Adobe Commerce Adobe Commerce Patch Roundup: What’s New and Important Posted on 9th September, 2024 Adobe is committed to striking the perfect balance between delivering seamless product upgrades and rolling out new features swiftly for early adopters. Their versioning policy ensures a predictable schedule for announcing major new features throughout the year. While these key updates are planned periodically, Adobe also consistently enhances its extensibility tools, infrastructure, and SaaS products on an ongoing basis. Regular patch releases for the Adobe Commerce PHP application are essential for maintaining a secure, reliable, and high-performing platform. These patches provide critical updates to the core codebase, ensuring your store remains protected against vulnerabilities. Meanwhile, new features are delivered independently through modules, extensions, tools, or web services, allowing for continuous innovation without disrupting the core functionality. In this blog post, we’ll explore why staying on top of Adobe Commerce patches is essential for your online store and how timely reminders can help you keep your platform at its best. How Patches work Keeping your Adobe Commerce store updated with the latest patches is crucial for maintaining security, performance, and reliability. But how exactly do these patches work? Let’s break it down. Understanding Patch Files Patch files, often referred to as “diff” files, are text files that contain specific instructions for modifying existing code. Each patch file typically includes: The file(s) to be changed. The line number where the change begins and the number of lines to be modified. The new code that will replace the old code. When you run a patch program, it reads the patch file and applies the specified changes to the relevant files. This process ensures that your software is updated precisely and efficiently. Types of Patches There are three main types of patches in Adobe Commerce: Hotfixes Individual Patches Custom Patches Hotfixes Hotfixes are critical patches that address high-impact security or quality issues affecting many merchants. These fixes are promptly released by Adobe and incorporated into the next patch release for the relevant minor version. You can find hotfixes in the Adobe Security Center. To apply a hotfix, download the patch file from the Security Center according to your version and installation type, then use the command line or Composer to implement it. Be aware that hotfixes can sometimes introduce backward-incompatible changes, so thorough testing is recommended. Individual Patches Individual patches are designed to address specific, low-impact quality issues. These patches are applied to the most recently supported minor version (e.g., 2.4.x) but might not be available for previous versions (e.g., 2.3.x). Adobe releases individual patches as needed. You can apply individual patches using the Quality Patches Tool. Unlike hotfixes, individual patches do not include backward-incompatible changes, making them easier to implement without disrupting your current setup. Custom Patches Sometimes, fixes made on GitHub take a while to be included in an official Adobe Commerce release. In such cases, you can create custom patches from known git commits and apply them to your installation using the cweagans/composer-patches plugin. Here’s how you can create and apply a custom patch: Identify the specific commit on GitHub that addresses your issue. Create a patch file from this commit. Use the command line or Composer to apply the custom patch to your Composer-based installation. Custom patches offer flexibility and a quick solution for urgent bug fixes that haven’t yet been officially released by Adobe. For a detailed guide on how to apply patches, visit this link. Recent Security Updates On June 11, 2024, Adobe released a crucial security update for Adobe Commerce, Magento Open Source, and the Adobe Commerce Webhooks Plugin. This update addresses critical and important vulnerabilities that could lead to arbitrary code execution, security feature bypass, and privilege escalation if successfully exploited. Notably, Adobe has identified that CVE-2024-34102 has been actively exploited in the wild, targeting Adobe Commerce merchants. Affected Versions The following versions are impacted and require immediate attention: Adobe Commerce; 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, 2.4.4-p8 and earlier, 2.4.3-ext-7 and earlier*, 2.4.2-ext-7 and earlier* Magento Open Source; 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, 2.4.4-p8 and earlier Adobe Commerce Webhooks Plugin: 1.2.0 to 1.4.0 (*These versions apply to customers in the Extended Support Program.) Solution Adobe strongly recommends updating to the latest versions to mitigate these vulnerabilities. The updates have been categorised with the highest priority rating. Here are the updated versions you should install: Adobe Commerce: 2.4.7-p1 for 2.4.7 and earlier 2.4.6-p6 for 2.4.6-p5 and earlier 2.4.5-p8 for 2.4.5-p7 and earlier 2.4.4-p9 for 2.4.4-p8 and earlier 2.4.3-ext-8 for 2.4.3-ext-7 and earlier* 2.4.2-ext-8 for 2.4.2-ext-7 and earlier* Magento Open Source: 2.4.7-p1 for 2.4.7 and earlier 2.4.6-p6 for 2.4.6-p5 and earlier 2.4.5-p8 for 2.4.5-p7 and earlier 2.4.4-p9 for 2.4.4-p8 and earlier Adobe Commerce Webhooks Plugin: 1.5.0 Additionally, there is an isolated patch for CVE-2024-34102 (ACSD-60241), compatible with all Adobe Commerce and Magento Open Source versions between 2.4.4 and 2.4.7. Vulnerability Details Here’s a summary of the vulnerabilities addressed in this update: Server-Side Request Forgery (SSRF) (CWE-918): Critical, allows arbitrary code execution (CVE-2024-34111). Improper Restriction of XML External Entity Reference (XXE) (CWE-611): Critical, allows arbitrary code execution, actively exploited in the wild (CVE-2024-34102). Improper Authentication (CWE-287): Critical, leads to privilege escalation (CVE-2024-34103). Improper Authorization (CWE-285): Critical, results in security feature bypass (CVE-2024-34104). Improper Input Validation (CWE-20): Critical, allows arbitrary code execution (CVE-2024-34108, CVE-2024-34109, CVE-2024-34110). Cross-site Scripting (Stored XSS) (CWE-79): Important, leads to arbitrary code execution (CVE-2024-34105). Improper Authentication (CWE-287): Important, results in security feature bypass (CVE-2024-34106). Improper Access Control (CWE-284): Important, leads to security feature bypass (CVE-2024-34106). Ensuring your Adobe Commerce and Magento Open Source platforms are up-to-date with these patches is critical to maintaining a secure, reliable, and high-performing online store. Regular patching not only protects against vulnerabilities but also helps to uphold the integrity and trustworthiness of your e-commerce platform. Stay vigilant and prioritise these updates to safeguard your business against potential threats. Critical Security Update: Fix Adobe/Magento Vulnerabilities with Our Module There is currently an active Adobe Commerce Magento security issue affecting all stores without the latest patch. This vulnerability leaves merchant APIs exposed due to static encryption keys. To address this, Adobe recommends rotating your encryption keys, but the system currently lacks support for this process. Our industry-leading tech team has developed a module to mitigate this immediate threat, providing guidance and additional tools to assist with the process. We are offering this module and supporting content for free to the community. Further information can be found on GitHub. Crucially, our module includes the ability to cycle your encryption key. This is important because, even if your store is fully patched, a previously issued JWT might still be valid. Additionally, Magento’s process of generating a new encryption key does not invalidate the old one, leaving potential issues unresolved. Our module also resolves an issue where every sales_order_payment entry was updated during the key generation process, which could be time-consuming for large stores. Now, only necessary entries with saved card information are updated. For more information on our latest module, visit this link or alternatively get in touch via the link below.