Adobe announced a critical vulnerability affecting Adobe Commerce and Magento Open Source. Adobe Commerce merchants have been attacked and the exploitation of the vulnerability is in the wild right now.
An important detail Adobe shared is that no authentication is necessary for successful exploitation.
That means an attacker doesn’t need to obtain a user login in order to exploit the vulnerability.
The second detail Adobe shared is that admin privileges are not necessary to exploit it either.
Adobe Vulnerability Ratings
Adobe published three rating metrics for vulnerabilities:
- Common Vulnerability Scoring System (CVSS)
- Priority
- Vulnerability Level
Common Vulnerability Scoring System (CVSS)
The Common Vulnerability Scoring System (CVSS) is an open standard developed by a non-profit (FIRST.org) that scores vulnerabilities on a scale of 1 to 10.
A score of one is the least concerning and a score of ten is the highest level of severity of a vulnerability.
The CVSS score for the Adobe Commerce and Magento vulnerability is 9.8.
Vulnerability Priority Level
The priority metric has three levels: 1, 2, and 3. Level 1 is the most serious and level 3 is the least serious.
Adobe has listed the priority level of this exploit as 1, which is the highest level.
A priority level of 1 means that the vulnerabilities are being actively exploited in websites.
This is the worst-case scenario for merchants because it means that unpatched instances of Adobe Commerce and Magento are vulnerable to being hacked.
Adobe’s definition of Priority Level 1 is:
“This update resolves vulnerabilities being targeted, or which have a higher risk of being targeted, by exploit(s) in the wild for a given product version and platform.
Adobe recommends administrators install the update as soon as possible. (for example, within 72 hours).”
Vulnerability Level
Adobe’s vulnerability levels are named moderate, important and critical, with critical representing the most dangerous level.
The vulnerability level assigned to the Adobe Commerce and Magento Open Source exploit is rated as critical, which is the most dangerous rating level.
Adobe’s definition of the critical rating level is:
“A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.”
Arbitrary Code Execution Exploit
What makes this vulnerability especially worrying is the fact that Adobe admitted it’s an Arbitrary Code Execution vulnerability.
Arbitrary code execution generally means that the code an attacker can run is not limited in scope: the attacker can execute essentially any code they want, and so carry out nearly whatever task or command they wish.
An arbitrary code execution vulnerability is a highly serious type of flaw.
Which Versions Are Affected
Adobe announced that an update patch was published to fix the affected versions of its software.
The update release notes stated:
“The patches were tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.”
The main vulnerability announcement stated that Adobe Commerce versions 2.3.3 and lower are not affected.
https://helpx.adobe.com/security/products/magento/apsb22-12.html
Adobe recommends that users of the affected software update their installations immediately.
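For merchants who run many storefronts, the version ranges quoted above are easiest to apply with a small script. The following is an added example, not code from the article or from Adobe, that parses Magento version strings (including the `-pN` security-patch suffix, which sorts after the bare release) and places a version against the ranges the release notes list: 2.3.3-p1 through 2.3.7-p2 and 2.4.0 through 2.4.3-p1 are covered by the patches, and 2.3.3 and lower are not affected. It assumes that `bin/magento --version` prints a line containing the version, such as `Magento CLI 2.4.3-p1`; versions above the listed ranges are reported as outside them rather than guessed at, since the article does not cover them.

```python
import re

# Version ranges quoted from the Adobe release notes in this article.
AFFECTED_RANGES = (
    ("2.3.3-p1", "2.3.7-p2"),
    ("2.4.0", "2.4.3-p1"),
)
# The bulletin states that 2.3.3 and lower are not affected.
LAST_UNAFFECTED = "2.3.3"

# Matches '2.4.3' or '2.4.3-p1' anywhere in a string (assumed `bin/magento --version` shape).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, p) from a string such as '2.4.3-p1' or 'Magento CLI 2.4.3-p1'.

    A release without a '-pN' suffix gets p=0, so 2.4.3 sorts before 2.4.3-p1.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def classify(version_text):
    """Return 'affected', 'not affected', or 'outside listed ranges' for a version string."""
    v = parse_version(version_text)
    for low, high in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return "affected"
    if v <= parse_version(LAST_UNAFFECTED):
        return "not affected"
    # Newer than anything the release notes list: consult the bulletin rather than assume.
    return "outside listed ranges"


def is_affected(version_text):
    return classify(version_text) == "affected"


if __name__ == "__main__":
    # Constructed sample lines standing in for `bin/magento --version` output on several hosts.
    fleet = {
        "shop-a": "Magento CLI 2.4.3-p1",
        "shop-b": "Magento CLI 2.3.3",
        "shop-c": "Magento CLI 2.3.7-p2",
        "shop-d": "Magento CLI 2.4.3-p2",
    }
    for host, line in fleet.items():
        print(f"{host}: {line!r} -> {classify(line)}")
```

The comparison is a plain tuple comparison once the version is parsed, which is why the suffix handling matters: treating `2.4.3-p1` as equal to `2.4.3` would misplace the upper bound of the second range.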
Citations
Read the Adobe Security Bulletin
Security update available for Adobe Commerce | APSB22-12
Read the Adobe Commerce and Magento Open Source Patch Release Notes
Security updates available for Adobe Commerce APSB22-12