It was recently revealed that there’s a serious security vulnerability affecting Adobe and Magento stores, and the community has been rife with conversation and concern. In our latest blog post, we outline the issue and provide you the module you need to ensure your sites are secure.  

What’s the issue?

There’s currently an active Adobe Commerce Magento security issue that’s impacting all stores without an updated patch. This vulnerability means that keys remain static which can leave merchant’s APIs exposed to attacks.

To fix this issue, Adobe recommends that you rotate your encryption keys, however the Adobe system doesn’t currently support that. Which is where our module comes in.

Who is affected?

The vulnerability impacts the following products and versions; Adobe Commerce on Cloud, Adobe Commerce on-premise, and Magento Open Source, including versions:2.4.7 and earlier2.4.6-p5 and earlier2.4.5-p7 and earlier2.4.4-p8 and earlier.

The solution: GENE’s Encryption Key Manager Module

As part of patching and securing all our existing clients, our industry leading tech team have created a module which will help you mitigate against the immediate threat, as well providing guidance and additional tooling to assist with the process.

We’re making the module and supporting content available for free to the community. Further information can be found here, via GitHub

Crucially, our module includes the ability to cycle your encryption key, because even if your store is fully patched and secured, there is the chance that a JWT was issued and may still be valid. Additionally, the Magento process of generating a new encryption key does not actually invalidate the old one, meaning the issues still need to be addressed.

This module also fixes an issue where every sales_order_payment entry was updated during the key generation process. On large stores this could take a long time. Now only necessary entries with saved card information are updated.

We’ve also fixed two vanilla Magento issues with the module:

• Security. When magento generates a new encryption key it still allows the old one to be used with JWTs. This module prevents that.

• Performance. When magento generates a new encryption key, it causes the product media cache hash to change. This causes all product media to regenerate which takes a lot of processing time which can slow down page loads for your customers, as well as consuming extra disk space. This module ensures the old hash is still used for the media gallery.

  
  

As well as providing these fixes there is also additional CLI tooling to help you review, and eventually invalidate your old keys.

It’s important to note that this module is provided as-is without any warranty. Before releasing please do test this on your local instances, then staging, then production. Use at your own risk.

Still struggling and need help from a Commerce Certified Adobe/Magento agency?