Alert Logic is actively researching two recently disclosed critical vulnerabilities in Adobe Commerce and Magento Open Source, CVE-2022-24086 and CVE-2022-24087. Both are improper input validation flaws that could allow an attacker to achieve arbitrary code execution on the affected store. Adobe has reported CVE-2022-24086 as under active exploitation in the wild; CVE-2022-24087 is a related vulnerability disclosed after the first patch and requires an additional patch.
Adobe has released security updates to address these vulnerabilities. It is recommended that you apply patches as soon as possible if you are running the following affected products:
- Adobe Commerce – 2.4.3-p1 and earlier versions
- Adobe Commerce – 2.3.7-p2 and earlier versions (2.3.3-p1 and later)
- Magento Open Source – 2.4.3-p1 and earlier versions
- Magento Open Source – 2.3.7-p2 and earlier versions (2.3.3-p1 and later)
Note: Adobe Commerce and Magento Open Source versions 2.3.0 to 2.3.3 are not affected.
For more information on these vulnerabilities and the security updates available, refer to Adobe's Security Bulletin APSB22-12.
Alert Logic's own products and services are not affected by these vulnerabilities.
Alert Logic Coverage
Vulnerability Scanning: Alert Logic released scan coverage on February 15, 2022, by 20:00 CDT to identify these vulnerabilities. A scan performed after this release checks the Magento version and raises an exposure for CVE-2022-24086 when a vulnerable version is found. Note that Adobe delivers the fixes as patches applied on top of an existing release, so the reported version string does not change once a patch is applied. A version-based check therefore cannot tell a patched 2.4.3-p1 installation from an unpatched one, nor whether the additional patch for CVE-2022-24087 has been applied; confirm patch status on the host itself before treating the exposure as resolved.
Network IDS: Alert Logic has released IDS telemetry signatures to aid in detection research.
Web Application Firewall: Alert Logic is researching this threat to determine whether web application coverage is appropriate for this threat.
Log Management: Alert Logic has deployed initial telemetry analytics to aid in detection research.
Recommendations for Mitigation
Adobe has released patches for both vulnerabilities; the patch for CVE-2022-24087 is applied in addition to the patch for CVE-2022-24086, not instead of it. Alert Logic highly recommends that you apply both patches as soon as possible if you are running the following affected products:
- Adobe Commerce – 2.4.3-p1 and earlier versions
- Adobe Commerce – 2.3.7-p2 and earlier versions
- Magento Open Source – 2.4.3-p1 and earlier versions
- Magento Open Source – 2.3.7-p2 and earlier versions
Note: Adobe Commerce and Magento Open Source versions 2.3.0 to 2.3.3 are not affected.
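The version check described under Vulnerability Scanning above, applied to the affected-version list, is easy to get wrong because Magento's "-pN" suffix marks a later security release (2.4.3 is older than 2.4.3-p1), the opposite of how semver treats a hyphenated suffix, and because the fix is a hotfix that leaves the version string unchanged. The script below is an added illustration and is not Alert Logic's scanner logic or Adobe's code. It assumes the store's composer.lock pins the magento/product-community-edition or magento/product-enterprise-edition metapackage, and that Adobe's hotfixes MDVA-43395 (CVE-2022-24086) and MDVA-43443 (CVE-2022-24087) are applied through cweagans/composer-patches and so appear under extra.patches in composer.json; the sample files are constructed and the package key in the sample composer.json is illustrative. Sites that apply patches another way need a different hotfix check.

```python
"""Version-range and hotfix triage for CVE-2022-24086 / CVE-2022-24087.

Added example, not Alert Logic scanner code. Ranges are the ones in Adobe's
bulletin as quoted on this page. The composer.json layout read by
hotfixes_declared() is an assumption (cweagans/composer-patches style).
"""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

# Magento's "-pN" suffix is a *later* security release (2.4.3 < 2.4.3-p1 < 2.4.4),
# so map it to a fourth numeric component instead of treating it as a pre-release.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def parse_version(text: str) -> Version:
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Magento version string: {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


# Inclusive affected ranges from the bulletin: 2.3.3-p1..2.3.7-p2 and 2.4.0..2.4.3-p1.
AFFECTED_RANGES = (
    ((2, 3, 3, 1), (2, 3, 7, 2)),
    ((2, 4, 0, 0), (2, 4, 3, 1)),
)
# The bulletin's explicit carve-out: 2.3.0 through 2.3.3 are not affected.
NOT_AFFECTED_RANGE = ((2, 3, 0, 0), (2, 3, 3, 0))


def classify(version: str) -> str:
    """'affected', 'not_affected', or 'unlisted' (outside the bulletin's ranges:
    2.4.4+ and 2.3.7-p3+ ship the fix; anything below 2.3.0 is end of life and
    must be judged separately rather than assumed safe)."""
    v = parse_version(version)
    if any(lo <= v <= hi for lo, hi in AFFECTED_RANGES):
        return "affected"
    lo, hi = NOT_AFFECTED_RANGE
    if lo <= v <= hi:
        return "not_affected"
    return "unlisted"


MAGENTO_PACKAGES = ("magento/product-community-edition",
                    "magento/product-enterprise-edition")


def version_from_composer_lock(lock_text: str) -> Optional[str]:
    """The platform version is pinned by the product metapackage in composer.lock."""
    for pkg in json.loads(lock_text).get("packages", []):
        if pkg.get("name") in MAGENTO_PACKAGES:
            return pkg.get("version")
    return None


HOTFIXES = {"MDVA-43395": "CVE-2022-24086", "MDVA-43443": "CVE-2022-24087"}


def hotfixes_declared(composer_json_text: str) -> Dict[str, bool]:
    """Which hotfixes are declared under extra.patches (composer-patches layout, assumed)."""
    extra = json.loads(composer_json_text).get("extra", {})
    declared = json.dumps(extra.get("patches", {}))
    return {name: name in declared for name in HOTFIXES}


def triage(lock_text: str, composer_json_text: str) -> Dict[str, str]:
    """Version check plus hotfix check. Version alone cannot prove a fix, because
    applying MDVA-43395 / MDVA-43443 leaves the version string unchanged."""
    version = version_from_composer_lock(lock_text)
    if version is None:
        return {"status": "unknown", "reason": "no Magento metapackage in composer.lock"}
    status = classify(version)
    if status != "affected":
        return {"version": version, "status": status}
    present = hotfixes_declared(composer_json_text)
    missing = [HOTFIXES[name] for name, ok in present.items() if not ok]
    if missing:
        return {"version": version, "status": "exposed", "missing": ", ".join(missing)}
    return {"version": version, "status": "patched"}


# Constructed sample files (not from a real deployment): 2.4.3-p1 with only the
# first hotfix declared, i.e. a site patched before the second patch was released.
SAMPLE_LOCK = json.dumps({"packages": [
    {"name": "magento/framework", "version": "103.0.3-p1"},
    {"name": "magento/product-community-edition", "version": "2.4.3-p1"},
]})
SAMPLE_COMPOSER_JSON = json.dumps({"extra": {"patches": {"magento/framework": {
    "MDVA-43395": "patches/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch"}}}})

if __name__ == "__main__":
    print(triage(SAMPLE_LOCK, SAMPLE_COMPOSER_JSON))
```

On the constructed sample the result is `exposed` with CVE-2022-24087 listed as missing, which is exactly the case described in the 02/22/2022 update: the first patch is present, the second is not. A host that classifies as `unlisted` is not necessarily safe; it is outside the ranges the bulletin names and needs a manual decision.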
For more information on these vulnerabilities and the security updates available, refer to Adobe's Security Bulletin APSB22-12.
Updates
This article will be updated with new information about these vulnerabilities and related Alert Logic coverage as it becomes available.
02/15/2022: This article has been updated to include information about the current status of Alert Logic coverage, including coverage still in development. Additional updates will be posted as coverage is released.
02/16/2022: Alert Logic released scan coverage on February 15, 2022, by 20:00 CDT to identify these vulnerabilities. A scan performed after this release checks the Magento version, and an exposure is raised in the Alert Logic console for CVE-2022-24086 if a vulnerable version is found.
02/17/2022: On February 16, 2022, Alert Logic released IDS telemetry signatures to aid in detection research.
02/22/2022: Since the initial announcement of CVE-2022-24086, a related vulnerability has been added: CVE-2022-24087. Adobe has now released patches for both vulnerabilities. If you patched before February 17, 2022, you have the fix for CVE-2022-24086 only and need to apply the additional patch for CVE-2022-24087. This article has been updated to include CVE-2022-24087 and the additional patch recommendation.