-for-cve-2022-35698.html?lang=en
As Magento/Adobe Commerce 2.3.7 is outside of its support window, it isn’t addressed in this update. However, Nathan Smith of Adobe did confirm that merchants on 2.3.7-p3 and 2.3.7-p4 are vulnerable.
Our previous recommendations still stand for merchants on these versions of Magento/Adobe Commerce. The safest and best choice is to upgrade to a supported version of Magento ASAP in order to use the official patches from Adobe. However, if you cannot upgrade your website to a supported version of Magento ASAP, talk to your web developers about whether you should test an open-source solution as a stop-gap measure, such as these patches: https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches
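The affected-version statements above (Adobe's October 14th note that 2.4.3-p1/2.3.7-p2 and below are unaffected, the October 18th hotfix list for 2.4.3-p2 through 2.4.5, the fixed releases 2.4.4-p2 and 2.4.5-p1, and the confirmation that 2.3.7-p3/p4 are vulnerable but end of life) are easy to misread when a store reports something like "2.4.4-p1". The following is an added example, not Adobe's or JetRails' tooling: it parses a Magento version string (including the `-pN` patch level), pulls that string out of text such as `bin/magento --version` output, and classifies it against the ranges the article states. The status table is constructed from this article, and it assumes that releases newer than 2.4.5-p1 carry the fix.

```python
"""Classify an installed Magento / Adobe Commerce version against the
affected-version statements for APSB22-48 as given in this article.
Added example; the status table below is built from the article text
and is not an Adobe publication."""
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, patch, -pN level)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")
# Finds the first x.y.z[-pN] token inside free text (e.g. CLI output).
VERSION_IN_TEXT_RE = re.compile(r"\b\d+\.\d+\.\d+(?:-p\d+)?\b")

# Versions the article lists as needing Adobe's October 18th hotfix.
NEEDS_HOTFIX = {(2, 4, 3, 2), (2, 4, 3, 3), (2, 4, 4, 0), (2, 4, 4, 1), (2, 4, 5, 0)}
# End-of-life versions Adobe confirmed vulnerable with no official patch.
EOL_VULNERABLE = {(2, 3, 7, 3), (2, 3, 7, 4)}
# Highest version per release line that Adobe said is unaffected, with the
# caveat that all earlier applicable security patches must already be applied.
LAST_UNAFFECTED = {(2, 3): (2, 3, 7, 2), (2, 4): (2, 4, 3, 1)}
# First release of each affected line that ships the fix.
FIRST_FIXED = {(2, 4, 4): (2, 4, 4, 2), (2, 4, 5): (2, 4, 5, 1)}


def parse_version(version: str) -> Optional[Version]:
    """'2.4.4-p1' -> (2, 4, 4, 1); a release without -pN gets patch level 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def extract_version(text: str) -> Optional[str]:
    """Return the first version token found in text, or None."""
    m = VERSION_IN_TEXT_RE.search(text)
    return m.group(0) if m else None


def assess(version: str) -> str:
    """One of: not_affected, needs_hotfix, eol_vulnerable, fixed, unknown."""
    key = parse_version(version)
    if key is None:
        return "unknown"
    line = key[:2]
    if key in NEEDS_HOTFIX:
        return "needs_hotfix"
    if key in EOL_VULNERABLE:
        return "eol_vulnerable"
    if line in LAST_UNAFFECTED and key <= LAST_UNAFFECTED[line]:
        return "not_affected"
    first_fixed = FIRST_FIXED.get(key[:3])
    if first_fixed is not None and key >= first_fixed:
        return "fixed"
    if line == (2, 4) and key > (2, 4, 5, 1):
        return "fixed"  # assumption: releases after 2.4.5-p1 include the fix
    return "unknown"  # version outside anything the article states


if __name__ == "__main__":
    # Constructed sample of what `bin/magento --version` might print.
    sample_cli_output = "Magento CLI 2.4.4-p1"
    found = extract_version(sample_cli_output)
    print(f"{found}: {assess(found)}")
    for v in ["2.4.3-p1", "2.4.3-p2", "2.4.4", "2.4.4-p2", "2.4.5-p1", "2.3.7-p3"]:
        print(f"{v}: {assess(v)}")
```

A result of `not_affected` only holds under Adobe's stated condition that every earlier applicable security patch is already installed; a store on 2.4.3-p1 that skipped prior patches should still be treated as needing work. Anything reported as `unknown` means the article does not cover that version and the official bulletin should be consulted.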
For existing JetRails customers, we also want you to know that we use Cloudflare’s firewall to block a variety of XSS attacks. We are continuously working with our security partners to provide you with proactive security, but as always, we urge you to patch your sites. As the old saying goes, “An ounce of prevention is worth a pound of cure.”