
Fix the critical Adobe/Magento security vulnerability with our latest module
Adobe is committed to striking the perfect balance between delivering seamless product upgrades and rolling out new features swiftly for early adopters. Their versioning policy ensures a predictable schedule for announcing major new features throughout the year. While these key updates are planned periodically, Adobe also consistently enhances its extensibility tools, infrastructure, and SaaS products on an ongoing basis.
It was recently revealed that there's a serious security vulnerability affecting Adobe Commerce and Magento stores, and the community has been rife with conversation and concern. In our latest blog post, we outline the issue and provide you with the module you need to ensure your sites are secure.
What’s the issue?
There's currently an active Adobe Commerce Magento security issue that's impacting all stores without an updated patch. Because of this vulnerability, encryption keys remain static, which can leave merchants' APIs exposed to attack.
To fix this issue, Adobe recommends that you rotate your encryption keys; however, the Adobe system doesn't currently support that, which is where our module comes in.
Who is affected?
The vulnerability impacts the following products: Adobe Commerce on Cloud, Adobe Commerce on-premise, and Magento Open Source, including these versions:
2.4.7 and earlier
2.4.6-p5 and earlier
2.4.5-p7 and earlier
2.4.4-p8 and earlier
The solution: GENE’s Encryption Key Manager Module
As part of patching and securing all our existing clients, our industry-leading tech team has created a module that will help you mitigate the immediate threat, as well as providing guidance and additional tooling to assist with the process.
We're making the module and supporting content available for free to the community. Further information can be found here, via GitHub.
Crucially, our module includes the ability to cycle your encryption key, because even if your store is fully patched and secured, there is a chance that a JWT was issued and may still be valid. Additionally, the Magento process of generating a new encryption key does not actually invalidate the old one, meaning the issue still needs to be addressed.
This module also fixes an issue where every sales_order_payment entry was updated during the key generation process. On large stores this could take a long time. Now only the entries that hold saved card information are updated.
We’ve also fixed two vanilla Magento issues with the module:
Security. When Magento generates a new encryption key, it still allows the old one to be used with JWTs. This module prevents that.
Performance. When Magento generates a new encryption key, the product media cache hash changes. This causes all product media to regenerate, which takes a lot of processing time, can slow down page loads for your customers, and consumes extra disk space. This module ensures the old hash is still used for the media gallery.
As well as providing these fixes, there is additional CLI tooling to help you review and eventually invalidate your old keys.
It's important to note that this module is provided as-is without any warranty. Before releasing, please test this on your local instances, then staging, then production. Use at your own risk.
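To make the JWT point concrete, here is an added Python model of the behaviour described above. It is illustrative code written for this post, not the GENE module and not Magento's own implementation: a key ring that keeps the old key after rotation (as the post says the vanilla process does), a verifier that accepts any key in the ring, and a hardened verifier that accepts only the newest key. Key values and the HS256 token format are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(payload: dict, key: bytes, kid: str) -> str:
    """Mint an HS256 JWT under one key from the ring; kid records which key was used."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)

def verify_jwt(token: str, accepted_keys: list) -> bool:
    """True if the signature matches any key in accepted_keys (constant-time compare)."""
    try:
        signing_input, sig_b64 = token.rsplit(".", 1)
        sig = _b64url_decode(sig_b64)
    except ValueError:  # malformed token or bad base64 (binascii.Error is a ValueError)
        return False
    return any(
        hmac.compare_digest(hmac.new(k, signing_input.encode(), hashlib.sha256).digest(), sig)
        for k in accepted_keys
    )

# Constructed key ring after a vanilla "generate new key": the old key is kept
# (it is still needed to decrypt data stored under it) and the new key is appended.
OLD_KEY = b"constructed-old-key-00000000000000"
NEW_KEY = b"constructed-new-key-11111111111111"
KEY_RING = [OLD_KEY, NEW_KEY]

def verify_vanilla(token: str) -> bool:
    """Behaviour the post describes: every key in the ring still validates JWTs."""
    return verify_jwt(token, KEY_RING)

def verify_hardened(token: str) -> bool:
    """Only the newest key may validate JWTs; tokens minted under the old key are rejected."""
    return verify_jwt(token, KEY_RING[-1:])

if __name__ == "__main__":
    old_token = sign_jwt({"uid": 1}, OLD_KEY, "0")
    print("vanilla accepts old-key token:", verify_vanilla(old_token))    # True
    print("hardened accepts old-key token:", verify_hardened(old_token))  # False
```

The old key stays in the ring for decrypting stored data; the hardened verifier simply stops treating it as a valid JWT signing key, which is the separation the post's security fix describes.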
Still struggling and need help from a Commerce Certified Adobe/Magento agency?
Author
Gene Splicer
Part strategist, part scientist, all in on eCommerce evolution. Gene Splicer spends their time dissecting data, stitching together insight, and engineering smarter ways to grow online. Occasionally seen muttering about Level 5 in the wild.