Critical Security Update: Patching CVE-2024-34102 (CosmicSting) on Magento, Adobe Commerce

Understanding the Security Vulnerability (CVE-2024-34102)

The security patches we’re applying address a critical vulnerability known as CVE-2024-34102. This vulnerability affects Adobe Commerce (Magento) versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8, and earlier. Let’s break down what this vulnerability means and why it’s crucial to patch:

What is the vulnerability?

The vulnerability is classified as an “Improper Restriction of XML External Entity Reference” or XXE vulnerability. This is a type of security flaw that can occur in applications that parse XML input.

How serious is it?

This vulnerability is considered critical because:

  1. It could result in arbitrary code execution, meaning an attacker could potentially run any code they want on your server.
  2. It doesn’t require user interaction to be exploited, making it particularly dangerous.

How could it be exploited?

An attacker could exploit this vulnerability by sending a specially crafted XML document to the affected Magento system. This document would contain references to external entities, which, if processed incorrectly, could lead to:

  1. Disclosure of confidential data
  2. Denial of service
  3. Server-side request forgery (SSRF)
  4. Port scanning from the perspective of the machine where the parser is located
  5. And in the worst case, remote code execution

What are the patches doing?

The patches we’re applying make several key changes:

  1. They add additional validation in the ServiceInputProcessor class to prevent processing of potentially dangerous XML element types.
  2. They update various theme files to include a new translation for “Invalid data type”, which is used in error messages related to this new validation.
  3. They modify the SecretBasedJwksFactory class so that only the most recent encryption key is used when building the JWT key set, which is why the key-rotation step at the end of this post matters.

Why is immediate patching important?

Given that this vulnerability:

  1. Affects multiple versions of Magento
  2. Can lead to arbitrary code execution
  3. Doesn’t require user interaction to exploit

It’s crucial to apply these patches as soon as possible. Leaving your system unpatched could expose your e-commerce platform to serious security risks, potentially compromising your data, your customers’ data, and the integrity of your entire system.

By applying these patches, you’re taking a critical step in protecting your Magento installation from this serious security threat. Remember, keeping your e-commerce platform updated and secure is not just a technical necessity, but a responsibility to your business and your customers.

Applying Security Patches to Magento 2.4.7

In this article, we’ll discuss how to apply the VULN-27015 security patches (Adobe’s fix for CVE-2024-34102) to the affected Magento 2.4.7 components. We’ll create a separate patch file for each affected component and explain how to apply them using Composer.

Preparing Your Magento Installation for Patching

First, make sure you have a backup of your files and your database!

While there’s a quick way to patch your website, it’s crucial to understand the limitations and risks associated with different patching methods.

Quick but Temporary Fix

You can download the full patch file for Magento 2.4.7 and apply it from your website’s root directory. This method applies the security fixes immediately. However, it comes with a significant drawback:

⚠️ Warning: This quick-fix approach is temporary. Changes made this way are lost on your next deployment, because the vendor files are reinstalled unpatched, leaving your website vulnerable again.

Recommended: Composer Method

For a permanent solution that survives deployments, we strongly recommend using the Composer method detailed in this blog post. This approach ensures that:

  1. Patches are applied consistently across all environments.
  2. Security fixes remain in place even after deployments or updates.
  3. You have better control and visibility of applied patches.

Version-Specific Considerations

🔍 Important: The patches and instructions in this blog post are specifically for Magento 2.4.7. If you’re running a different version of Magento, you’ll need to:

  1. Obtain the correct patch files for your specific Magento version.
  2. Adjust the file paths and patch contents accordingly.
  3. Follow the same general process outlined in this article, but with your version-specific patches.

Use this blog post as a guide to understand the patching process, but ensure you’re working with patches that match your Magento version.

Remember, maintaining the security of your e-commerce platform is an ongoing process. Always stay informed about the latest security updates and best practices for your specific Magento version.

You can download the patch that corresponds to your Magento version directly from Adobe’s website on this page: https://experienceleague.adobe.com/en/docs/commerce-knowledge-base/kb/troubleshooting/known-issues-patches-attached/security-update-available-for-adobe-commerce-apsb24-40-revised-to-include-isolated-patch-for-cve-2024-34102

Here are the supported versions: 2.4.7, 2.4.7-p1, 2.4.6, 2.4.6-p1, 2.4.6-p2, 2.4.6-p3, 2.4.6-p4, 2.4.6-p5, 2.4.6-p6, 2.4.5, 2.4.5-p1, 2.4.5-p2, 2.4.5-p3, 2.4.5-p4, 2.4.5-p5, 2.4.5-p6, 2.4.5-p7, 2.4.5-p8, 2.4.4, 2.4.4-p1, 2.4.4-p2, 2.4.4-p3, 2.4.4-p4, 2.4.4-p5, 2.4.4-p6, 2.4.4-p7, 2.4.4-p8, 2.4.4-p9.

Previous Magento versions are no longer maintained, and I highly advise you to upgrade your Magento store to stay safe.

Before we apply the security patches, we need to ensure that our Magento installation is properly set up to handle composer patches. Follow these steps:

1. Add the Composer Patches Plugin

First, we need to add the cweagans/composer-patches plugin to our project. This plugin allows Composer to apply patches during the update or install process. Run the following command in your Magento root directory:

composer require cweagans/composer-patches

2. Create a Patches Directory

Next, we need to create a directory to store our patch files. In your Magento root directory, create a new folder called patches:

mkdir patches

3. Place Patch Files

Now, place all the patch files described in steps 4 to 8 below directly into the patches directory. Your directory structure should look like this:

magento-root/
├── patches/
│   ├── VULN-27015-2.4.7x_v2-theme-adminhtml-backend.composer.patch
│   ├── VULN-27015-2.4.7x_v2-theme-frontend-blank.composer.patch
│   ├── VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch
│   ├── VULN-27015-2.4.7x_v2-framework.composer.patch
│   └── VULN-27015-2.4.7x_v2-module-jwt-user-token.composer.patch
├── composer.json
└── ... (other Magento files and directories)

4. Magento Admin Theme Patch

Create a file named VULN-27015-2.4.7x_v2-theme-adminhtml-backend.composer.patch with the following content:

diff --git a/i18n/en_US.csv b/i18n/en_US.csv
index 2708988e731..885d0056d4b 100644
--- a/i18n/en_US.csv
+++ b/i18n/en_US.csv
@@ -547,3 +547,4 @@ Dashboard,Dashboard
 "Web Section","Web Section"
 "Store Email Addresses Section","Store Email Addresses Section"
 "Email to a Friend","Email to a Friend"
+"Invalid data type","Invalid data type"
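
Review bot: the three context lines (`"Web Section"`, `"Store Email Addresses Section"`, `"Email to a Friend"`) must be found in the installed vendor/magento/theme-adminhtml-backend/i18n/en_US.csv, or the hunk is rejected, and with "composer-exit-on-patch-failure": true a rejected hunk aborts the whole Composer run; that is why this file is tied to 2.4.7 and must be regenerated for other versions. Note also that this hunk only adds the translation string for the error message raised by the framework patch; on its own it changes no behaviour, so its absence would leave the message untranslated, not the vulnerability unfixed.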

5. Magento Blank Theme Patch

Create a file named VULN-27015-2.4.7x_v2-theme-frontend-blank.composer.patch with the following content:

diff --git a/i18n/en_US.csv b/i18n/en_US.csv
index 025866f654d..cc02ab5ac90 100644
--- a/i18n/en_US.csv
+++ b/i18n/en_US.csv
@@ -439,3 +439,4 @@ Summary,Summary
 Test,Test
 test,test
 Two,Two
+"Invalid data type","Invalid data type"

6. Magento Luma Theme Patch

Create a file named VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch with the following content:

diff --git a/i18n/en_US.csv b/i18n/en_US.csv
index e80cb58e679..3d0e8ab2650 100644
--- a/i18n/en_US.csv
+++ b/i18n/en_US.csv
@@ -489,3 +489,4 @@ Remove,Remove
 Test,Test
 test,test
 Two,Two
+"Invalid data type","Invalid data type"

7. Magento Framework Patch

Create a file named VULN-27015-2.4.7x_v2-framework.composer.patch with the following content:

diff --git a/Webapi/ServiceInputProcessor.php b/Webapi/ServiceInputProcessor.php
index cd7960409e1..df31058ff32 100644
--- a/Webapi/ServiceInputProcessor.php
+++ b/Webapi/ServiceInputProcessor.php
@@ -278,6 +278,12 @@ class ServiceInputProcessor implements ServicePayloadConverterInterface, ResetAf
         // convert to string directly to avoid situations when $className is object
         // which implements __toString method like \ReflectionObject
         $className = (string) $className;
+        if (is_subclass_of($className, \SimpleXMLElement::class)
+            || is_subclass_of($className, \DOMElement::class)) {
+            throw new SerializationException(
+                new Phrase('Invalid data type')
+            );
+        }
         $class = new ClassReflection($className);
         if (is_subclass_of($className, self::EXTENSION_ATTRIBUTES_TYPE)) {
             $className = substr($className, 0, -strlen('Interface'));
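
Review bot: is_subclass_of() returns false when $className names \SimpleXMLElement or \DOMElement itself rather than a subclass, so the guard as written rejects subclasses of those two classes but not the base classes themselves; if the base classes are meant to be rejected as well, is_a($className, \SimpleXMLElement::class, true) covers both a class and its subclasses. Also confirm that the file already imports SerializationException and Phrase, since the hunk uses both unqualified and adds no `use` statement.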

8. Magento JWT User Token Module Patch

Create a file named VULN-27015-2.4.7x_v2-module-jwt-user-token.composer.patch with the following content:

diff --git a/Model/SecretBasedJwksFactory.php b/Model/SecretBasedJwksFactory.php
--- a/Model/SecretBasedJwksFactory.php	(revision 022e64b08a88658667bc2d6b922eada2b7910965)
+++ b/Model/SecretBasedJwksFactory.php	(revision 8d2b0c1c6b421cdcd7f62a48a5edc9b0211d92a2)
@@ -35,6 +35,7 @@
     public function __construct(DeploymentConfig $deploymentConfig, JwkFactory $jwkFactory)
     {
         $this->keys = preg_split('/\s+/s', trim((string)$deploymentConfig->get('crypt/key')));
+        $this->keys = [end($this->keys)];
         //Making sure keys are large enough.
         foreach ($this->keys as &$key) {
             $key = str_pad($key, 2048, '&', STR_PAD_BOTH);
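
Review bot: the added line `$this->keys = [end($this->keys)];` silently discards every key except the last entry of crypt/key, so after this hunk only the most recent key is used to build the JWKS and tokens tied to older keys stop validating; that is the behaviour the key-rotation step later in this post relies on, but the hunk carries no comment saying so, and the existing comment `//Making sure keys are large enough.` still reads as if several keys are padded. Add a one-line comment above the assignment stating that keeping only the newest key is intentional.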

Applying the Patches

To apply these patches using Composer, add the following keys to the "extra" section of your composer.json (a Magento root composer.json already contains an "extra" block, so merge into it rather than adding a second one):

    "extra": {
        "magento-force": "override",
        "composer-exit-on-patch-failure": true,
        "patches": {
            "magento/theme-adminhtml-backend": {
                "VULN-27015: Add 'Invalid data type' translation to backend theme": "patches/VULN-27015-2.4.7x_v2-theme-adminhtml-backend.composer.patch"
            },
            "magento/theme-frontend-blank": {
                "VULN-27015: Add 'Invalid data type' translation to blank theme": "patches/VULN-27015-2.4.7x_v2-theme-frontend-blank.composer.patch"
            },
            "magento/theme-frontend-luma": {
                "VULN-27015: Add 'Invalid data type' translation to Luma theme": "patches/VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch"
            },
            "magento/framework": {
                "VULN-27015: Update ServiceInputProcessor for improved type checking": "patches/VULN-27015-2.4.7x_v2-framework.composer.patch"
            },
            "magento/module-jwt-user-token": {
                "VULN-27015: Enhance SecretBasedJwksFactory for better key handling": "patches/VULN-27015-2.4.7x_v2-module-jwt-user-token.composer.patch"
            }
        }
    }

After updating your composer.json, run the following command to apply the patches:

composer update

This will apply all the security patches to their respective components in your Magento 2.4.7 installation.
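
As an added check that is not part of the original post or of Magento’s tooling, the following POSIX shell script verifies that every patch path referenced in composer.json exists on disk (a mismatched filename aborts the whole Composer run when composer-exit-on-patch-failure is true) and that the is_subclass_of guard from the framework patch is actually present in the installed vendor file after composer update. It assumes the standard Composer layout (magento/framework installed under vendor/magento/framework) and builds a small constructed directory tree, with a deliberate filename mismatch and an unpatched vendor file, to show what the two checks catch.

```shell
#!/bin/sh
# Added pre-flight/post-patch check; not part of the original post or of Magento.
# Assumes a standard Composer layout: magento/framework lives in
# vendor/magento/framework and patch files sit in patches/ as described above.

# check_patch_paths ROOT: return 0 only if every "patches/*.patch" value
# referenced in ROOT/composer.json exists on disk.
check_patch_paths() {
    root="$1"; missing=0
    for p in $(grep -o '"patches/[^"]*\.patch"' "$root/composer.json" | tr -d '"'); do
        if [ ! -f "$root/$p" ]; then
            echo "missing patch file: $p" >&2
            missing=1
        fi
    done
    return $missing
}

# check_framework_patched ROOT: return 0 only if the is_subclass_of guard added by
# the framework patch is present in the installed ServiceInputProcessor.php.
check_framework_patched() {
    f="$1/vendor/magento/framework/Webapi/ServiceInputProcessor.php"
    [ -f "$f" ] || { echo "not found: $f" >&2; return 1; }
    grep -qF 'is_subclass_of($className, \SimpleXMLElement::class)' "$f" &&
        grep -qF 'is_subclass_of($className, \DOMElement::class)' "$f"
}

# make_sample_tree DIR: constructed stand-in for a Magento root, for demonstration.
# composer.json deliberately references "luma-.composer.patch" (extra hyphen) while
# the file on disk is "luma.composer.patch", and the vendor file is still unpatched.
make_sample_tree() {
    d="$1"
    mkdir -p "$d/patches" "$d/vendor/magento/framework/Webapi"
    cat > "$d/composer.json" <<'EOF'
{"extra": {"patches": {
  "magento/theme-frontend-luma": {"VULN-27015": "patches/VULN-27015-2.4.7x_v2-theme-frontend-luma-.composer.patch"},
  "magento/framework": {"VULN-27015": "patches/VULN-27015-2.4.7x_v2-framework.composer.patch"}
}}}
EOF
    : > "$d/patches/VULN-27015-2.4.7x_v2-theme-frontend-luma.composer.patch"
    : > "$d/patches/VULN-27015-2.4.7x_v2-framework.composer.patch"
    echo '$className = (string) $className;' > "$d/vendor/magento/framework/Webapi/ServiceInputProcessor.php"
}

tmp=$(mktemp -d)
make_sample_tree "$tmp"
check_patch_paths "$tmp" && echo "patch paths OK" || echo "fix composer.json before running composer update"
check_framework_patched "$tmp" && echo "framework guard present" || echo "framework guard missing: patch not applied"
rm -rf "$tmp"
```

Run it against your real Magento root by calling the two check functions with that directory instead of the constructed tree.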

Rotating your encryption keys

Now that you have applied the patch, you absolutely need to generate a new encryption key; otherwise your website will still be vulnerable.

Here is how to do it:

In the Magento admin, head over to System => Other Settings => Manage Encryption Keys.

Choose your preferred method for key generation:

  1. Automatic Key Creation:
    • Set the Auto-generate Key option to Yes if you want a new key to be generated for you.
  2. Manual Key Input:
    • If you have a specific key you’d like to use, set Auto-generate Key to No.
    • Then, enter or paste your desired key into the New Key field.

Select the approach that best suits your needs for key management.

This will edit your app/etc/env.php file, so make sure it is writable! Keep the newly generated encryption key safe: you might need it later, and you can always find it in your env.php file.

One last step!

Head over to Luke Rodgers’ extension https://github.com/genecommerce/module-encryption-key-manager in order to completely secure your website.

Many thanks to Peter Jaap Blaakmeer.

See you soon Magestronautes !
