Magento 2 critical vulnerability (CVE-2022-24086). See the way to fix it.

On February 13th, 2022, Adobe released a security patch, Adobe Commerce APSB22-12, for the vulnerability CVE-2022-24086. A bit later they announced another critical patch for Magento 2: MDVA-43395.

Here we will show you the ways to apply the patch. You will also see which Adobe versions are affected by the vulnerability. Don’t ignore this information: read it and install the security updates.

A few words about CVE-2022-24086

CVE-2022-24086 is an unauthenticated remote code execution (RCE) vulnerability. It gives attackers the opportunity to scan the internet for vulnerable sites and take full control of the affected stores.

No one wants that.

To avoid this, install the new security patch as soon as possible.

Adobe versions vulnerable to exploitation

  • 2.4.3-p1, 2.3.7-p2 and earlier versions of Adobe Commerce.
  • 2.4.3-p1, 2.3.7-p2 and earlier versions of Magento Open Source.

Adobe Commerce 2.3.3 and lower versions are not affected.

Pulling a patch for the security vulnerability

First, download the patch. Follow Adobe’s instructions.

Here you can also learn how to apply a composer patch for Adobe Commerce on-premises, Adobe Commerce on cloud infrastructure, and Magento Open Source.

There is also another quick way to apply the patch:

  1. SSH into your server and cd into the Magento root directory.
  2. Create a new file MDVA-43395.patch and paste into it the contents of the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch file from the archive above.
  3. Run “patch -p1 < MDVA-43395.patch”, or, if that fails, run “patch -p2 < MDVA-43395.patch”.
  4. If you have OPcache running, flush it if you have the rights; restarting your PHP service also works.
  5. Run “bin/magento cache:flush”.
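Step 3 tries -p1 and falls back to -p2, and the comments below ask how to confirm the patch actually landed. The following POSIX sh helpers, an added example that is not part of the post and not Adobe's code, work out the strip level from the diff's “+++” paths and then check that every added line is present in its target file. The module path and diff content are constructed placeholders, not the real MDVA patch.

```shell
# Added example, not code from the post or from Adobe. Decides which -p level a
# unified diff needs against a Magento root and checks whether every '+' line
# of the diff is already present in its target file, i.e. whether the patch
# has been applied. Paths and diff content are constructed placeholders.

# Strip N leading path components from a diff path (a/vendor/x -> vendor/x).
strip_path() { printf '%s\n' "$1" | cut -d/ -f$(($2 + 1))-; }

# Print the -p level (1, then 2 as the post suggests) at which every
# '+++ ' target of the diff exists under the root directory.
detect_strip_level() {
  for p in 1 2; do
    ok=1
    for target in $(sed -n 's/^+++ //p' "$1" | cut -f1); do
      [ -f "$2/$(strip_path "$target" "$p")" ] || { ok=0; break; }
    done
    [ "$ok" -eq 1 ] && { echo "$p"; return 0; }
  done
  return 1
}

# Succeed only if every added line of the diff is found verbatim in its target.
patch_applied() {
  p=$(detect_strip_level "$1" "$2") || return 1
  while IFS= read -r line; do
    case $line in
      "+++ "*) file="$2/$(strip_path "$(printf '%s\n' "${line#+++ }" | cut -f1)" "$p")" ;;
      "+"*)    grep -qF -- "${line#+}" "$file" || return 1 ;;
    esac
  done < "$1"
  return 0
}

# Constructed fixture: an unpatched and a patched tree plus a diff whose paths
# carry one extra leading component, so -p1 fails and -p2 is the right level.
make_fixture() {
  d=$(mktemp -d)
  for t in before after; do mkdir -p "$d/$t/vendor/acme/module-demo/Model"; done
  printf 'class Example {\n    public function run() {\n        return 1;\n    }\n}\n' \
    > "$d/before/vendor/acme/module-demo/Model/Example.php"
  printf 'class Example {\n    public function run() {\n        $this->validate();\n        return 1;\n    }\n}\n' \
    > "$d/after/vendor/acme/module-demo/Model/Example.php"
  printf '%s\n' '--- a/src/vendor/acme/module-demo/Model/Example.php' \
    '+++ b/src/vendor/acme/module-demo/Model/Example.php' '@@ -1,5 +1,6 @@' \
    ' class Example {' '     public function run() {' '+        $this->validate();' \
    '         return 1;' '     }' ' }' > "$d/demo.patch"
  echo "$d"
}
```

On a real store, run `patch_applied MDVA-43395.patch /path/to/magento` after step 3 (and again after the MDVA-43443 patch); a non-zero exit means at least one added line is missing from the tree.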

The next step is to apply another patch for Magento 2: MDVA-43443. It has to be installed on top of the previous emergency patch.

For now, this is the only way, until Adobe ships the patch-release update it will likely come with soon.

After assessing security vulnerabilities, it is important to apply security updates at lightning speed. If you still have questions, please Contact Us.

3 thoughts on “Magento 2 critical vulnerability (CVE-2022-24086). See the way to fix it.”

  • Ramzi

    Thank you for providing the patching instructions.

    For Magento Open Source ver 2.4.3-p1, do we only patch

    patch -p1 < MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch

    and

    patch -p1 < MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch

    or we also need to patch:

    MDVA-43395_EE_2.4.3-p1_v1.patch and MDVA-43443_EE_2.4.3-p1_v1.patch

    Thank you

    • Roman B.

      Hi, you need to first apply the patch MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch and then MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch. These patches are used if you installed Magento 2 using composer. The patches MDVA-43395_EE_2.4.3-p1_v1.patch and MDVA-43443_EE_2.4.3-p1_v1.patch are used if you installed Magento 2 directly.

  • David

    Is there a way to check to make sure they were applied correctly?
