@wigman
Last active March 10, 2023 09:07
Instructions for quick and dirty Magento 2 Store patch for exploit MDVA-43395

Security updates available for Magento - APSB22-12

Adobe has released security updates for Adobe Commerce and Magento Open Source. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.

Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants.

This vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015. At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication.

– Sansec (https://sansec.io/research/magento-2-cve-2022-24086)

Proper way to patch

If you have time to do a new deployment, use this guide for reference: https://www.integer-net.com/applying-the-magento-security-patch-via-composer/

Quickest way to patch (temporary)

Since time is of the absolute essence, run this quick method if you can't do the above today.

Whatever you do, do it TODAY!

  1. Download and extract the composer patch from https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip?raw=true
  2. SSH into your server and cd into the Magento root directory
  3. Create and edit a new file MDVA-43395.patch, insert the contents of the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch file from the archive above
  4. Run patch -p1 < MDVA-43395.patch, or if that fails, run patch -p2 < MDVA-43395.patch
  5. Just in case, if you have OPCache running, try to flush it if you have the rights. Restarting your PHP service also takes care of this.
  6. Run bin/magento cache:flush
  7. Take a breath, then plan to implement a proper fix. Adobe will probably ship a patch-release update for all Magento versions soon.

UPDATE 17 February 22

An additional patch was released as a follow-up to the above.

Full information can be found on the Adobe Security Bulletin page: https://helpx.adobe.com/security/products/magento/apsb22-12.html

Instructions are basically the same as above, but the additional patches are more extensive than the first one, so inevitably the patches differ per Magento version.

If you are on 2.4.3, the new composer patch is here: https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43443_EE_2.4.3-p1_v1.patch.zip?raw=true

If you are on 2.3.4-p2 till 2.4.2-p2, the new composer patch is here: https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip?raw=true

If you are on 2.3.3-p1 till 2.3.4, the new composer patch is here: https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip?raw=true

After downloading the patch, put the file in the root of your web directory and run the command-line patch command again, as described above.
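Steps 3 and 4 of the quick method, and the repeat run for the follow-up MDVA-43443 patch, as an added example that is not part of the original gist: it dry-runs the patch at -p1 and then -p2 before touching any file, so a strip level that only partly matches never leaves a half-patched tree, and it reports a patch that is already applied. The function name apply_magento_patch is hypothetical, and GNU patch is assumed.

```shell
#!/bin/sh
# Added example, not from the original gist. apply_magento_patch is a
# hypothetical helper; it assumes GNU patch (needed for --dry-run).
# Usage: apply_magento_patch <magento-root> <patch-file>
# Returns 0 = applied, 2 = already applied, 1 = does not apply cleanly.
apply_magento_patch() {
    root=$1
    patchfile=$2
    [ -d "$root" ] && [ -f "$patchfile" ] || return 1
    # patch runs inside $root, so make the patch path absolute first.
    case $patchfile in
        /*) ;;
        *) patchfile="$(pwd)/$patchfile" ;;
    esac
    for level in 1 2; do
        # A reverse dry run succeeds only on a tree that is already patched.
        if (cd "$root" && patch -p"$level" -R -f -s --dry-run < "$patchfile") >/dev/null 2>&1; then
            echo "already applied (strip level -p$level)"
            return 2
        fi
        # Forward dry run: writes nothing, fails if any hunk would be rejected.
        if (cd "$root" && patch -p"$level" -N -f -s --dry-run < "$patchfile") >/dev/null 2>&1; then
            (cd "$root" && patch -p"$level" -N -f -s < "$patchfile") || return 1
            echo "applied with strip level -p$level"
            return 0
        fi
    done
    echo "patch does not apply cleanly at -p1 or -p2; nothing was changed" >&2
    return 1
}
```

After a return code of 0, continue with steps 5 and 6 (flush OPcache, then bin/magento cache:flush); a return code of 1 means the files on disk do not match the patch, which usually points to a patch built for a different Magento version.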

CSS in email templates breaks after applying the patch

If you have manually added CSS to transactional emails through the Magento Admin, these styles break after applying the patch above. (Credits to integer_net for reporting this issue)

There is currently no fix available, but you should 100% rather apply the patch and have broken email styles than not patch!

You can check whether you have custom styles enabled for your emails by checking if you have any content in the Template Styles field in the email templates in the Magento Admin, or run the following SQL command:

SELECT COUNT(*) FROM `email_template` WHERE template_styles like '%{%';
@convenient

@Morgy93 Sorry, I can't debug your setup; I've never seen anything like this happening. However, by running composer patch:apply --no-interaction -vvv you should see the stack trace, and following that it should be apparent what part of the code is operating and trying to grab from the source.

@Morgy93

Morgy93 commented Feb 18, 2022

@convenient I reproduced it just fine on a new setup. If you're still willing to help please have a look: vaimo/composer-patches#91

@convenient

@Morgy93 did you actually download and save these files at the locations within your repository?

patches/magento/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch
patches/magento/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch

Maybe it's trying to look them up from the remote if you do not have them in your LFS?

@Morgy93

Morgy93 commented Feb 18, 2022

@convenient You don't have to. The download happens before the patch file check. This is also confirmed by vaimo/composer-patches#71

And a completely different error is thrown:
image
(The -vvv then says the file does not exist)

edit: I just saw you also answered the issue, let's continue there.

@mrtuvn

mrtuvn commented Mar 10, 2023

So how do we properly add styles correctly after applying the new patch?
From my understanding, CSS styles in LESS for email will not be affected after applying the patch, right? What about the case where we add styles inline directly inside the email template?

email
