
    Magento Critical Security Patches 2.4.5-p1 and 2.4.4-p2

    On October 11th, 2022, Adobe addressed the vulnerabilities referenced as CVE-2022-35689 by releasing Magento Open Source and Adobe Commerce 2.4.5-p1 and 2.4.4-p2.

    On the same day, Adobe published security bulletin APSB22-48, which describes critical vulnerabilities in Magento Open Source and Adobe Commerce referenced as CVE-2022-35689. The bulletin covers Magento Bug IDs PRODSECBUG-3177 and PRODSECBUG-318.

    Why do you need to patch for CVE-2022-35689 ASAP?

    Some vulnerabilities are hard for attackers to exploit; these particular ones are considered comparatively easy. Most notably, PRODSECBUG-3177, a stored cross-site scripting (XSS) vulnerability, can be exploited by an attacker who is not authenticated and has no admin privileges. With stored XSS, the injected script is saved on the server and runs in the browser of anyone who later views the affected page, which in a Magento store can include administrators.

    It's always important to install security patches promptly, not least to meet PCI DSS and other compliance requirements. Given the nature of these vulnerabilities, however, Magento and Adobe Commerce site owners should patch immediately.

    Magento 2.4.5-p1 and 2.4.4-p2

    For merchants already on Magento 2.4.5, Adobe has released 2.4.5-p1, which addresses both newly disclosed security vulnerabilities.

    For merchants on Magento 2.4.4, Adobe has released 2.4.4-p2, which addresses the same vulnerabilities.

    What about older versions of Magento?

    For merchants still on older versions of Magento or Adobe Commerce, we will continue to share more information as it becomes available from our team, our partners, and the greater Magento community. With that in mind, here's an update from our security partners at Sansec:


    Additional October 13th, 2022 Update:

    In the Magento Community Engineering Slack, a member of the Adobe team confirmed that they are working on a hotfix for all affected (supported) versions:

    [Screenshot: CVE-2022-35689 Magento Community Engineering chat about a hotfix for all supported versions]

    We anticipate that this release will include patches for Magento Open Source and Adobe Commerce versions 2.4.0 through 2.4.3. Since Magento 2.3.x reached end of life on September 8th, 2022, there is no information about patches for merchants still on Magento 2.3.x.

    October 14th, 2022 Morning Update:

    Adobe has not published a definitive list of Magento Open Source and Adobe Commerce versions affected by these newly disclosed vulnerabilities. Nor has Adobe committed to providing patches for unsupported versions of Magento, including Magento 2.3.x. We are, however, starting to see open-source research and patches from the Magento community:

    https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches

    https://gist.github.com/jissereitsma/0aa5560367db698f1b44b7448c48bf66

    The safest choice is to upgrade to a supported version of Magento as soon as possible and apply Adobe's official patches. The patches being written quickly by the Magento community may or may not be equivalent to Adobe's fix at this time. If you cannot upgrade your website to a supported version promptly, talk to your web developers about whether you should test a community patch as a stop-gap measure, and plan to replace it with the official fix once you are on a supported version.

    October 14th Evening Update:

    [Screenshot: CVE-2022-35689 Magento Community Engineering update about a hotfix for all supported versions]

    According to Nathan Smith of Adobe, patches for older versions of Magento are still being worked on and are expected to become available early in the week of October 17th. “We will not be able to finish the publication of the hotfixes by end of day today. We aim to have them ready and published early next week. We can say that as long as you have applied all available applicable security patches for your installed version, 2.4.3-p1/2.3.7-p2 and below are not affected. We will be releasing hotfixes for 2.4.3-p2, 2.4.3-p3, 2.4.4, 2.4.4-p1, and 2.4.5 early next week. We appreciate your patience.”

    This tells us that Magento 2.3.7-p2 and below, and Magento 2.4.3-p1 and below, are unaffected, provided all previously released security patches for that version have been applied. Patches for the affected versions of Magento 2.4 are being worked on, but official patches for 2.3.7-p3 and 2.3.7-p4, which are end-of-life, are not pending at this time. Merchants on those versions should still be looking at community patches, as discussed in this morning's update (see above).

    We will continue to update this article as more information becomes available.

    October 18th Update:

    Adobe has released its official security patches for additional supported versions of Magento and Adobe Commerce. This includes a patch for 2.4.4, 2.4.4-p1, and 2.4.5, and another patch for 2.4.3-p2 and 2.4.3-p3. To access these patches, please visit https://experienceleague.adobe.com/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/adobe-commerce-2.4.0-2.4.5-security-hotfix-for-cve-2022-35698.html?lang=en

    As Magento/Adobe Commerce 2.3.7 is outside its support window, it isn't addressed in this update. However, Nathan Smith of Adobe did confirm that merchants on 2.3.7-p3 and 2.3.7-p4 are vulnerable.

    [Screenshot: CVE-2022-35689 Magento versions 2.3.7-p3 and 2.3.7-p4 are affected but not receiving official patches from Adobe]
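    Adobe's statements quoted above (the October 14th evening quote and the October 18th confirmation about 2.3.7-p3 and 2.3.7-p4) translate into a simple triage rule. The following Python script is an added example, not code from JetRails or Adobe: it reads the Magento metapackage version out of a composer.lock file and classifies it against those statements. The composer.lock sample is constructed, and treating releases newer than 2.4.5-p1 and 2.4.4-p2 as fixed is an assumption about later releases, not something the bulletin states.

```python
"""Triage an installed Magento / Adobe Commerce release against the
affected-version statements Adobe made for APSB22-48, as quoted in this
article (Oct 14 evening and Oct 18 updates).

Added example: not JetRails or Adobe code. The composer.lock sample is
constructed; treating releases newer than 2.4.5-p1 / 2.4.4-p2 as fixed is
an assumption (later releases are expected to carry the fix forward).
"""
import json
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, release, -pN patch level)

# Metapackages whose version tracks the Magento release (Open Source / Commerce).
MAGENTO_PACKAGES = (
    "magento/product-community-edition",
    "magento/product-enterprise-edition",
)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")

# Versions Adobe said it would ship hotfixes for (Oct 18 update).
HOTFIX_VERSIONS = {
    (2, 4, 3, 2), (2, 4, 3, 3),                # hotfix for 2.4.3-p2 / 2.4.3-p3
    (2, 4, 4, 0), (2, 4, 4, 1), (2, 4, 5, 0),  # hotfix for 2.4.4 / 2.4.4-p1 / 2.4.5
}


def parse_version(text: str) -> Version:
    """'2.4.3-p2' -> (2, 4, 3, 2); a release with no -pN suffix is patch level 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version: {text!r}")
    major, minor, release, p = m.groups()
    return int(major), int(minor), int(release), int(p or 0)


def classify(version: str) -> str:
    """Map a Magento version to one of:
      'fixed'            carries the fix: 2.4.4-p2, 2.4.5-p1 or newer (assumption)
      'hotfix-available' affected; Adobe published a hotfix (Oct 18 update)
      'affected-eol'     affected; 2.3.x is end-of-life, no official patch
      'not-affected'     2.3.7-p2 / 2.4.3-p1 and below, per Adobe, provided all
                         earlier applicable security patches were applied
      'unknown'          not covered by the statements quoted in the article
    """
    v = parse_version(version)
    major, minor = v[0], v[1]
    if (major, minor) == (2, 3):
        # Adobe confirmed 2.3.7-p3 and 2.3.7-p4 vulnerable; 2.3.7-p2 and below not.
        return "affected-eol" if v >= (2, 3, 7, 3) else "not-affected"
    if (major, minor) == (2, 4):
        if v <= (2, 4, 3, 1):
            return "not-affected"
        if v in HOTFIX_VERSIONS:
            return "hotfix-available"
        if v >= (2, 4, 5, 1) or (2, 4, 4, 2) <= v < (2, 4, 5, 0):
            return "fixed"
    return "unknown"


def installed_version(composer_lock: str) -> Optional[str]:
    """Read the Magento metapackage version out of composer.lock JSON text."""
    data = json.loads(composer_lock)
    for pkg in data.get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg.get("version")
    return None


def triage(composer_lock: str) -> Tuple[Optional[str], str]:
    """(version, classification) for a composer.lock document; 'unknown' if
    no Magento metapackage is present."""
    version = installed_version(composer_lock)
    if version is None:
        return None, "unknown"
    return version, classify(version)


# Constructed composer.lock fragment for a store still on 2.4.4-p1.
SAMPLE_COMPOSER_LOCK = json.dumps({
    "packages": [
        {"name": "laminas/laminas-stdlib", "version": "3.11.0"},
        {"name": "magento/product-community-edition", "version": "2.4.4-p1"},
    ]
})

if __name__ == "__main__":
    ver, status = triage(SAMPLE_COMPOSER_LOCK)
    print(f"Magento {ver}: {status}")  # -> Magento 2.4.4-p1: hotfix-available
```

    To run this against a real store, pass the contents of the store's composer.lock to triage() instead of the constructed sample. Note the caveat carried over from Adobe's statement: 'not-affected' holds only if every earlier security patch for that release was actually applied, which the version string alone cannot prove.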

    Our previous recommendations still stand for merchants on these versions of Magento/Adobe Commerce. The safest choice is to upgrade to a supported version of Magento ASAP and apply the official patches from Adobe. If you cannot upgrade your website to a supported version ASAP, talk to your web developers about whether you should test an open-source solution as a stop-gap measure, such as these patches: https://github.com/EmicoEcommerce/Magento-APSB22-48-Security-Patches

    For existing JetRails customers, we also want you to know that we use Cloudflare’s firewall to block a variety of XSS attacks. A web application firewall reduces exposure but is not a substitute for patching: it can only block the attack patterns it recognizes. We are continuously working with our security partners to provide you with proactive security, but as always, we urge you to patch your sites. As the old saying goes, “An ounce of prevention is worth a pound of cure.”

    About The Author
    Robert Rand
    Director of Partnerships & Alliances

    Robert is a Magento 1 and 2 Solution Specialist with over a decade of experience in helping merchants benefit from sound ecommerce and digital marketing strategies. He’s highly experienced at harnessing the power of ecommerce technologies and solutions to help businesses of all types and sizes grow and succeed.
