Last week Adobe announced a critical vulnerability affecting Adobe Commerce and Magento Open Source. The first alert was received at the end of January. And on Sunday, February 13, Adobe was already releasing the necessary patches to solve the problem. Independent security experts, such as Willem de Groot, managing director and founder of specialist Magento security outlet Sansec, have noted that steps have been taken to implement a fix faster than normal.
One of the most important details of this vulnerability is that no authentication is required to successfully execute a successful exploit. This means that an attacker does not need to acquire a user login privilege to exploit the vulnerability.
Another noteworthy detail of this exploit is that administrator privileges are not required to exploit this vulnerability.
Adobe vulnerability ratings
Adobe published three scoring metrics for vulnerabilities:
- Common Vulnerability Scoring System (CVSS)
- Priority
- Vulnerability level
Common Vulnerability Scoring System (CVSS)
Common Vulnerability Scoring System (CVSS) is an open standard developed by a non-profit organization (First.org) that uses a scale of 1 to 10 to rate vulnerabilities.
A score of one is the least worrisome and a score of ten is the highest severity level of a vulnerability.
The CVSS score for this Adobe Commerce and Magento vulnerability is 9.8.
Vulnerability Priority Level
The priority metric has three levels, 1, 2, and 3. Level 1 is the most serious and level three is the least serious.
Adobe has listed the priority level of this exploit as 1, which is the highest level.
Level 1 priority level means that the vulnerabilities are being actively exploited on the websites. This is the worst case scenario for eCommerce. It means that unpatched instances of Adobe Commerce and Magento are vulnerable to being hacked.
Vulnerability level
Adobe’s vulnerability levels are moderate, important, and critical, with critical being the most dangerous level.
The vulnerability level assigned to the open source Adobe Commerce and Magento exploit is classified as critical.
Adobe’s definition of critical qualification level is:
“A vulnerability that, if exploited, would allow malicious native code to execute, potentially without the user’s knowledge.”
Arbitrary Code Execution Exploitation
What makes this vulnerability especially concerning is the fact that Adobe has admitted that it is an arbitrary code execution vulnerability.
Arbitrary code execution generally means that the type of code an attacker can execute is not limited in scope, but rather open to pretty much any code you want to run just about any task or command you want.
An arbitrary code execution vulnerability is a very serious type of attack.
Which versions are affected
Adobe has indicated that versions 2.3.3 and earlier of Adobe Commerce are not affected. And it has released an update patch to fix the affected versions of its software. In the update note, Adobe stated:
“Patches to resolve the issue have been tested on all versions from 2.3.3-p1 to 2.3.7-p2 and 2.4.0 to 2.4.3-p1.”
Adobe recommends that users of affected software update their installations immediately.
Therefore, the affected versions are Adobe Commerce and Magento Open Source products and versions 2.3.3-p1 – 2.3.7-p2 and 2.4.0 – 2.4.3-p1. In the following link all the patches for the different versions are available.
The most stable content manager
If the value of Adobe’s CMS stands out for anything, it is because of its stability and its low propensity for vulnerabilities. In fact, we have to go back to 2015 to find a similar issue with Magento, when the vulnerability known as Magento Shoplift occurred.