background

October 13, 2022

No APSB22-48 patches for Magento 2.3

Yireo Blog Post

A serious Magento vulnerability has come to the light. Adobe labeled it with security issue APSB22-48. And yesterday, October 12th, new patch releases came out for 2.4.5 (being 2.4.5-p1) and 2.4.4 (being 2.4.4-p2). But what about 2.4.3 and older? What about Magento 2.3? Are we screwed?

The vulnerability

The vulnerability was reported by a security expert (dubbed @Blaklis_ on Twitter) who also mentioned jokingly that the vulnerability isn't that hard to exploit. The security issue APSB22-48 reports two vulnerabilities: One vulnerability CVE-2022-35698 (aka Magento code PRODSECBUG-3177) is labeled as critical and the other one CVE-2022-35689 (aka Magento code PRODSECBUG-3180) is labeled as medium. And especially the first one - CVE-2022-35698 - sounds worrisome: It seems to be a XSS (Cross-site scripting) attack leading to arbitrary code execution (which could have a huge impact on any shop left unpatched).

It is nice to hear that patch versions came out for Magento 2.4.4 and 2.4.5. I patched my own shop immediately (fist-bump) and assume that I'm a lucky bastard because of this.

Older Magento versions

But the vulnerability is mentioned to be there for Magento 2.4.5 and older versions. So what about 2.4.0 to 2.4.3? And what about 2.3? The current official word is that no patch will be released by Adobe, because these older versions are no longer supported.

For instance, Magento 2.4.3 is vulnerable but officially End-of-Life in November 28 ... which leaves us - huh? - still 6 weeks of software support. But apparently this excludes huge security issues like this one? I'm not getting it.

Magento 2.3 went EOL on September 8th 2022, which is now about 6 weeks ago. So here, the lacking of a patch makes sense. Simply put, if you are on Magento 2.3, you are screwed.

Reverse engineering

The lack of support is debatable. But it is certainly a pity that a release - instead of a patch - was released (like 2.4.5-p1). This, while the official word that came out months ago (disclaimer: I couldn't find the official writing for this quick enough) was to focus more upon patches than releases. And no patch is available as of yet.

People are jumping on the vulnerability as we speak, to reverse engineer things. A GitHub diff between 2.4.4-p1 and 2.4.4-p2 reveals numerous unimportant composer changes. But there are also various changes in the area of the class lib/internal/Magento/Framework/Filter/Template.php (with type casts and additional signing, with impact in for example REST endpoints). Sansec pointed out that a search for preg_match_all($directiveProcessor->getRegularExpression() specifically would show where things are modified.

Summary

The vulnerability is said to be exploited easily. Usually, this means that sooner or later, the attacks in the wild go up in time. And this could proof to be a very problematic issue for numerous merchants across the ecosystem. And this definitely includes shops that are running outdated versions, simply because upgrading Magento can be very problemetic on its own. Let's hope that smart people are able to create solutions (read: patches) here soon.

Follow-up 1 (October 14th)

The following patch was mentioned in Slack, is now converted to a Gist and should be usable under Magento 2.4.3, 2.3.7-p3, 2.3.6-p1, 2.2.11 and possibly other versions: gist.github.com/jissereitsma/0aa5560367db698f1b44b7448c48bf66. The patch assumed the usage of a composer patches configuration (as for instance with the cweagans package) like the following:

{
  "extra": {
    "patches": {
      "magento/framework": {
        "APSB22-48": "patches/magento.APSB22-48.patch"
      }
    }
  }
}

Follow-up 2 (October 14th)

The agency Emico has released various security patches via the repository EmicoEcommerce/Magento-APSB22-48-Security-Patches. It includes a couple more fixes in other modules.

Posted on October 13, 2022

About the author

Author Jisse Reitsma

Jisse Reitsma is the founder of Yireo, extension developer, developer trainer and 3x Magento Master. His passion is for technology and open source. And he loves talking as well.

Sponsor Yireo

Looking for a training in-house?

Let's get to it!

We schrijven niet te commerciële dingen, we richten ons op de technologie (waar we dol op zijn) en we komen regelmatig met innovatieve oplossingen. Via onze nieuwsbrief kun je op de hoogte blijven van al deze coolness. Inschrijven kost maar een paar seconden.

Do not miss out on what we say

This will be the most interesting spam you have ever read

We schrijven niet te commerciële dingen, we richten ons op de technologie (waar we dol op zijn) en we komen regelmatig met innovatieve oplossingen. Via onze nieuwsbrief kun je op de hoogte blijven van al deze coolness. Inschrijven kost maar een paar seconden.