How to install Magento patch MDVA-49935 for critical vulnerability APSB22-12 (CVE-2022-24086 and CVE-2022-24087)

UPDATE: On Friday February 18th, 2022, Adobe released yet another emergency patch for Magento 2 to fix another unauthenticated remote code execution vulnerability with a CVSS score of 9.8. Please follow this article to see what needs to be done to keep your application secure.

On Sunday February 13th, 2022, Adobe released an emergency patch for Magento 2, to fix a critical vulnerability in Magento 2.3 and 2.4. This vulnerability has a CVSS score of 9.8, as it allows unauthenticated remote code execution, meaning hackers could use this vulnerability to get complete control of your webshop. We highly advise all customers to install the patch as soon as possible, to prevent this.

What should you do

Adobe released a patch for this critical vulnerability, called APSB22-12. The vulnerability is critical for Magento versions 2.3.3-p1 - 2.3.7-p2 and 2.4.0 - 2.4.3-p1. Successful exploitation could lead to remote code execution. By installing the MDVA-49935 patch you can resolve this critical vulnerability.

How to Install the Patch

You can follow the regular patch instructions on the Adobe website. If you can't fix this yourself, please contact one of our partners so they can help you install the patch. We also put in a little effort to make the patching process low-effort, if you're into that.

Please check your Magento application version. This can be done by running the command bin/magento --version. If your Magento version falls within one of the version ranges below, follow the instructions for that range. Also check whether your Magento application is installed using Composer or not, to see which variant of the commands you need to run.

Magento 2.4.3 - 2.4.3-p1

# If your Magento application is installed with Composer
curl https://magento.mirror.hypernode.com/releases/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch -o patch_mdva_43395.patch
curl https://magento.mirror.hypernode.com/releases/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch -o patch_mdva_43443.patch
patch -N -n -r- -p1 < patch_mdva_43395.patch
patch -N -n -r- -p1 < patch_mdva_43443.patch

# If your Magento application is installed without Composer
curl https://magento.mirror.hypernode.com/releases/MDVA-43395_EE_2.4.3-p1_v1.patch -o patch_mdva_43395.patch
curl https://magento.mirror.hypernode.com/releases/MDVA-43443_EE_2.4.3-p1_v1.patch -o patch_mdva_43443.patch
patch -N -n -r- -p1 < patch_mdva_43395.patch
patch -N -n -r- -p1 < patch_mdva_43443.patch

Magento 2.3.4-p2 - 2.4.2-p2

# If your Magento application is installed with Composer
curl https://magento.mirror.hypernode.com/releases/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch -o patch_mdva_43395.patch
curl https://magento.mirror.hypernode.com/releases/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch -o patch_mdva_43443.patch
patch -N -n -r- -p1 < patch_mdva_43395.patch
patch -N -n -r- -p1 < patch_mdva_43443.patch

# If your Magento application is installed without Composer
curl https://magento.mirror.hypernode.com/releases/MDVA-43395_EE_2.4.3-p1_v1.patch -o patch_mdva_43395.patch
curl https://magento.mirror.hypernode.com/releases/MDVA-43443_EE_2.4.2-p2_v1.patch -o patch_mdva_43443.patch
patch -N -n -r- -p1 < patch_mdva_43395.patch
patch -N -n -r- -p1 < patch_mdva_43443.patch

Magento 2.3.3-p1 - 2.3.4

# If your Magento application is installed with Composer
curl https://magento.mirror.hypernode.com/releases/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch -o patch_mdva_43395.patch
curl https://magento.mirror.hypernode.com/releases/MDVA-43443_EE_2.3.4_COMPOSER_v1.patch -o patch_mdva_43443.patch
patch -N -n -r- -p1 < patch_mdva_43395.patch
patch -N -n -r- -p1 < patch_mdva_43443.patch

# If your Magento application is installed without Composer
curl https://magento.mirror.hypernode.com/releases/MDVA-43395_EE_2.4.3-p1_v1.patch -o patch_mdva_43395.patch
curl https://magento.mirror.hypernode.com/releases/MDVA-43443_EE_2.3.4_v1.patch -o patch_mdva_43443.patch
patch -N -n -r- -p1 < patch_mdva_43395.patch
patch -N -n -r- -p1 < patch_mdva_43443.patch

Workaround if you are unable to patch

If you are unable to install this patch right away, you have the option to install a temporary workaround to block any payloads. Please note that this workaround will have NEGATIVE side effects. It may block legitimate traffic and requests, and could block API calls or administrative requests. You install this workaround at your own risk. Be sure to test all the important actions and workflows in your shop after installing this workaround.

**Only use this code if you are unable to install the patch.** Even installing this patch manually, by reading the code and modifying the core files, is a better solution than installing this workaround.

To install the workaround, create a file named /data/web/nginx/server.CVE-2022-24086 and paste the following content into this file:

# LUA block to detect, block and log CVE-2022-24086 payloads.
# v1.0 - Cipriano Groenendal - Hypernode B.V. (C) - 20220214
rewrite_by_lua_block {

    -- Force nginx to read the request body so it can be inspected here.
    ngx.req.read_body()
    -- Returns nil for an empty body, or when the body was spooled to a
    -- temporary file (see client_body_buffer_size); such requests are not inspected.
    local req_body = ngx.req.get_body_data()

    if req_body then
        -- Two opening and two closing braces, literal or percent-encoded.
        local m, err = ngx.re.match(req_body, "(%7B|{){2}.*(%7D|}){2}")
        if m then
            ngx.log(ngx.ERR, 'Found potential CVE-2022-24086 attack in body data')
            ngx.exit(ngx.HTTP_BAD_REQUEST)
        end
    end
}

The workaround will become active the moment you save the file. Please ensure you remove the workaround again after you have installed the patches.
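To show what the workaround above actually blocks and why it can hit legitimate requests, here is the same decision logic re-implemented in Python and run over a few constructed request bodies. This is an added example, not Hypernode's code; the sample bodies, the names inspect_body and run_samples, and the Magento CMS directive used as the admin case are assumptions made for illustration.

```python
import re
from typing import Dict, NamedTuple, Optional

# Same expression as the nginx workaround (braces escaped for Python's re):
# two opening braces, anything, then two closing braces, literal or
# percent-encoded. Kept case-sensitive and without DOTALL to mirror the
# default behaviour of ngx.re.match.
CVE_2022_24086_PATTERN = re.compile(r"(%7B|\{){2}.*(%7D|\}){2}")


class Verdict(NamedTuple):
    blocked: bool
    reason: str


def inspect_body(body: Optional[str]) -> Verdict:
    """Mirror of the rewrite_by_lua_block decision for one request body."""
    if body is None:
        # ngx.req.get_body_data() yields nil for an empty body or one
        # spooled to a temp file; the Lua block lets such requests through.
        return Verdict(False, "no in-memory body, not inspected")
    if CVE_2022_24086_PATTERN.search(body):
        # Same message the nginx block writes to the error log.
        return Verdict(True, "Found potential CVE-2022-24086 attack in body data")
    return Verdict(False, "clean")


# Constructed sample bodies (assumed for this example, not captured traffic).
SAMPLE_BODIES: Dict[str, Optional[str]] = {
    # template-directive syntax in a form field: the case the workaround targets
    "directive_in_form_field": "firstname={{var customer.name}}&lastname=doe",
    # the same thing with the braces percent-encoded by the browser
    "encoded_directive": "firstname=%7B%7Bvar+customer.name%7D%7D&lastname=doe",
    # nested JSON has no two adjacent opening braces, so it passes
    "benign_json_order": '{"cart":{"items":[{"sku":"24-MB01","qty":1}]}}',
    # an admin saving a CMS block that uses a Magento {{...}} directive:
    # legitimate, but blocked (the side effect the article warns about)
    "admin_cms_save": 'content=<p>{{block id="footer_links_block"}}</p>',
    # request without a body
    "no_body": None,
}


def run_samples() -> Dict[str, Verdict]:
    """Evaluate every constructed body and return the verdict per sample."""
    return {name: inspect_body(body) for name, body in SAMPLE_BODIES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:26} blocked={verdict.blocked!s:5} {verdict.reason}")
```

Run the admin_cms_save case against your own admin workflows: any request that saves CMS content, email templates or widgets with {{...}} directives will be rejected while the workaround is in place.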

What we are doing to protect you

While Adobe has seen this vulnerability exploited on a small scale in the wild, no exploits are known yet to either us or our (security) partners. Because of this, we are unable to install a defensive patch on the server at this time. We are, however, deploying scanners to all Hypernodes to attempt to detect and block any potential abuse of this vulnerability, and plan to roll out defensive patches once an exploit payload becomes available.