Alert! Security Update for Adobe Commerce- APSB22-12

On 13th February 2022, Adobe released a security vulnerability patch named APSB22-12 for Magento version above 2.3.3.

The security update for Adobe Commerce works for Magento open-source as well as Commerce editions. Let’s understand more about the Security Update for Adobe Commerce and why it is necessary to implement it.

What is the Magento 2 Security Patch Update for?

The update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploiting in the wild for a given product version and platform. The successful exploitation of CVE-2022-24086 could lead to arbitrary code execution.

Read more about the security update here.

Which versions should implement the Security Update for Adobe Commerce?

Product Version Platform
Adobe Commerce           2.4.3-p1 and earlier versions , 2.3.7-p2 and earlier versions All
Magento Open Source 2.4.3-p1 and earlier versions, 2.3.7-p2 and earlier versions All
Note: Adobe Commerce 2.3.3 and lower are not affected.

How to apply a security patch for Adobe Commerce APSB22-12?

If you are using the commerce cloud edition, you need to put the patch file into the directory “m2-hotfixes” and run the integrated deployment process.

For the other platform (except Adobe Commerce Could), Adobe instructed to apply it on the command line:

patch -p1 < %patch_name%.composer.patch

This will not work well with continuous integration because this command and the file have to be added to the deployment pipeline.

Hence there is one solution for that:

You can apply the patch via composer which is one solution that is used by Magento anyway. If done correctly, the patch will be applied every time a composer command like “composer install” is called. Typically, this is already done by the deployment pipeline, there will be no need to adjust it.

Please follow the below step to apply the patch using composer:

  • You have to add a composer plugin with the below command.

composer require cweagans/composer-patches

With this, the Magento 2 Security Patch plugin developed by Cameron Eagans is installed. It will apply to the patch files automatically.

  • The patch file from Adobe needs some small changes with the directory paths because the Composer Patches plugin applies them per repository instead of globally.

So, we need to divide the patch file into one file per repository which is affected – in this case, we need one for magento/framework and one for Magento/module-email. Then, the paths inside the files have to be adjusted so they don’t contain the “vendor/magento/framework/” or “vendor/magento/module-email” part anymore.

 

All these patch files must be added to a new “patches” subdirectory in your Magento repository.

  • Moving further, we have to modify the composite.json file with a few lines of code like this:

“extra”: {

        […]

        “composer-exit-on-patch-failure”: true,

        “patches”: {

            “magento/framework”: {

                “MDVA-43395”: “patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-framework.patch”

            },

            “magento/module-email”: {

                “MDVA-43395”: “patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch”

            }

        }

    },

  • “magento/framework” and “magento/module-email” are the repositories to which the patch files should be applied. It is followed by an identifier “MDVA-43395” and the full path to the patch file.
  • Now you can call “composer install” and the patches are applied automatically. This patch file brings two files affected:
    • vendor/magento/module-email/Model/Template/Filter.php
    • vendor/magento/module-email/Model/Template/Filter.php

We hope this makes it easier for you to apply this critical Magento 2 security patch for your store. For further assistance, you can connect with our experts.

Leave a Reply

Your email address will not be published. Required fields are marked *