This time, software vulnerabilities affect Magento, one of the CMS platforms of choice. Magento is a popular CMS platform owned by Adobe that is similar to WooCommerce and the CMS market leader WordPress. Like other CMS platforms, Magento allows the creation of digital content, but it differs in that it is referred to as an open-source e-commerce platform (and includes the Magento Marketplace). The vulnerability affects OpenMage LTS, the open community project ‘fork’ that will continue to provide long-term support as well as PCI compliance for Magento 1.
The Magento LTS Vulnerability
On August 26th, 2021, two updates related to OpenMage Magento were released on GitHub. The two updates concern certain sub-versions of the V19 and V20 OpenMage Magento LTS releases. These vulnerabilities can allow an unauthorized remote attacker to view files as well as perform network scanning. In the worst case, a remote attacker can exploit these vulnerabilities and compromise a system that hasn’t been patched with the latest security fixes. One of these vulnerabilities is classified as high-severity and high-risk. Security researcher and developer Daniel Fahlke is credited with releasing this information and the security update to the GitHub project. GitHub is a platform where developers can contribute fixes to open-source projects, which is what happened in this case.
Technical Details
The CVE (Common Vulnerabilities and Exposures) ID for the riskier vulnerability is CVE-2021-32758. Magento LTS (from OpenMage) is affected by this issue. Technically speaking, it is an XML External Entity (XXE) injection vulnerability. The security researcher confirmed that the vulnerability exists due to insufficient validation of user-supplied XML input. Because of this, a remote attacker can pass specially crafted XML to the affected application. Successful exploitation may allow the attacker to view the contents of an arbitrary file on the server, initiate requests to external systems, perform network scanning of internal and external infrastructure, or execute arbitrary code.
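The general defence against this class of bug in PHP, shown as an added example that is not from the original article and is not the OpenMage patch: parse untrusted XML without entity substitution and refuse any document that carries a DOCTYPE. The function name `parseUntrustedXml` and the sample documents are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not OpenMage code): parse untrusted XML, refusing DTDs.
function parseUntrustedXml(string $xml): SimpleXMLElement
{
    if ($xml === '') {
        throw new InvalidArgumentException('Empty XML input');
    }
    $previous = libxml_use_internal_errors(true); // collect errors, no warnings
    try {
        $dom = new DOMDocument();
        // LIBXML_NONET forbids network access during parsing. LIBXML_NOENT and
        // LIBXML_DTDLOAD are deliberately not passed: they turn on entity
        // substitution and external DTD loading.
        if (!$dom->loadXML($xml, LIBXML_NONET)) {
            throw new InvalidArgumentException('Malformed XML');
        }
        // Custom entities can only be declared in a DOCTYPE, so a document
        // that carries one is refused instead of trusting parser defaults.
        foreach ($dom->childNodes as $node) {
            if ($node->nodeType === XML_DOCUMENT_TYPE_NODE) {
                throw new InvalidArgumentException('DOCTYPE is not allowed');
            }
        }
        $root = simplexml_import_dom($dom);
        if (!$root instanceof SimpleXMLElement) {
            throw new InvalidArgumentException('No root element');
        }
        return $root;
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previous);
    }
}

// Constructed sample inputs: a plain document and one that declares an entity.
$samples = [
    'plain'   => '<order><sku>ABC-1</sku></order>',
    'doctype' => '<!DOCTYPE order [<!ENTITY e "x">]><order><sku>&e;</sku></order>',
];
foreach ($samples as $label => $xml) {
    try {
        $root = parseUntrustedXml($xml);
        echo $label, ': accepted, root element <', $root->getName(), ">\n";
    } catch (InvalidArgumentException $e) {
        echo $label, ': rejected (', $e->getMessage(), ")\n";
    }
}
```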
Important User Information
It is important for customers/users to know that the following versions of Magento-lts are affected by the above vulnerabilities:
19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 19.4.13, 19.4.14, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 20.0.9, 20.0.10, 20.0.11, 20.0.12
Customers/users of OpenMage Magento-lts should upgrade via GitHub to the latest version with the new security updates, which is v20.0.13. Customers/users need to do a ‘pull request’ in order to update their software. Finally, customers/users wishing to find out more about various Magento migration options can find additional information here.