
Fix the critical Adobe/Magento security vulnerability with our latest module

It was recently revealed that there’s a serious security vulnerability affecting Adobe Commerce and Magento stores, and the community has been rife with conversation and concern. In this post we outline the issue and provide the module you need to ensure your sites are secure.

What’s the issue?

There’s currently an active Adobe Commerce and Magento security issue that’s impacting all stores without the updated patch. Because the encryption keys remain static, a merchant’s APIs can be left exposed to attack.
To address this, Adobe recommends that you rotate your encryption keys; however, the Adobe system doesn’t currently support doing that properly, which is where our module comes in.

Who is affected?

The vulnerability impacts the following products: Adobe Commerce on Cloud, Adobe Commerce on-premise, and Magento Open Source, including versions:

  • 2.4.7 and earlier
  • 2.4.6-p5 and earlier
  • 2.4.5-p7 and earlier
  • 2.4.4-p8 and earlier

The solution: GENE’s Encryption Key Manager Module

As part of patching and securing all our existing clients, our industry-leading tech team has created a module that will help you mitigate the immediate threat, as well as providing guidance and additional tooling to assist with the process.

We’re making the module and supporting content available for free to the community. Further information can be found here, via GitHub.

Crucially, our module includes the ability to cycle your encryption key, because even if your store is fully patched and secured, there is the chance that a JWT was issued and may still be valid. Additionally, the Magento process of generating a new encryption key does not actually invalidate the old one, meaning the issues still need to be addressed.

This module also fixes an issue where every sales_order_payment entry was updated during the key generation process. On large stores this could take a long time. Now only necessary entries with saved card information are updated.

We’ve also fixed two vanilla Magento issues with the module:

  • Security. When Magento generates a new encryption key, it still allows the old one to be used with JWTs. This module prevents that.
  • Performance. When Magento generates a new encryption key, the product media cache hash changes. This causes all product media to regenerate, which takes a lot of processing time, can slow down page loads for your customers, and consumes extra disk space. This module ensures the old hash is still used for the media gallery.
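To make the JWT point above concrete, here is a constructed model of the failure mode: a key ring that honours every historical key keeps accepting a token minted under the old key after rotation, and only stops once that key is explicitly invalidated. This is added illustration, not the module’s code or Magento’s implementation; the HS256 token format, the oldest-first key list, and the key values are assumptions.

```python
import base64, hashlib, hmac, json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, key: bytes) -> str:
    """Mint an HS256 JWT (assumed token format) under the given key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, accepted_keys) -> bool:
    """Accept the token if its signature matches ANY key in accepted_keys."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    presented = _b64url_decode(parts[2])
    return any(hmac.compare_digest(hmac.new(k, signing_input, hashlib.sha256).digest(), presented)
               for k in accepted_keys)

class KeyRing:
    """Ordered key list, oldest first; the last entry is the active key (assumed layout)."""
    def __init__(self, keys):
        self.keys = list(keys)
        self.retired = set()            # keys the operator has explicitly invalidated
    def active(self) -> bytes:
        return self.keys[-1]
    def rotate(self, new_key: bytes) -> None:
        self.keys.append(new_key)       # generating a new key does NOT retire the old one
    def invalidate(self, key: bytes) -> None:
        self.retired.add(key)
    def accepted_keys(self):
        return [k for k in self.keys if k not in self.retired]

def demo():
    """Returns (valid after rotation, valid after invalidation) for a token minted under the old key."""
    ring = KeyRing([b"old-key-constructed"])
    token = sign_jwt({"uid": 1}, ring.active())     # constructed claims
    ring.rotate(b"new-key-constructed")
    after_rotate = verify_jwt(token, ring.accepted_keys())      # True: old key still honoured
    ring.invalidate(b"old-key-constructed")
    after_invalidate = verify_jwt(token, ring.accepted_keys())  # False: old-key tokens rejected
    return after_rotate, after_invalidate
```

The takeaway for operators is that rotation alone leaves previously issued tokens valid; the old key has to be retired from the set of accepted keys as a separate step.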

As well as providing these fixes, the module includes additional CLI tooling to help you review and eventually invalidate your old keys.

It’s important to note that this module is provided as-is, without any warranty. Before releasing, please do test it on your local instances, then staging, then production. Use at your own risk.

Still struggling and need help from a Commerce Certified Adobe/Magento agency? Get in touch: [email protected]
