Install Immediately: Magento 2 Security Patches MDVA-43395 & MDVA-43443 to Fix RCE Vulnerability

Attention Magento store owners⚠️

If you are running your store on Adobe Commerce (2.3.3-p1 to 2.3.7-p2) or Magento Open Source (2.4.0 to 2.4.3-p1), your store is at high risk!

A zero-day bug in the versions listed above is being exploited in the wild, which has forced Adobe to roll out emergency security patches to secure affected stores.

The RCE bug allows attackers to execute arbitrary code on vulnerable stores. Here is how you can secure your Magento store against it.

Critical RCE Bug Discovered in Adobe Commerce & Magento Open Source

On Sunday, Feb 13, 2022, Adobe released an emergency security patch – MDVA-43395 – for Magento stores to fix the newly discovered RCE bug in Adobe Commerce and Magento Open Source. “These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution,” states the Adobe security bulletin APSB22-12.

The Common Vulnerabilities and Exposures (CVE) database, which catalogs publicly disclosed security flaws, assigned the tracking ID CVE-2022-24086 to the vulnerability. It carries a CVSS score of 9.8/10 (critical) and needs to be fixed immediately.

On Feb 17, 2022, Adobe released a second security patch – MDVA-43443 – for the affected versions and updated the bulletin with a further tracking ID, CVE-2022-24087, along with updated details on the improper input validation vulnerability. “In order to stay up to date with the latest protections, customers must apply two patches: MDVA-43395 patch first, and then MDVA-43443 on top of it,” declared Adobe.

Adobe Released MDVA-43395 & MDVA-43443 Security Patches to Fix the Vulnerability


Adobe released the following patches for the affected versions of Adobe Commerce & Magento Open Source:

The RCE vulnerability is critical enough that Adobe warranted an immediate security patch. Meetanshi therefore recommends patching Magento stores with the latest Adobe security patches to close the known security loophole.

You can use Meetanshi’s Magento Patch Installation Service to get the latest security patches installed on your Magento store and safeguard it against such security vulnerabilities.


Sanjay Jethva

Sanjay is a co-founder at Meetanshi. He is a Certified Magento Developer who loves creating Magento E-commerce solutions. Owing to his contributions in Magento Forums and posting solutions, he is among the top 50 contributors of the Magento community in 2019. When he is not engrossed with anything related to Magento, he loves to play cricket.

6 Comments

  • brat

    Hi Sanjay,

    I have applied these two patches, MDVA-43395 and MDVA-43443, on our Magento e-commerce platform. Now how can I verify and show proof to my client that they were applied successfully, as the scan tool still shows the alert? From my own end, the following patch files are updated:

    vendor/magento/framework/Filter/DirectiveProcessor/DependDirective.php
    vendor/magento/framework/Filter/DirectiveProcessor/ForDirective.php
    vendor/magento/framework/Filter/DirectiveProcessor/IfDirective.php
    vendor/magento/framework/Filter/DirectiveProcessor/SimpleDirective.php
    vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php
    vendor/magento/module-email/Model/Template/Filter.php

    • Sanjay Jethva

      Hello Brat,
      All of the patch files will be updated.
      If anyone wants to confirm whether the patch is installed properly or not, check those patch files and compare the old ones with the new ones after installing the patch.
      If the patch is not applied, a .rej file would be generated next to the patched files. You can check that.
      Thank You

  • Ray carter

    I have updated this patch in Magento 2.4.3. Now how can I check that this patch is applied?

    • Sanjay Jethva

      Hello Ray,
      You can check the change in the below location:
      vendor\magento\framework\Filter\DirectiveProcessor\
      You can observe a change in the following files:
      DependDirective
      ForDirective
      IfDirective
      SimpleDirective
      VarDirective

      Plus, this file has also been updated:
      vendor\magento\module-email\Model\Template\Filter.php
      Thank You

  • Vikram

    These patches are not working on Magento CLI 2.4.2.
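A scripted version of the file-level check described in the comments above, added here as an example (it is not part of the article, of Adobe's patches, or of Meetanshi's tooling): record a sha256 baseline of the six files the patches touch before patching, then confirm after patching that each one changed and that no rejected hunk (`*.rej`) was left behind. The Magento root argument and the baseline file format (plain `sha256sum` output) are assumptions.

```shell
#!/bin/sh
# Added example: verify that the MDVA-43395 / MDVA-43443 patches actually changed the
# files they touch. Paths are the ones listed in the comment thread; the baseline
# format (sha256sum output) and the <magento_root> argument are assumptions.

PATCHED_FILES="
vendor/magento/framework/Filter/DirectiveProcessor/DependDirective.php
vendor/magento/framework/Filter/DirectiveProcessor/ForDirective.php
vendor/magento/framework/Filter/DirectiveProcessor/IfDirective.php
vendor/magento/framework/Filter/DirectiveProcessor/SimpleDirective.php
vendor/magento/framework/Filter/DirectiveProcessor/VarDirective.php
vendor/magento/module-email/Model/Template/Filter.php
"

# Run BEFORE patching: snapshot_baseline <magento_root> <baseline_file>
# Writes one "hash  path" line per file (sha256sum format) to the baseline file.
snapshot_baseline() {
  root="$1"; out="$2"; : > "$out"
  for f in $PATCHED_FILES; do
    [ -f "$root/$f" ] && (cd "$root" && sha256sum "$f") >> "$out"
  done
}

# Run AFTER patching: verify_patched <magento_root> <baseline_file>
# Every file must exist, its hash must differ from the baseline, and no *.rej
# (hunk rejected by patch) may sit next to it. Returns 0 on success, 1 otherwise.
verify_patched() {
  root="$1"; baseline="$2"; status=0
  for f in $PATCHED_FILES; do
    if [ ! -f "$root/$f" ]; then echo "MISSING   $f"; status=1; continue; fi
    if [ -e "$root/$f.rej" ]; then echo "REJECTED  $f.rej"; status=1; fi
    old=$(grep " $f\$" "$baseline" | cut -d' ' -f1)
    new=$(cd "$root" && sha256sum "$f" | cut -d' ' -f1)
    if [ "$old" = "$new" ]; then
      echo "UNCHANGED $f"; status=1
    else
      echo "changed   $f"
    fi
  done
  return $status
}

# Usage: snapshot_baseline /var/www/magento baseline.txt   (before applying patches)
#        verify_patched   /var/www/magento baseline.txt   (after applying patches)
```

An unchanged hash or a leftover `.rej` is the evidence to hand a client when an external scanner still flags the store: the scanner is often keying on the reported version string rather than on the patched code.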
