Understanding the Security Vulnerability (CVE-2024-34102)
The security patches we’re applying address a critical vulnerability known as CVE-2024-34102. This vulnerability affects Adobe Commerce (Magento) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. Let’s break down what this vulnerability means and why it’s crucial to patch:
What is the vulnerability?
The vulnerability is classified as an “Improper Restriction of XML External Entity Reference” or XXE vulnerability. This is a type of security flaw that can occur in applications that parse XML input.
How serious is it?
This vulnerability is considered critical because:
- It could result in arbitrary code execution, meaning an attacker could potentially run any code they want on your server.
- It doesn’t require user interaction to be exploited, making it particularly dangerous.
How could it be exploited?
An attacker could exploit this vulnerability by sending a specially crafted XML document to the affected Magento system. This document would contain references to external entities, which, if processed incorrectly, could lead to:
- Disclosure of confidential data
- Denial of service
- Server-side request forgery (SSRF)
- Port scanning from the perspective of the machine where the parser is located
- And in the worst case, remote code execution
What are the patches doing?
The patches we’re applying make several key changes:
- They add additional validation in the ServiceInputProcessor class to prevent processing of potentially dangerous XML element types.
- They update various theme files to include a new translation for “Invalid data type”, which is used in error messages related to this new validation.
- They modify the SecretBasedJwksFactory class to enhance key handling, which may be related to improving overall security in token generation and validation.
Why is immediate patching important?
Given that this vulnerability:
- Affects multiple versions of Magento
- Can lead to arbitrary code execution
- Doesn’t require user interaction to exploit
It’s crucial to apply these patches as soon as possible. Leaving your system unpatched could expose your e-commerce platform to serious security risks, potentially compromising your data, your customers’ data, and the integrity of your entire system.
By applying these patches, you’re taking a critical step in protecting your Magento installation from this serious security threat. Remember, keeping your e-commerce platform updated and secure is not just a technical necessity, but a responsibility to your business and your customers.
Applying Security Patches to Magento 2.4.7
In this article, we’ll discuss how to apply security patches for the VULN-27015 vulnerability to various Magento 2.4.7 components. We’ll create separate patch files for each affected component and explain how to apply them using Composer.
Preparing Your Magento Installation for Patching
First, make sure you have a backup of your files and your database!
While there’s a quick way to patch your website, it’s crucial to understand the limitations and risks associated with different patching methods.
Quick but Temporary Fix
You can download the full patch file for Magento 2.4.7 and apply it in your website’s root directory. This method will apply the security fixes immediately. However, it comes with a significant drawback:
⚠️ Warning: This quick-fix approach is temporary. The patches will be deleted in your next deployment, leaving your website vulnerable again.
Recommended: Composer Method
For a permanent solution that survives deployments, we strongly recommend using the Composer method detailed in this blog post. This approach ensures that:
- Patches are applied consistently across all environments.
- Security fixes remain in place even after deployments or updates.
- You have better control and visibility of applied patches.
Version-Specific Considerations
🔍 Important: The patches and instructions in this blog post are specifically for Magento 2.4.7. If you’re running a different version of Magento, you’ll need to:
- Obtain the correct patch files for your specific Magento version.
- Adjust the file paths and patch contents accordingly.
- Follow the same general process outlined in this article, but with your version-specific patches.
Use this blog post as a guide to understand the patching process, but ensure you’re working with patches that match your Magento version.
Remember, maintaining the security of your e-commerce platform is an ongoing process. Always stay informed about the latest security updates and best practices for your specific Magento version.
You can download the patch that corresponds to your Magento version directly from Adobe’s website on this page: https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102
Here are the supported versions: 2.4.7, 2.4.7-p1, 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9.
Previous Magento versions are no longer maintained and I highly advise you to upgrade your Magento store to stay safe.
Before we apply the security patches, we need to ensure that our Magento installation is properly set up to handle composer patches. Follow these steps:
1. Add the Composer Patches Plugin
First, we need to add the cweagans/composer-patches plugin to our project. This plugin allows Composer to apply patches during the update or install process. Run the following command in your Magento root directory:
composer require cweagans/composer-patches
2. Create a Patches Directory
Next, we need to create a directory to store our patch files. In your Magento root directory, create a new folder called patches:
mkdir patches
3. Place Patch Files
Now, place all the patch files we created earlier directly into the patches directory. Your directory structure should look like this:
magento-root/
├── patches/
│ ├── VULN-27015-2.4.7x_v2-theme-adminhtml-backend.composer.patch
│ ├── VULN-27015-2.4.7x_v2-theme-frontend-blank.composer.patch
│ ├── VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch
│ ├── VULN-27015-2.4.7x_v2-framework.composer.patch
│ └── VULN-27015-2.4.7x_v2-module-jwt-user-token.composer.patch
├── composer.json
└── ... (other Magento files and directories)
4. Magento Admin Theme Patch
Create a file named VULN-27015-2.4.7x_v2-theme-adminhtml-backend.composer.patch with the following content:
diff --git a/i18n/en_US.csv b/i18n/en_US.csv
index 2708988e731..885d0056d4b 100644
--- a/i18n/en_US.csv
+++ b/i18n/en_US.csv
@@ -547,3 +547,4 @@ Dashboard,Dashboard
"Web Section","Web Section"
"Store Email Addresses Section","Store Email Addresses Section"
"Email to a Friend","Email to a Friend"
+"Invalid data type","Invalid data type"
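Review bot: the new row lands only in i18n/en_US.csv, so a store running another locale shows the untranslated English phrase that the framework hunk raises via Phrase('Invalid data type'); if localized output matters, the same row belongs in each locale CSV the theme ships. Since composer-exit-on-patch-failure is set to true in the composer.json below, a customized backend CSV whose last rows no longer match the three context rows ("Web Section", "Store Email Addresses Section", "Email to a Friend") will abort the whole composer update, so check those rows before applying rather than after.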
5. Magento Blank Theme Patch
Create a file named VULN-27015-2.4.7x_v2-theme-frontend-blank.composer.patch with the following content:
diff --git a/i18n/en_US.csv b/i18n/en_US.csv
index 025866f654d..cc02ab5ac90 100644
--- a/i18n/en_US.csv
+++ b/i18n/en_US.csv
@@ -439,3 +439,4 @@ Summary,Summary
Test,Test
test,test
Two,Two
+"Invalid data type","Invalid data type"
6. Magento Luma Theme Patch
Create a file named VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch with the following content:
diff --git a/i18n/en_US.csv b/i18n/en_US.csv
index e80cb58e679..3d0e8ab2650 100644
--- a/i18n/en_US.csv
+++ b/i18n/en_US.csv
@@ -489,3 +489,4 @@ Remove,Remove
Test,Test
test,test
Two,Two
+"Invalid data type","Invalid data type"
7. Magento Framework Patch
Create a file named VULN-27015-2.4.7x_v2-framework.composer.patch with the following content:
diff --git a/Webapi/ServiceInputProcessor.php b/Webapi/ServiceInputProcessor.php
index cd7960409e1..df31058ff32 100644
--- a/Webapi/ServiceInputProcessor.php
+++ b/Webapi/ServiceInputProcessor.php
@@ -278,6 +278,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface, ResetAf
// convert to string directly to avoid situations when $className is object
// which implements __toString method like \ReflectionObject
$className = (string) $className;
+ if (is_subclass_of($className, \SimpleXMLElement::class)
+ || is_subclass_of($className, \DOMElement::class)) {
+ throw new SerializationException(
+ new Phrase('Invalid data type')
+ );
+ }
$class = new ClassReflection($className);
if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) {
$className = substr($className, 0, -strlen('Interface'));
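Review bot: the guard sits after the (string) cast, which is right, so a $className passed as a __toString object is checked by its string value rather than by the object's own class; a one-line comment above the new block saying why these two base classes are refused (the XXE vector behind CVE-2024-34102 described in this post) would help the next reader, because the thrown Phrase('Invalid data type') explains nothing on its own. Note also that is_subclass_of is false for the base class itself; is_a($className, \SimpleXMLElement::class, true) covers the class and its descendants in one call, should a constructor parameter ever be typed with the base class directly.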
8. Magento JWT User Token Module Patch
Create a file named VULN-27015-2.4.7x_v2-module-jwt-user-token.composer.patch with the following content:
diff --git a/Model/SecretBasedJwksFactory.php b/Model/SecretBasedJwksFactory.php
--- a/Model/SecretBasedJwksFactory.php (revision 022e64b08a88658667bc2d6b922eada2b7910965)
+++ b/Model/SecretBasedJwksFactory.php (revision 8d2b0c1c6b421cdcd7f62a48a5edc9b0211d92a2)
@@ -35,6 +35,7 @@
public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory)
{
$this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key')));
+ $this->keys = [end($this->keys)];
//Making sure keys are large enough.
foreach ($this->keys as &$key) {
$key = str_pad($key, 2048, '&', STR_PAD_BOTH);
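Review bot: `$this->keys = [end($this->keys)];` narrows the JWKS to the newest entry of crypt/key, so tokens signed with an earlier key in that list stop validating once a new key is appended; that behavioural change belongs in the commit message, and it is the reason the key rotation step later in this post is mandatory rather than optional. The following `foreach ($this->keys as &$key)` now iterates over exactly one element, so the by-reference padding loop could be collapsed to a single str_pad assignment.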
Applying the Patches
To apply these patches using Composer, update your composer.json file with the following configuration:
"extra": {
    "magento-force": "override",
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/theme-adminhtml-backend": {
            "VULN-27015: Add 'Invalid data type' translation to backend theme": "patches/VULN-27015-2.4.7x_v2-theme-adminhtml-backend.composer.patch"
        },
        "magento/theme-frontend-blank": {
            "VULN-27015: Add 'Invalid data type' translation to blank theme": "patches/VULN-27015-2.4.7x_v2-theme-frontend-blank.composer.patch"
        },
        "magento/theme-frontend-luma": {
            "VULN-27015: Add 'Invalid data type' translation in Luma theme": "patches/VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch"
        },
        "magento/framework": {
            "VULN-27015: Update ServiceInputProcessor for improved type checking": "patches/VULN-27015-2.4.7x_v2-framework.composer.patch"
        },
        "magento/module-jwt-user-token": {
            "VULN-27015: Enhance SecretBasedJwksFactory for better key handling": "patches/VULN-27015-2.4.7x_v2-module-jwt-user-token.composer.patch"
        }
    }
}
After updating your composer.json, run the following command to apply the patches:
composer update
This will apply all the security patches to their respective components in your Magento 2.4.7 installation.
Rotating your encryption keys
Now that you have applied the patch, you absolutely need to generate a new encryption key, otherwise your website will still be vulnerable.
Here is how you do it:
Head over to System => Other Settings => Manage Encryption Keys
Choose your preferred method for key generation:
- Automatic Key Creation: set the Auto-generate Key option to Yes if you want a new key to be generated for you.
- Manual Key Input: if you have a specific key you’d like to use, set Auto-generate Key to No, then enter or paste your desired key into the New Key field.
Select the approach that best suits your needs for key management.
This will edit your app/etc/env.php file, so make sure it is writable! Keep the newly generated encryption key safe; you might need it later, and you can always find it in your env.php file.
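The following check (an added example, not part of the original post or of Adobe's patch set) covers the two steps above: it confirms each vendor file carries the line its patch adds, and it reads crypt/key from app/etc/env.php the way the patched SecretBasedJwksFactory does, to show which key the JWKS will now use and whether a rotation has actually happened. The vendor/magento/<package> paths and the var_export layout of env.php are assumptions.

```python
from __future__ import annotations
import re
from pathlib import Path

# One marker per vendor file that the five patches touch. The vendor/magento/<package>
# paths are an assumption (Composer's default layout for magento/* packages).
EXPECTED_MARKERS = {
    "vendor/magento/framework/Webapi/ServiceInputProcessor.php":
        "is_subclass_of($className, \\SimpleXMLElement::class)",
    "vendor/magento/module-jwt-user-token/Model/SecretBasedJwksFactory.php":
        "$this->keys = [end($this->keys)];",
    "vendor/magento/theme-adminhtml-backend/i18n/en_US.csv": '"Invalid data type","Invalid data type"',
    "vendor/magento/theme-frontend-blank/i18n/en_US.csv": '"Invalid data type","Invalid data type"',
    "vendor/magento/theme-frontend-luma/i18n/en_US.csv": '"Invalid data type","Invalid data type"',
}

def read_vendor_files(root: Path) -> dict[str, str]:
    """Read each expected vendor file under the Magento root; absent files are left out."""
    return {rel: (root / rel).read_text(encoding="utf-8")
            for rel in EXPECTED_MARKERS if (root / rel).is_file()}

def missing_patches(files: dict[str, str]) -> list[str]:
    """Vendor files whose patched line is absent; a missing file counts as unpatched."""
    return [rel for rel, marker in EXPECTED_MARKERS.items() if marker not in files.get(rel, "")]

def crypt_keys(env_php: str) -> list[str]:
    """Split crypt/key the way Encryptor and the patched factory do: trim, then split on runs
    of whitespace. Assumes the var_export layout Magento writes to app/etc/env.php."""
    match = re.search(r"'crypt'\s*=>\s*\[\s*'key'\s*=>\s*'([^']*)'", env_php)
    return match.group(1).strip().split() if match else []

def jwks_signing_key(env_php: str) -> str | None:
    """After the patch, SecretBasedJwksFactory keeps only end($this->keys): the last, newest key."""
    keys = crypt_keys(env_php)
    return keys[-1] if keys else None

def key_was_rotated(env_php: str) -> bool:
    """Heuristic: rotating from the admin appends the new key after the old one,
    so a single key means the rotation step was skipped."""
    return len(crypt_keys(env_php)) >= 2

# Constructed env.php fragment as written after one rotation (placeholder values, not real keys).
SAMPLE_ENV_PHP = ("<?php\nreturn [\n    'crypt' => [\n"
                  "        'key' => 'OLD_KEY_PLACEHOLDER\nNEW_KEY_PLACEHOLDER'\n    ],\n];\n")

if __name__ == "__main__":
    print("unpatched:", missing_patches(read_vendor_files(Path("."))) or "none")
    print("JWKS key:", jwks_signing_key(SAMPLE_ENV_PHP), "rotated:", key_was_rotated(SAMPLE_ENV_PHP))
```

Run it from the Magento root after composer update; any path it lists as unpatched means composer-patches did not touch that package, and "rotated: False" against your real env.php means the key step below has not been done yet.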
One last step!
Head over to Luke Rodgers’s extension https://github.com/genecommerce/module-encryption-key-manager in order to completely secure your website.
Many thanks to Peter Jaap Blaakmeer.
See you soon, Magestronautes!