Adobe announced it has released a patch for Magento 2 in order to fix multiple critical vulnerabilities. Some of the vulnerabilities could allow attackers to take over administrator sessions as well as grant access to customer information.
The vulnerabilities affecting the popular Magento ecommerce platform affect both the open source and commercial versions.
According to the Magento Open Source release notes:
“Thirty-three security enhancements that help close remote code execution (RCE) and cross-site scripting (XSS) vulnerabilities
No confirmed attacks related to these issues have occurred to date.
However, certain vulnerabilities can potentially be exploited to access customer information or take over administrator sessions.”
Vulnerabilities Patched in Magento Ecommerce Platform
Adobe announced the release of Magento 2.4.3 which contains a total of 33 security enhancements.
These security issues affect both the commercial and open source versions of Magento.
Commercial Magento Versions that are Affected:
- 2.4.2 and earlier versions
- 2.4.2-p1 and earlier versions
- 2.3.7 and earlier versions
Open Source Magento Versions that are Affected:
- 2.4.2-p1 and earlier versions
- 2.3.7 and earlier versions
Critical Magento Security Issues
Several of the security issues are rated critical.
Of particular note is that of the sixteen security vulnerabilities that were announced by Adobe, ten of them do not require any admin or user credentials in order to exploit Magento.
The remaining six vulnerabilities require that an attacker already have administrator level privilege.
Eleven of the vulnerabilities are rated as critical and the rest are rated as important.
Eleven Critical Vulnerabilities in Magento
While all vulnerabilities should not be disregarded, the ones rated as critical are relatively especially dangerous.
There are four kinds of vulnerabilities:
- Arbitrary code execution (7 vulnerabilities)
- Security feature bypass (2)
- Application denial-of-service (1)
- Privilege escalation (1)
Magento Arbitrary Code Execution
The Arbitrary Code Execution exploits affecting Magento consist of six kinds of attacks.
- Improper Access Control
- Improper Input Validation
- Path Traversal
- OS Command Injection
- Server-Side Request Forgery (SSRF)
- XML Injection (aka Blind XPath Injection)
Examples of Magento Security Feature Bypass Exploits
There are two kinds of Security Feature Bypass issues affecting Magento that are patched in Magento version 2.4.3.
- Improper Input Validation
This kind of issue relates to a failure to properly validate an input for dangerous for the software to process . This allows an attacker to craft an unexpected input that can lead to an arbitrary code execution. - Improper Authorization
An Improper Authorization exploit is when the software fails to properly check if the user has the privilege levels person making the inputs has the proper credentials.
A common feature of the above exploits is that they allow an attacker to gain access to sensitive locations in the software, allowing an attacker to execute arbitrary commands.
According to Adobe’s summary:
“Magento has released updates for Adobe Commerce and Magento Open Source editions. These updates resolve vulnerabilities rated critical and important. Successful exploitation could lead to arbitrary code execution.”
Magento Update Version 2.4.3
It’s safe to say that updating to the latest version of Magento is recommended to be considered. Adobe’s release notes state that there are some backward compatibility issues.
Some of the changes are released independently and can be updated in that way.
Please read the full Adobe release notes in the security bulletin.
Citations
Magento Open Source 2.4.3 Release Notes
Adobe Commerce 2.4.3 Release Notes