Adobe recently published a security bulletin (APSB22-12) for a Zero Day exploit that allows remote code execution on your Magento site. You can find the bulletin here.
The exploit is applicable for:
- Adobe Commerce: 2.3.3-p1 -> 2.3.7-p2 and 2.4.0 -> 2.4.3-p1
- Magento Open Source: 2.3.3-p1 -> 2.3.7-p2 and 2.4.0 -> 2.4.3-p1
If you are on an applicable version it is recommended that you apply their patch (MDVA-43395) immediately.
How to apply the patch
On your environment you just need to run the following the commands:
composer require --update-no-dev zero1limited/magento2-patches:1.0.19 composer require --update-no-dev cweagans/composer-patches:^1.6.5 bin/magento module:enable Zero1_Patches bin/magento patch:add --patch=MDVA-43395 composer install --no-dev
This will add and apply the patch to your site. You will then need to commit the following files to source control:
Equally if you didn't have the patches module install previously you will need to run the following:
bin/magento setup:upgrade --keep-generated
Where to apply the patch
We strongly recommend applying the patch in a development environment first so that regression tests can be done before releasing.
With MDOQ managed Magento hosting this is a very simple task, creating an isolated full replica of production takes minutes. You can then also deploy to production using the MDOQ deployment pipeline. (The whole process can easily be completed today).
If you don't have an easy way to get changes live, because of the severity you will need to run the commands on production.
If you're struggling with Magento development and/or deployments please get in touch (firstname.lastname@example.org) to see how we can help.