Adobe has released an out-of-band security update for Adobe Commerce and Magento Open Source to address active exploitation of a known vulnerability, and Google has an emergency issue, too.
Security Bulletin APSB22-12 fixes CVE-2022-24086, rated 9.8 (critical) out of 10 on the CVSS scale. Adobe has not released details about the issue beyond noting that it involves improper input validation (CWE-20). The software maker says exploitation does not require any special privileges and allows arbitrary code execution.
“Adobe is aware that CVE-2022-24086 has been exploited in the wild in very limited attacks targeting Adobe Commerce merchants,” the Silicon Valley stalwart said.
Magento is an open source ecommerce system written in PHP and is used to support online shopping on hundreds of thousands of websites. It was acquired by Adobe in May 2018 and has become the basis for Adobe Commerce.
Versions up to 2.3.7-p2 and up to 2.4.3-p1 for both Magento and Adobe Commerce are affected. Those using a vulnerable version of the software are advised to apply the appropriate patch immediately.
“This vulnerability has a similar severity as the Magento Shoplift vulnerability from 2015,” said security firm Sansec in a blog post on Monday. “At that time, nearly all unpatched Magento stores globally were compromised in the days after the exploit publication.”
Sansec predicted mass scanning and exploitation would occur within 72 hours.
Google’s in there too
Separately, Google released a Chrome browser update on Valentine’s Day that addresses 11 flaws, including a zero-day vulnerability that is being abused in the wild.
“Google is aware of reports that an exploit for CVE-2022-0609 exists in the wild,” it warned. In other words, all hands to the patches.
CVE-2022-0609 was reported by Adam Weidemann and Clément Lecigne of Google’s Threat Analysis Group on February 10, 2022. It’s a use-after-free vulnerability in Chrome’s Animation code. When memory is accessed after it has been freed, via a dangling pointer that still refers to the released allocation, the result can be a crash and, in the worst case, exploitation.
The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday added both the Adobe and the Chrome zero-days, along with seven other CVEs dating back to 2013, to its Known Exploited Vulnerabilities Catalog.
“These types of vulnerabilities are a frequent attack vector for malicious cyber actors of all types and pose significant risk to the federal enterprise,” the CISA notification said.
The notification directs federal civilian executive branch (FCEB) agencies to fix the Adobe and Google bugs by March 1, 2022. ®