
Critical vulnerability hits Magento Open Source and Adobe Commerce

Adobe has announced a critical vulnerability affecting Adobe Commerce and Magento Open Source. Adobe Commerce merchants have already been attacked, and the vulnerability is being exploited in the wild right now.

An important detail shared by Adobe is that no authentication is required to exploit the vulnerability successfully.

This means that an attacker does not need a user account or login on the store to exploit it.

The second detail shared by Adobe is that administrator privileges are not required to exploit this vulnerability either.

Adobe Vulnerability Assessments

Adobe has released three vulnerability assessment metrics:

  1. Common Vulnerability Scoring System (CVSS)
  2. Priority
  3. Vulnerability level

Common Vulnerability Scoring System (CVSS)

The Common Vulnerability Scoring System (CVSS) is an open standard developed by a nonprofit organization (First.org) that uses a scale of 1 to 10 to score vulnerabilities.

A score of one is the least concern and a score of ten is the highest severity level for a vulnerability.

The CVSS score for the Adobe Commerce and Magento vulnerability is 9.8.

Vulnerability priority level

The priority metric has three levels: 1, 2, and 3. Level 1 is the most severe and level 3 is the least severe.

Adobe has listed the priority level of this vulnerability as 1, which is the highest level.

A level 1 priority rating means the vulnerability is being actively exploited against websites.

This is the worst-case scenario for merchants, as it means unpatched instances of Adobe Commerce and Magento are susceptible to hacking.

Adobe’s definition of priority level 1 is:

“This update resolves vulnerabilities that have been targeted, or have a higher risk of being targeted, by in-the-wild exploits for a given product version and platform.

Adobe recommends that administrators install the update as soon as possible (for example, within 72 hours).”

Vulnerability level

Adobe’s vulnerability ratings are named Moderate, Important, and Critical, with Critical representing the most dangerous level.

The vulnerability level assigned to the Adobe Commerce and Magento Open Source vulnerability is Critical, which is the most dangerous rating level.

Adobe’s definition of the Critical rating level is:

“A vulnerability which, if exploited, would allow malicious native code to execute, potentially without the knowledge of the user.”

Arbitrary code execution exploit

What makes this vulnerability particularly concerning is the fact that Adobe has confirmed that it is an arbitrary code execution vulnerability.

Arbitrary code execution generally means that the code an attacker can run is not limited in scope: the attacker can run virtually any code they choose in order to perform just about any task or command they wish.

An arbitrary code execution vulnerability enables a very serious type of attack.

Which versions are affected

Adobe has announced that an update patch has been released to correct the affected versions of its software.

The update release notes stated:

“The patches have been tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.”

The main vulnerability announcement (https://helpx.adobe.com/security/products/magento/apsb22-12.html) stated that Adobe Commerce versions 2.3.3 and lower are not affected.

Adobe recommends that users of affected software update their installations immediately.
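As an added example (not code from Adobe or from the article), the following script turns the version ranges quoted above into an inventory check: it parses Magento's `MAJOR.MINOR.PATCH[-pN]` version strings and flags any installation whose version falls inside the affected ranges. It assumes that a `-pN` suffix sorts after the base version and that a flagged version needs its patch status verified, since the fix can be applied on top of an affected version number.

```python
import re

# Affected ranges exactly as stated in the Adobe release notes quoted above:
# 2.3.3-p1 through 2.3.7-p2, and 2.4.0 through 2.4.3-p1.
AFFECTED_RANGES = [
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text):
    """Turn 'MAJOR.MINOR.PATCH[-pN]' into a comparable tuple.

    A missing '-pN' suffix is treated as patch level 0, so 2.4.3 sorts
    before 2.4.3-p1 (assumption: -p releases build on the base version).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def is_affected(version):
    """True if the version falls inside one of the affected ranges.

    A version inside a range may already carry the fix applied on top of the
    same version number, so True means 'verify patch status', not
    'confirmed vulnerable'.
    """
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each version string to a verdict for the ops team."""
    return {v: ("check patch status" if is_affected(v) else "outside affected range")
            for v in versions}


if __name__ == "__main__":
    # Constructed sample inventory, not data from the article.
    sample = ["2.3.3", "2.3.3-p1", "2.3.7-p2", "2.4.0", "2.4.3-p1", "2.4.3-p2"]
    for ver, verdict in triage(sample).items():
        print(f"{ver:10} {verdict}")
```

Versions with other suffixes (for example beta builds) raise `ValueError` rather than being silently classified, so unexpected inventory entries surface for manual review.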

Quotes

Read the Adobe Security Bulletin

Security update available for Adobe Commerce | APSB22-12

Read the Adobe Commerce and Magento Open Source patch release notes

Security updates available for Adobe Commerce APSB22-12

Information on exploit severity ratings

Adobe Severity Ratings