
Magento 2.4.5: CVE-2022-24086 and CVE-2022-24087 included?

Open kassner opened this issue 3 years ago • 7 comments

Preconditions and environment

  • Magento 2.4.4
  • Patch for CVE-2022-24086
  • Patch for CVE-2022-24087

Steps to reproduce

  • Upgrade to Magento 2.4.5;
  • Apply the CVE-2022-24086 and CVE-2022-24087 patches;

The patches conflict with newer changes in the Magento codebase.

Expected result

Either:

  1. Patches are applied successfully;

or

  1. Patches are not needed, and the release notes have that information;

Actual result

Unclear if patches are needed on 2.4.5, and if they are, the patches should be compatible with the release.

Additional information

No response

Release note

No response

Triage and priority

  • [ ] Severity: S0 - Affects critical data or functionality and leaves users without workaround.
  • [X] Severity: S1 - Affects critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S2 - Affects non-critical data or functionality and forces users to employ a workaround.
  • [ ] Severity: S3 - Affects non-critical data or functionality and does not force users to employ a workaround.
  • [ ] Severity: S4 - Affects aesthetics, professional look and feel, “quality” or “usability”.

kassner avatar Sep 02 '22 13:09 kassner

Hi @kassner. Thank you for your report. To speed up processing of this issue, make sure that you provided the following information:

  • Summary of the issue
  • Information on your environment
  • Steps to reproduce
  • Expected and actual results

Make sure that the issue is reproducible on a vanilla Magento instance following Steps to reproduce. To deploy a vanilla Magento instance on our environment, add a comment to the issue:

@magento give me 2.4-develop instance - upcoming 2.4.x release

For more details, review the Magento Contributor Assistant documentation.

Add a comment to assign the issue: @magento I am working on this

To learn more about issue processing workflow, refer to the Code Contributions.


:warning: According to the Magento Contribution requirements, all issues must go through the Community Contributions Triage process. Community Contributions Triage is a public meeting.

:clock10: You can find the schedule on the Magento Community Calendar page.

:telephone_receiver: The triage of issues happens in the queue order. If you want to speed up the delivery of your contribution, join the Community Contributions Triage session to discuss the appropriate ticket.

:pencil2: Feel free to post questions/proposals/feedback related to the Community Contributions Triage process to the corresponding Slack Channel

m2-assistant[bot] avatar Sep 02 '22 13:09 m2-assistant[bot]

Hi @engcom-November. Thank you for working on this issue. In order to make sure that the issue has enough information and is ready for development, please read and check the following instructions: :point_down:

  • [ ] 1. Verify that issue has all the required information. (Preconditions, Steps to reproduce, Expected result, Actual result).

    Details: If the issue has a valid description, the label Issue: Format is valid will be added to the issue automatically. Please, edit issue description if needed, until label Issue: Format is valid appears.

  • [ ] 2. Verify that issue has a meaningful description and provides enough information to reproduce the issue. If the report is valid, add Issue: Clear Description label to the issue by yourself.

  • [ ] 3. Add Component: XXXXX label(s) to the ticket, indicating the components it may be related to.

  • [ ] 4. Verify that the issue is reproducible on 2.4-develop branch

    Details:
    - Add the comment @magento give me 2.4-develop instance to deploy test instance on Magento infrastructure.
    - If the issue is reproducible on 2.4-develop branch, please, add the label Reproduced on 2.4.x.
    - If the issue is not reproducible, add your comment that issue is not reproducible and close the issue and stop verification process here!

  • [ ] 5. Add label Issue: Confirmed once verification is complete.

  • [ ] 6. Make sure that automatic system confirms that report has been added to the backlog.

m2-assistant[bot] avatar Sep 05 '22 11:09 m2-assistant[bot]

Hi @kassner, thank you for reporting and collaboration. CVE-2022-24086 and CVE-2022-24087 are not included in Magento 2.4.5. The Magento 2.4.5 release notes do not contain any information about the mentioned patches as they are not included. Please refer to the security updates where the affected products and versions are mentioned here and find the solution here. Thank you.

engcom-November avatar Sep 05 '22 12:09 engcom-November

@sidolov @sdzhepa this looks like a p0 issue

ihor-sviziev avatar Sep 05 '22 15:09 ihor-sviziev

Hello @kassner and @ihor-sviziev

I have discussed this issue with our Security Team.

Short answer:

  1. Mentioned patches are not applicable for 2.4.5 (applicable only to <= 2.4.3-p1 and <= 2.3.7-p2).
  2. Users do not need to apply these patches to fix security issues, because these vulnerabilities were already fixed and included in 2.4.5.

Detailed answer (quotes)

2.4.4, 2.4.3-p2, and 2.3.7-p3 were the first releases after that hotfix was released, not 2.4.5. Those release notes do mention that it was addressed in those releases https://devdocs.magento.com/guides/v2.4/release-notes/open-source-2-4-4.html#hotfixes-included-in-this-release:

• The vulnerability addressed by MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch and MDVA-43443_EE_2.4.3-p1_COMPOSER_v1.patch has been resolved in this release.

We don’t include information about all hotfixes from previous releases, only the ones that affect the immediate release. So maybe the confusion was that 2.4.5 isn’t the first release since those listed hotfixes.

To summarize, the issue was addressed in 2.4.4, 2.4.3-p2, and 2.3.7-p3 and was available as hotfix patches before that. Important to note that the patches are not the same fix as what we released in the full releases. We opted for a more comprehensive solution than what the hotfix provided.

I hope this information will clarify the situation and we can close this issue, but I would like to receive your confirmation first.

cc: @engcom-Hotel @engcom-November

sdzhepa avatar Sep 09 '22 20:09 sdzhepa

@sdzhepa still curious to know how it is fixed in 2.4.4 then. Since the patch can still be applied on 2.4.4, even though it is not meant for that version. That would mean the code hasn't changed, otherwise the patch application would fail. So how is it fixed?

peterjaap avatar Sep 21 '22 09:09 peterjaap

@nathanjosiah: can Adobe publish some kind of post-mortem about this? Too many people are confused about this.

hostep avatar Sep 21 '22 10:09 hostep

We cannot discuss the details of vulnerability fixes. The patch may be able to be applied to a version it is not meant for, but that doesn't mean it isn't fixed.

As an abstract example:

function process() {
  //some broken method
  $foo = $thing->getResult();

  //hack fix
  return preg_replace(...,...,$foo);
}

In this example, the temporary fix was the "hack fix", but the bug was in getResult, which means a proper fix wouldn't include the hack fix and wouldn't affect that line.

If you think that you have found a vulnerability in one of our current versions, please report it through HackerOne.

nathanjosiah avatar Sep 29 '22 14:09 nathanjosiah

@nathanjosiah ok thanks for clearing that up. Just wanted to be sure the vuln was fixed in 2.4.4.

peterjaap avatar Sep 29 '22 14:09 peterjaap

@nathanjosiah in that example, after the fix is applied to getResult and the hack is not removed, the actual result might be unwanted, like some sort of double escape/quote, etc. Reminds me of PRODSECBUG-2198.

I think you should have "touched" the lines that were fixed by previous patches, so that they wouldn't apply anymore. That way everybody would notice and remove useless (even dangerous) patches.

pemann avatar Sep 29 '22 15:09 pemann
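As an added illustration of nathanjosiah's abstract example and of the double-escaping concern pemann raises (constructed example code, not Magento's or Adobe's; getResultOriginal, getResultFixed, process and isDoubleEscaped are hypothetical names, and the escaping scenario is a stand-in, not the actual CVE fix):

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's getResult(): a value later written
// into HTML. This is the original "broken method" (no escaping at all).
function getResultOriginal(string $raw): string
{
    return $raw;
}

// The root-cause fix: escaping now lives inside getResult() itself.
function getResultFixed(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// The hotfix-style wrapper from the abstract example: it never touches
// getResult(), it post-processes whatever comes back (the "hack fix" line).
// $hotfix=false models the proper release, where that line is simply gone.
function process(callable $getResult, string $raw, bool $hotfix): string
{
    $foo = $getResult($raw);
    if (!$hotfix) {
        return $foo;
    }
    // '&' must be replaced first, otherwise the entities below get re-encoded.
    return preg_replace(['/&/', '/</', '/>/', '/"/'],
                        ['&amp;', '&lt;', '&gt;', '&quot;'], $foo);
}

// Regression check: an entity that has itself been entity-encoded
// ("&amp;lt;", "&amp;quot;", ...) means two escaping layers are stacked,
// i.e. a stale hotfix is still applied on top of the real fix.
function isDoubleEscaped(string $html): bool
{
    return preg_match('/&amp;(?:amp|lt|gt|quot|#\d+);/', $html) === 1;
}

$raw = '<b>a & "b"</b>'; // constructed input
$cases = [
    'original, no hotfix'  => process('getResultOriginal', $raw, false), // RAW
    'original + hotfix'    => process('getResultOriginal', $raw, true),  // ok
    'fixed, hotfix gone'   => process('getResultFixed', $raw, false),    // ok
    'fixed + stale hotfix' => process('getResultFixed', $raw, true),     // DOUBLE
];
foreach ($cases as $label => $out) {
    $state = isDoubleEscaped($out) ? 'DOUBLE'
           : (strpbrk($out, '<>"') !== false ? 'RAW' : 'ok');
    printf("%-22s %-6s %s\n", $label, $state, $out);
}
```

A check like isDoubleEscaped in a rendering test is one way to notice that a hotfix kept after upgrading now mangles output, which is the situation the comment above describes.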

Hi @pemann, as mentioned by @sdzhepa, the mentioned patches are applicable only for Magento instances <= 2.4.3-p1 and <= 2.3.7-p2. The issue was addressed in 2.4.4, 2.4.3-p2, and 2.3.7-p3 and was available as hotfix patches before that. Kindly confirm if you have found a vulnerability in the latest Magento instance with steps to confirm, or we can close the issue. Thank you.

engcom-November avatar Oct 07 '22 12:10 engcom-November

@engcom-November Please do not direct the community to post vulnerability steps in public github. @pemann if you have a vulnerability please submit it through our HackerOne program or message me directly in the community slack.

nathanjosiah avatar Oct 10 '22 14:10 nathanjosiah

Thank you for the update @nathanjosiah. We are closing this issue as the mentioned patches are not applicable for Magento 2.4.5. Thank you.

engcom-November avatar Oct 13 '22 15:10 engcom-November