Adobe has released security updates for both Adobe Commerce and Magento Open Source. In its Security Bulletin, Adobe has shared that a critical vulnerability has been found; if exploited successfully, it could lead to arbitrary code execution.

It is important for businesses running these platforms to install the patches as soon as possible, in order to prevent any unwarranted access to data. 

Following the recommendations of Adobe as well as our internal guidelines and processes, here is in brief what we do to secure the online presences of our clients.

The Adobe Commerce and Magento Open Source patches

Firstly, two Adobe patches must be applied, in this order: MDVA-43395 first, then MDVA-43443.

Note that the following versions are affected and contain the above-mentioned vulnerability.

Adobe Commerce

  • 2.4.3-p1 and earlier versions (all platforms)

  • 2.3.7-p2 and earlier versions (all platforms)

Magento Open Source

  • 2.4.3-p1 and earlier versions (all platforms)

  • 2.3.7-p2 and earlier versions (all platforms)

It is advisable to follow Adobe’s recommendation and update the installation:

In the case of Adobe Commerce (all platforms)

  • For Adobe Commerce 2.4.3 – 2.4.3-p1:

If you use Composer and have the Magento core inside the vendor folder, apply the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip patches.

If you don’t use Composer and have the Magento core inside the app/code folder, apply the MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_v1.patch.zip patches.

  • For Adobe Commerce 2.3.4-p2 – 2.4.2-p2: 

If you use Composer and have the Magento core inside the vendor folder, apply the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip patches.

If you don’t use Composer and have the Magento core inside the app/code folder, apply the MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_v1.patch.zip patches.

  • For Adobe Commerce 2.3.3-p1 – 2.3.4:

If you use Composer and have the Magento core inside the vendor folder, apply the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip patches.

If you don’t use Composer and have the Magento core inside the app/code folder, apply the MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.3.4_v1.patch.zip patches.

In the case of Magento Open Source (all platforms)

Adobe recommends installing the following patches in the case of Magento:

  • For Magento Open Source 2.4.3 – 2.4.3-p1:

For these versions, if you use Composer and have the Magento core inside the vendor folder, apply the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch.zip patches.

If you don’t use Composer and have the Magento core inside the app/code folder, apply the MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.3-p1_v1.patch.zip patches.

  • For Magento Open Source 2.3.4-p2 – 2.4.2-p2:

If you use Composer and have the Magento core inside the vendor folder, apply the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip patches.

If you don’t use Composer and have the Magento core inside the app/code folder, apply the MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.4.2-p2_v1.patch.zip patches.

  • For Magento Open Source 2.3.3-p1 – 2.3.4:

If you use Composer and have the Magento core inside the vendor folder, apply the MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch.zip and MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip patches.

If you don’t use Composer and have the Magento core inside the app/code folder, apply the MDVA-43395_EE_2.4.3-p1_v1.patch.zip and MDVA-43443_EE_2.3.4_v1.patch.zip patches.
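The version-to-patch selection above, as an added example that is not part of the original post and not Adobe's or Interactiv4's own tooling: a POSIX shell script that maps a shop's version and install type to the two archive names listed above and applies them in the order Adobe requires (MDVA-43395 first, then MDVA-43443), running a dry run before each real apply so a hunk that does not fit stops the process before anything is changed. It assumes the archives have already been downloaded into the Magento root and that each contains a `.patch` file with the same base name; the function names `version_key`, `select_patches` and `apply_patches` are chosen here.

```shell
#!/bin/sh
# Added example, not Interactiv4's or Adobe's own code. Assumes the MDVA .zip
# archives sit in the Magento root and each unzips to a .patch of the same
# base name. The shop version comes from `bin/magento --version`.

# Turn "2.4.3-p1" into a number that orders the same way the version does.
version_key() {
  ver=$1
  base=${ver%%-p*}
  p=0
  case "$ver" in *-p*) p=${ver##*-p} ;; esac
  old_ifs=$IFS; IFS=.; set -- $base; IFS=$old_ifs
  echo $(( $1 * 1000000 + $2 * 10000 + $3 * 100 + p ))
}

# Print the two archive names for a version, first MDVA-43395 then MDVA-43443.
# $2 is "yes" when the Magento core lives under vendor/ (Composer install).
select_patches() {
  version=$1
  composer=$2
  k=$(version_key "$version")
  if [ "$k" -ge "$(version_key 2.4.3)" ] && [ "$k" -le "$(version_key 2.4.3-p1)" ]; then
    v43443=2.4.3-p1
  elif [ "$k" -ge "$(version_key 2.3.4-p2)" ] && [ "$k" -le "$(version_key 2.4.2-p2)" ]; then
    v43443=2.4.2-p2
  elif [ "$k" -ge "$(version_key 2.3.3-p1)" ] && [ "$k" -le "$(version_key 2.3.4)" ]; then
    v43443=2.3.4
  else
    echo "version $version is outside the ranges listed in Adobe's bulletin" >&2
    return 1
  fi
  if [ "$composer" = yes ]; then
    suffix=_COMPOSER_v1.patch.zip
  else
    suffix=_v1.patch.zip
  fi
  # MDVA-43395 has a single archive for every listed version.
  echo "MDVA-43395_EE_2.4.3-p1${suffix}"
  echo "MDVA-43443_EE_${v43443}${suffix}"
}

# Run from the Magento root. Each archive is unzipped, dry-run, then applied;
# a failing dry run aborts before the tree is touched.
apply_patches() {
  archives=$(select_patches "$1" "$2") || return 1
  for archive in $archives; do
    unzip -o -q "$archive"
    patchfile=${archive%.zip}
    patch -p1 --dry-run < "$patchfile"
    patch -p1 < "$patchfile"
    echo "applied $patchfile"
  done
  # Usual follow-up once both patches are in: bin/magento cache:clean
}

# Demo on constructed input: archives for a Composer-based 2.4.3-p1 shop.
select_patches 2.4.3-p1 yes
```

A typical run is `apply_patches "$(bin/magento --version | awk '{print $NF}')" yes` from the Magento root; the dry run is what makes the MDVA-43395-then-MDVA-43443 ordering safe, because the second patch is applied only after the first has gone in cleanly.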

At Interactiv4, we embed security patches inside our Interactiv4 modules. This way we get more control over the application of each security patch. 

In addition, we analyze and adapt Magento security patches to Magento versions that are not supported officially any more.

Interactiv4 patches

So far, we have fully applied the patch to Magento Open Source versions 2.3.6, 2.3.7, 2.4.2 and 2.4.3, and partially applied it (the entire patch was not compatible) to Magento Open Source versions 2.2.8 and 2.3.2.

It has also recently been identified that the latest patch breaks the transactional email styles embedded inside the templates. Despite this issue, our recommendation is still to apply the patch and stay secure while the issue is being addressed.

It is crucial that these recommendations are followed in order to prevent any potentially unwarranted external access to your business. 

Should you need our services, or have any other questions about these patches or security-related issues, get in touch with our team. We are happy to help.