On August 8, 2023, Adobe released a security update for Adobe Commerce and Magento Open Source. The Adobe Commerce 2.4.6-p2 security patch is the latest release, providing a safer and more secure platform for e-commerce businesses. This update addresses critical vulnerabilities which, if exploited, could lead to arbitrary code execution, privilege escalation, and arbitrary file system read.
This release reflects Adobe’s commitment to continuously improving the security of its e-commerce platforms. By proactively addressing potential vulnerabilities and providing timely security updates, Adobe ensures that its users can focus on growing their businesses without worrying about potential cyber threats such as brute-force attacks, SQL injection, and more.
Key Features of the Adobe Commerce 2.4.6-p2
This release focuses on addressing vulnerabilities identified in previous versions and aligning with the latest security best practices.
Security Enhancements
This release brings forth several security improvements:
Three Main Security Fixes
The release includes three primary security fixes.
- XML Injection (CVE-2023-38207): This vulnerability can lead to arbitrary file system read and has been rated as “Important” with a CVSS base score of 5.3.
- OS Command Injection (CVE-2023-38208): This critical vulnerability can result in arbitrary code execution and has a CVSS base score of 9.1.
- Improper Access Control (CVE-2023-38209): This vulnerability can lead to privilege escalation and has been rated as “Important” with a CVSS base score of 6.5.
Affected Versions
The vulnerabilities impact the following versions of Adobe Commerce and Magento Open Source:
- Adobe Commerce: Versions 2.4.6-p1 and earlier, 2.4.5-p3 and earlier, 2.4.4-p4 and earlier, and several other versions.
- Magento Open Source: Versions 2.4.6-p1 and earlier, 2.4.5-p3 and earlier, 2.4.4-p4 and earlier.
Adobe recommends updating installations to the newest versions, which include:
- Adobe Commerce: Several updated versions exist, including Adobe Commerce 2.4.7 beta1, 2.4.6-p2 for 2.4.6 and earlier, 2.4.5-p4 for 2.4.5-p3 and earlier, and 2.4.4-p5 for 2.4.4-p3 and earlier.
- Magento Open Source: Magento 2.4.7 beta1, 2.4.6-p2 for 2.4.6 and earlier, 2.4.5-p4 for 2.4.5-p3 and earlier, 2.4.4-p5 for 2.4.4-p3 and earlier.
For a detailed discussion on these issues addressed, you can refer to the Adobe Security Bulletin.
Security Highlight
In the nginx.sample file, the value of fastcgi_pass has been reverted to its previous value of fastcgi_backend. This value was mistakenly changed to php-fpm:9000 in the Adobe Commerce 2.4.6-p1 release.
jQuery-UI Library Vulnerability (CVE-2022-31160)
The jQuery-UI library, a renowned user interface tool for jQuery, has been flagged with a security vulnerability. This vulnerability, identified as CVE-2022-31160, is specific to the 1.13.1 version of the library. As of the latest updates, Adobe has confirmed that there are no known active exploits for the issue addressed.
Affected Adobe Commerce Versions
- 2.4.4
- 2.4.5
- 2.4.6
These versions of Adobe Commerce have the vulnerable 1.13.1 version as a dependency.
Resolution by Adobe
In June 2023, Adobe took swift action to address this vulnerability:
- Released security-only patches: 2.4.6-p1, 2.4.5-p3, and 2.4.4-p4.
- Updated the jQuery-UI library dependency to the more secure 1.13.2 version.
Note on Incomplete Updates
While the main jQuery-UI file was updated, certain additional module and widget files remained unchanged. As a result:
- Users of versions 2.4.6-p1, 2.4.5-p3, and 2.4.4-p4 or earlier might still detect the jQuery-UI CVE issue during security scans.
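Because the leftover module and widget files are what a scanner keys on, a quick way to check an installation for the incomplete update described above is to read the version banner at the top of every jQuery UI file and list those still older than 1.13.2. This is an added example, not Adobe's or Magento's own tooling; it assumes the standard `/*! jQuery UI - vX.Y.Z` banner format and builds a small constructed directory tree to run against.

```python
import re
import tempfile
from pathlib import Path

# jQuery UI distributes each file with a banner comment such as
# "/*! jQuery UI - v1.13.2 - 2022-07-14" (assumed header format).
HEADER_RE = re.compile(r"/\*!\s*jQuery UI\s*-\s*v(\d+\.\d+\.\d+)")
FIXED_VERSION = (1, 13, 2)  # version the June 2023 security-only patches moved to


def parse_version(text: str):
    """Return the jQuery UI version tuple from a file's banner, or None if absent."""
    m = HEADER_RE.search(text[:512])
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def audit_jquery_ui(root: Path):
    """Walk an install and list (relative path, version) for every jQuery UI file below the fix."""
    stale = []
    for js in root.rglob("*.js"):
        try:
            version = parse_version(js.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue  # unreadable file: skip rather than abort the whole audit
        if version is not None and version < FIXED_VERSION:
            stale.append((js.relative_to(root).as_posix(), ".".join(map(str, version))))
    return sorted(stale)


def build_sample_tree() -> Path:
    """Constructed sample tree: main file updated, one widget module left at 1.13.1."""
    root = Path(tempfile.mkdtemp())
    (root / "lib/web/jquery/ui-modules/widgets").mkdir(parents=True)
    (root / "lib/web/jquery/jquery-ui.js").write_text(
        "/*! jQuery UI - v1.13.2 - 2022-07-14\n* http://jqueryui.com\n*/\n")
    (root / "lib/web/jquery/ui-modules/widgets/datepicker.js").write_text(
        "/*! jQuery UI - v1.13.1 - 2022-01-20\n* Includes: widgets/datepicker.js\n*/\n")
    (root / "lib/web/jquery/other.js").write_text("// no banner here\nvar x = 1;\n")
    return root


if __name__ == "__main__":
    for path, version in audit_jquery_ui(build_sample_tree()):
        print(f"stale jQuery UI {version}: {path}")
```

Point `audit_jquery_ui` at the Magento document root (and at `pub/static` after static content deploy) to cover both the source files and the deployed copies.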
Performance Issue: Config Files Loading Multiple Times (ACSD-51892)
In Adobe Commerce 2.4.6, a performance issue was identified where the app/etc/env.php and app/etc/config.php files are loaded multiple times during each request. This excessive file reading can strain the system, leading to a significant drop in overall performance. The issue becomes particularly evident during deployment or upgrade processes. After deploying or upgrading to Adobe Commerce 2.4.6 or later, the filesystem logs reveal repeated access to these files during the deployment. As a result, instead of the deployment completing within the expected timeframe, servers might struggle to respond, leading to an “Error 503 first byte timeout” when accessing the website. The log files will show multiple entries indicating access to the app/etc/env.php and app/etc/config.php files.
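To confirm whether an installation shows the repeated-load symptom (and to verify it disappears once the patch is applied), the file-access log from a single request or deploy run can be tallied for opens of the two config files. This is an added example, not part of the original post or of Adobe's tooling; it assumes strace-style `openat(...)` lines as the log shape and uses a constructed sample trace.

```python
import re
from collections import Counter

# Assumed log shape: strace-style open/openat lines captured while serving one
# request or running the deploy, e.g.
#   openat(AT_FDCWD, "/var/www/html/app/etc/env.php", O_RDONLY) = 7
OPEN_RE = re.compile(r'\bopen(?:at)?\((?:[^,]*,\s*)?"([^"]+)"')
WATCHED = ("app/etc/env.php", "app/etc/config.php")

# Constructed sample trace: env.php opened three times, config.php twice,
# plus one unrelated file and one failed open of a similarly named path.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/var/www/html/app/etc/env.php", O_RDONLY) = 5
openat(AT_FDCWD, "/var/www/html/app/etc/config.php", O_RDONLY) = 5
openat(AT_FDCWD, "/var/www/html/vendor/autoload.php", O_RDONLY) = 6
openat(AT_FDCWD, "/var/www/html/app/etc/env.php", O_RDONLY) = 5
openat(AT_FDCWD, "/var/www/html/app/etc/env.php", O_RDONLY) = 5
openat(AT_FDCWD, "/var/www/html/app/etc/config.php", O_RDONLY) = 5
openat(AT_FDCWD, "/var/www/html/app/etc/env.php.bak", O_RDONLY) = -1 ENOENT (No such file or directory)
""".splitlines()


def count_config_opens(lines):
    """Count successful opens of each watched Magento config file."""
    counts = Counter({name: 0 for name in WATCHED})
    for line in lines:
        m = OPEN_RE.search(line)
        if not m or " = -1 " in line:  # skip non-open lines and failed opens
            continue
        for name in WATCHED:
            if m.group(1).endswith(name):
                counts[name] += 1
    return dict(counts)


def is_affected(counts, expected_per_request=1):
    """ACSD-51892 symptom: a config file read more than the expected once per request.
    The threshold of one read per request is an assumption for a healthy install."""
    return {name: n > expected_per_request for name, n in counts.items()}


if __name__ == "__main__":
    tally = count_config_opens(SAMPLE_TRACE)
    for name, flagged in is_affected(tally).items():
        print(f"{name}: opened {tally[name]}x -> {'SYMPTOM' if flagged else 'ok'}")
```

Feed it the trace of one request before and after applying the patch; the counts for both files should fall to the expected single read.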
Hotfixes
The 2.4.6-p2 release includes a resolution for the performance degradation addressed by patch ACSD-51892. Once applied, it prevents the excessive loading of the mentioned config files, ensuring smoother and faster performance. This patch is available with the Quality Patches Tool (QPT) 1.1.33. Additionally, it’s worth noting that this issue is slated to be resolved in the upcoming Adobe Commerce 2.4.7 release.
Merchants can apply this patch depending on their deployment method:
- For Adobe Commerce or Magento Open Source on-premises, refer to the Quality Patches Tool > Usage in the Quality Patches Tool guide.
- For Adobe Commerce on Cloud Infrastructure, refer to Upgrades and Patches > Apply Patches in the Commerce on Cloud Infrastructure guide.
Installation and Upgrade Instructions
The Adobe Commerce 2.4.6-p2 release, being a security release, necessitates careful installation and upgrade procedures to ensure the security and stability of your Adobe Commerce or Magento Open Source deployment.
Downloading and Applying Patches
For merchants looking to download and apply security patches, including the 2.4.6-p2 patch, Adobe provides a comprehensive guide. The Quick Start install guide offers step-by-step instructions to ensure a smooth patch application process.
In Closing
This blog post provides a comprehensive overview of the Adobe Commerce 2.4.6-p2 security release. Merchants are advised to stay updated with the latest releases and ensure they are implementing the recommended patches and upgrades for a secure and efficient e-commerce experience.
Adobe Commerce 2.4.6-p2 Security Patch: Enhancing E-commerce Security