Adobe Security Bulletin

Security update available for Adobe Commerce | APSB22-12

Bulletin ID	Date Published	Last Updated	Priority
APSB22-12	February 13, 2022	February 17, 2022	1

Summary

Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.

In order to stay up to date with the latest protections, customers must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it.

Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.

Affected Versions

Product	Version	Platform
Adobe Commerce	2.4.3-p1 and earlier versions	All
Adobe Commerce	2.3.7-p2 and earlier versions	All
Magento Open Source	2.4.3-p1 and earlier versions	All
Magento Open Source	2.3.7-p2 and earlier versions	All

Note: Adobe Commerce and Magento Open Source versions 2.3.0 to 2.3.3 are not affected.

Solution

Adobe categorizes these updates with the following priority ratings and recommends users update their installation to the newest version.

Product	Updated Version	Platform	Priority Rating	Installation Instructions
Adobe Commerce 2.4.3 - 2.4.3-p1 Magento Open Source 2.4.3 - 2.4.3-p1	MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_v1.patch.zip	All	1	Release Notes

Adobe Commerce 2.3.4-p2 - 2.4.2-p2 Magento Open Source 2.3.4-p2 - 2.4.2-p2	MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_v1.patch.zip

Adobe Commerce 2.3.3-p1 - 2.3.4 Magento Open Source 2.3.3-p1 - 2.3.4	MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.3.4_v1.patch.zip

Vulnerability Details

Vulnerability Category	Vulnerability Impact	Severity	Authentication required to exploit?	Exploit requires admin privileges?	CVSS base score	CVSS vector	Magento Bug ID	CVE number(s)
Improper Input Validation (CWE-20)	Arbitrary Code Execution	Critical	No	No	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	PRODSECBUG-3118	CVE-2022-24086
Improper Input Validation (CWE-20)	Arbitrary Code Execution	Critical	No	No	9.8	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	PRODSECBUG-3120	CVE-2022-24087

Vulnerability Category

Vulnerability Impact

Severity

Authentication required to exploit?

Exploit requires admin privileges?

CVSS base score

CVSS vector

Magento Bug ID

CVE number(s)

Improper Input Validation (CWE-20)

Arbitrary Code Execution

Critical

No

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-3118

CVE-2022-24086

Improper Input Validation (CWE-20)

Arbitrary Code Execution

Critical

No

9.8

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

PRODSECBUG-3120

CVE-2022-24087

Revisions

February 17th, 2022:

- Updated affected versions for CVE-2022-24086

- Updated CVE details and acknowledgements for CVE-2022-24087

February 14th, 2022:

- Clarified column headers in Vulnerability Details table

Acknowledgements

Adobe would like to thank the following researchers for reporting this issue and working with Adobe to help protect our customers:

Eboda & Blaklis (CVE-2022-24087)

For more information, visit https://helpx.adobe.com/security.html, or email PSIRT@adobe.com.