A serious Magento vulnerability has come to the light. Adobe labeled it with security issue APSB22-48. And yesterday, October 12th, new patch releases came out for 2.4.5 (being 2.4.5-p1) and 2.4.4 (being 2.4.4-p2). But what about 2.4.3 and older? What about Magento 2.3? Are we screwed?
The vulnerability
The vulnerability was reported by a security expert (dubbed @Blaklis_ on Twitter) who also mentioned jokingly that the vulnerability isn't that hard to exploit. The security issue APSB22-48 reports two vulnerabilities: One vulnerability CVE-2022-35698 (aka Magento code PRODSECBUG-3177) is labeled as critical and the other one CVE-2022-35689 (aka Magento code PRODSECBUG-3180) is labeled as medium. And especially the first one - CVE-2022-35698 - sounds worrisome: It seems to be a XSS (Cross-site scripting) attack leading to arbitrary code execution (which could have a huge impact on any shop left unpatched).
It is nice to hear that patch versions came out for Magento 2.4.4 and 2.4.5. I patched my own shop immediately (fist-bump) and assume that I'm a lucky bastard because of this.
Older Magento versions
But the vulnerability is mentioned to be there for Magento 2.4.5 and older versions. So what about 2.4.0 to 2.4.3? And what about 2.3? The current official word is that no patch will be released by Adobe, because these older versions are no longer supported.
For instance, Magento 2.4.3 is vulnerable but officially End-of-Life in November 28 ... which leaves us - huh? - still 6 weeks of software support. But apparently this excludes huge security issues like this one? I'm not getting it.
Magento 2.3 went EOL on September 8th 2022, which is now about 6 weeks ago. So here, the lacking of a patch makes sense. Simply put, if you are on Magento 2.3, you are screwed.
Reverse engineering
The lack of support is debatable. But it is certainly a pity that a release - instead of a patch - was released (like 2.4.5-p1). This, while the official word that came out months ago (disclaimer: I couldn't find the official writing for this quick enough) was to focus more upon patches than releases. And no patch is available as of yet.
People are jumping on the vulnerability as we speak, to reverse engineer things. A GitHub diff between 2.4.4-p1 and 2.4.4-p2 reveals numerous unimportant composer changes. But there are also various changes in the area of the class lib/internal/Magento/Framework/Filter/Template.php (with type casts and additional signing, with impact in for example REST endpoints). Sansec pointed out that a search for preg_match_all($directiveProcessor->getRegularExpression() specifically would show where things are modified.
Summary
The vulnerability is said to be exploited easily. Usually, this means that sooner or later, the attacks in the wild go up in time. And this could proof to be a very problematic issue for numerous merchants across the ecosystem. And this definitely includes shops that are running outdated versions, simply because upgrading Magento can be very problemetic on its own. Let's hope that smart people are able to create solutions (read: patches) here soon.
Follow-up 1 (October 14th)
The following patch was mentioned in Slack, is now converted to a Gist and should be usable under Magento 2.4.3, 2.3.7-p3, 2.3.6-p1, 2.2.11 and possibly other versions: gist.github.com/jissereitsma/0aa5560367db698f1b44b7448c48bf66. The patch assumed the usage of a composer patches configuration (as for instance with the cweagans package) like the following:
{
"extra": {
"patches": {
"magento/framework": {
"APSB22-48": "patches/magento.APSB22-48.patch"
}
}
}
}
Follow-up 2 (October 14th)
The agency Emico has released various security patches via the repository EmicoEcommerce/Magento-APSB22-48-Security-Patches. It includes a couple more fixes in other modules.
About the author
Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.
