-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3410
          APSB21-86 Security update available for Adobe Commerce
                              14 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Commerce
                   Magento Open Source
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39864  

Original Bulletin: 
   https://helpx.adobe.com/security/products/magento/apsb21-86.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Adobe Commerce | APSB21-86

Bulletin ID                  Date Published                 Priority

APSB21-86                October 12, 2021                    2


Summary

Adobe has released security updates for Adobe Commerce and Magento Open Source.
These updates resolve a vulnerability rated important. Successful exploitation
could lead to security feature bypass.

Affected Versions

+-------------------------+-----------------------------+--------+
|         Product         |           Version           |Platform|
+-------------------------+-----------------------------+--------+
|                         |2.4.2-p2 and earlier versions|All     |
|                         +-----------------------------+--------+
|Adobe Commerce           |2.4.3 and earlier versions   |All     |
|                         +-----------------------------+--------+
|                         |2.3.7-p1 and earlier versions|All     |
+-------------------------+-----------------------------+--------+
|                         |2.4.2-p2 and earlier versions|All     |
|                         +-----------------------------+--------+
|Magento Open Source      |2.4.3 and earlier versions   |All     |
|                         +-----------------------------+--------+
|                         |2.3.7-p1 and earlier versions|All     |
+-------------------------+-----------------------------+--------+


Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.

+------------------+---------------+--------+---------------+------------------+
|     Product      |Updated Version|Platform|Priority Rating|  Release Notes   |
+------------------+---------------+--------+---------------+------------------+
|                  |2.4.3-p1       |All     |2              |                  |
|Adobe Commerce    +---------------+--------+---------------+2.4.x release     |
|                  |2.3.7-p2       |All     |2              |notes             |
+------------------+---------------+--------+---------------+                  |
|Magento Open      |2.4.3-p1       |All     |2              |2.3.x release     |
|Source            +---------------+--------+---------------+notes             |
|                  |2.3.7-p2       |All     |2              |                  |
+------------------+---------------+--------+---------------+------------------+
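
The two tables above reduce to one rule per release line: on the 2.4 line anything
below 2.4.3-p1 still needs this update, and on the 2.3 line anything below 2.3.7-p2
does. The script below is an added example (it is not part of the Adobe bulletin
and is not Magento tooling) that applies that rule to an inventory of installations.
It assumes Magento's own version ordering, in which a "-pN" suffix is a patch
release that sorts AFTER its base version (2.4.3 < 2.4.3-p1); a semver comparison
would treat the hyphenated suffix as a pre-release and sort the fixed 2.4.3-p1
before 2.4.3, marking a patched host as vulnerable. The "Magento CLI x.y.z" form
it accepts is the assumed output of `bin/magento --version`; the hostnames and
versions in the sample inventory are constructed.

```python
"""Triage Magento / Adobe Commerce versions against APSB21-86 (added example)."""
import re
from typing import Dict, List, Tuple

# Fixed releases from the bulletin's Solution table. The same two releases
# apply to Adobe Commerce and Magento Open Source.
FIXED_2_4 = "2.4.3-p1"
FIXED_2_3 = "2.3.7-p2"

# Matches '2.4.3', '2.4.2-p2', or the same embedded in (assumed)
# `bin/magento --version` output such as 'Magento CLI 2.4.2-p2'.
_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?\b")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, p) for a Magento-style version string.

    Magento's '-pN' suffix is a security patch release on top of the base
    version, so 2.4.3 < 2.4.3-p1. A semver parser would read '-p1' as a
    pre-release tag and sort it *before* 2.4.3, which is why this does its
    own parsing. An unsuffixed base release is patch level 0.
    """
    m = _VERSION_RE.search(text)
    if not m:
        # Refuse rather than silently treating an unparseable host as safe.
        raise ValueError(f"no Magento version found in {text!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))


def fixed_release_for(version: str) -> str:
    """The APSB21-86 release an installation should be on, by release line."""
    v = parse_version(version)
    return FIXED_2_4 if v >= (2, 4, 0, 0) else FIXED_2_3


def is_affected(version: str) -> bool:
    """True if the installation predates the fixed release for its line."""
    return parse_version(version) < parse_version(fixed_release_for(version))


def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (host, current, required) for each host still needing the update."""
    todo = []
    for host, version in inventory.items():
        if is_affected(version):
            todo.append((host, version, fixed_release_for(version)))
    return sorted(todo)


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up.
    sample = {
        "shop-01": "Magento CLI 2.4.2-p2",
        "shop-02": "2.4.3",
        "shop-03": "2.4.3-p1",
        "shop-04": "2.3.7-p1",
        "shop-05": "2.3.7-p2",
    }
    for host, current, required in triage(sample):
        print(f"{host}: {current} -> upgrade to {required}")
```

Running it lists only shop-01, shop-02 and shop-04; the two hosts already on a
fixed release are left out, and a string with no recognisable version raises
instead of being reported as safe.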


Vulnerability details

+------------------+-------------+---------+-------------------+----------+-----+------------+---------------+------------------+
|                  |             |         |                   |  Admin   |CVSS |            |               |                  |
|  Vulnerability   |Vulnerability|Severity |Pre-authentication?|privileges|base |CVSS vector |Magento Bug ID |   CVE numbers    |
|     Category     |   Impact    |         |                   |required? |score|            |               |                  |
|                  |             |         |                   |          |     |            |               |                  |
+------------------+-------------+---------+-------------------+----------+-----+------------+---------------+------------------+
|Cross-Site Request|Security     |Important|yes                |no        |6.5  |CVSS:3.0/   |               |CVE-2021-39864    |
|Forgery (CSRF)    |feature      |         |                   |          |     |AV:N/AC:L/  |               |                  |
|(CWE-352)         |bypass       |         |                   |          |     |PR:N/UI:R/  |PRODSECBUG-3029|                  |
|                  |             |         |                   |          |     |S:U/C:N/I:H/|               |                  |
|                  |             |         |                   |          |     |A:N         |               |                  |
+------------------+-------------+---------+-------------------+----------+-----+------------+---------------+------------------+

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an attacker
with administrative privileges.


For more information, visit https://helpx.adobe.com/security.html , or email
PSIRT@adobe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYWfTKeNLKJtyKPYoAQh2KQ//cTJ0mnh235W5mkdXuS/y2GAMry7Fnqbu
RfJIrfdfg3JyMk8/MHpq/4uwUzyURdjhCQOG3MNgT+kqb/ioB4vOrdYnEoRTPBv2
koDpJipTNoXbZHbQ2ydYH1V2KVhM/NU685n/3/vQegZp0zVrljEhk0brxGJFhYzW
1C+fTyZmp8+VN2TUS82PSOONWKscNjkBOKwQFxrLX4m4cEDQ95XrhxQJGPNQ8vXI
oRolHBOeQZXXFw1c0QFyWKzC7wQ5fEN6kC6kZ7yFs0vqFh9m1bndrQNxq+XHM/4N
NmJpTWZMHFSzNivm59PAT/srPaDqJsx6bBepoRAgFM5Db9XRr41N4IoxZdnLQGv3
TUJT5SGOWLf3Q4LT/7yJYibKo6+bMGVh/PXBMHzDhFCA8EAxoWagpxBF10MZ0Gae
hwxuUcgRW1t8Q87zw0JShwrZ5XXxj+rzPAk071OvKmVvs4sxNBraL09WvpEQO6lB
0ninxbIx47Qp0Fpovfpiww4eaS540yk2c6au2KBFzmorS/JZM7FTlVmKYRKYwx7k
X7wluy4HoweazqKVfOJQRh9VW/1EeX+j4kn0xh+CGAaZCkENc5pVOXa2w1x75Mjt
N6syyq3yjWrn983vW4FBrc/btwgIQnVR30gf8w0ylrxYKV3AXX/80Ftin4kFpQyS
4RcNArpDsT4=
=k3HX
-----END PGP SIGNATURE-----