How To Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability In Magento

On Sunday, Feb 13, Adobe published a Security Bulletin. The company has rolled out patches for a new Critical 0-day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. The vulnerability tracked as CVE-2022-24086 is characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the products since this is a pre-authenticated flaw with the CVSS score of 9.8 out of 10. It is critical and being exploited in the wild. It would be best if you fixed it. In this post, let’s see How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products.

What Is Improper Input Validation?

First, see what Input Validation is. Input validation is a common technique used to check potentially dangerous inputs to ensure that the inputs are safe for processing within the code or when communicating with other software components. When software fails to validate input properly, attackers are able to craft the malicious input in a form that is not expected by the rest of the application. This will lead to parts of the system receiving unintended input, resulting in altered control flow, arbitrary control of a resource, or arbitrary code execution.

Summary Of CVE-2022-24086- A Arbitrary Code Execution Vulnerability In Magento And Commerce:

This is a pre-authenticated flaw characterized as improper input validation. Attackers could abuse this to achieve arbitrary code execution on the vulnerable versions of the Adobe products.

Associated CVE ID CVE-2022-0513
Description Improper input validation in Magento and Commerce open source adobe products.
Associated ZDI ID
CVSS Score 9.8 Critical
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score
Exploitability Score
Attack Vector (AV) Network
Attack Complexity (AC) Low
Privilege Required (PR) None
User Interaction (UI) None
Scope Unchanged
Confidentiality (C) High
Integrity (I) High
availability (a) High

Adobe Products Affected By The CVE-2022-24086 Vulnerability:

The vulnerability affects Magento and Commerce open-source Adobe products 2.4.3-p1 and earlier versions and 2.3.7-p2 and earlier versions.

Note: Adobe confirmed that Commerce 2.3.3 and lower are not affected.

Product Version Platform
 Adobe Commerce 2.4.3-p1 and earlier versions   All
2.3.7-p2 and earlier versions   All
Magento Open Source 2.4.3-p1 and earlier versions        All
2.3.7-p2 and earlier versions All

How To Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability In Magento And Commerce?

Adobe has responded to the vulnerability by rolling out patches to fix it. Adobe recommends users update their installation to the latest version. Here you can see the patched version details in the table.

Product Updated Version Platform Priority Rating Installation Instructions
Adobe Commerce MDVA-43395_EE_2.4.3-p1_v1 All 1 Release Notes

How to Fix CVE-2022-24086- Arbitrary Code Execution Vulnerability in Magento and Commerce?

  1. Download the Patches

    Download one of the following patches:

    MDVA-43395_EE_2.4.3-p1_v1.patch.zip

    MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip

  2. Apply a composer patch for Adobe Commerce on cloud infrastructure

    Copy the %patch_name%.composer.patch file(s) to the m2-hotfixes directory. Create the directory in the project root if you don’t have.

    Add, commit, and push your code changes:

    # git add -A
    # git commit -m “Apply %patch_name%.composer.patch patch”
    # git push origin

    Click here for more information.

  3. Apply a composer patch for Adobe Commerce on-premises and Magento Open Source

    Upload the downloaded patch files to your Adobe Commerce on-premises or Magento Open Source root directory. Run the following command

    # patch -p1 < %patch_name%.composer.patch
    OR
    # patch -p2 < %patch_name%.composer.patch

  4. Refresh the cache

    Refresh the cache to apply the changes:
    Admin under System > Cache Management.

We hope this post will help you know How to Fix CVE-2022-24086- A Critical 0-Day Arbitrary Code Execution Vulnerability in Magento and Commerce open-source Adobe products. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page in FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this. 

原创文章,作者:ItWorker,如若转载,请注明出处:https://blog.ytso.com/tech/aiops/270153.html

(0)
上一篇 2022年6月24日 04:39
下一篇 2022年6月24日 04:39

相关推荐

发表回复

登录后才能评论