-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.3410
           APSB21-86 Security update available for Adobe Commerce
                              14 October 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Commerce
                   Magento Open Source
Publisher:         Adobe
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2021-39864

Original Bulletin:
   https://helpx.adobe.com/security/products/magento/apsb21-86.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Security updates available for Adobe Commerce | APSB21-86

Bulletin ID       Date Published          Priority
APSB21-86         October 12, 2021        2

Summary

Adobe has released security updates for Adobe Commerce and Magento Open
Source. These updates resolve a vulnerability rated important. Successful
exploitation could lead to security feature bypass.

Affected Versions

+-------------------------+-----------------------------+--------+
|         Product         |           Version           |Platform|
+-------------------------+-----------------------------+--------+
|                         |2.4.2-p2 and earlier versions|All     |
|                         +-----------------------------+--------+
|Adobe Commerce           |2.4.3 and earlier versions   |All     |
|                         +-----------------------------+--------+
|                         |2.3.7-p1 and earlier versions|All     |
+-------------------------+-----------------------------+--------+
|                         |2.4.2-p2 and earlier versions|All     |
|                         +-----------------------------+--------+
|Magento Open Source      |2.4.3 and earlier versions   |All     |
|                         +-----------------------------+--------+
|                         |2.3.7-p1 and earlier versions|All     |
+-------------------------+-----------------------------+--------+

Solution

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version.

+------------------+---------------+--------+---------------+------------------+
|     Product      |Updated Version|Platform|Priority Rating|  Release Notes   |
+------------------+---------------+--------+---------------+------------------+
|                  |2.4.3-p1       |All     |2              |                  |
|Adobe Commerce    +---------------+--------+---------------+2.4.x release     |
|                  |2.3.7-p2       |All     |2              |notes             |
+------------------+---------------+--------+---------------+                  |
|Magento Open      |2.4.3-p1       |All     |2              |2.3.x release     |
|Source            +---------------+--------+---------------+notes             |
|                  |2.3.7-p2       |All     |2              |                  |
+------------------+---------------+--------+---------------+------------------+

Vulnerability details

Vulnerability Category:     Cross-Site Request Forgery (CSRF) (CWE-352)
Vulnerability Impact:       Security feature bypass
Severity:                   Important
Pre-authentication?:        yes
Admin privileges required?: no
CVSS base score:            6.5
CVSS vector:                CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Magento Bug ID:             PRODSECBUG-3029
CVE numbers:                CVE-2021-39864

Note:

Pre-authentication: The vulnerability is exploitable without credentials.

Admin privileges required: The vulnerability is only exploitable by an
attacker with administrative privileges.

For more information, visit https://helpx.adobe.com/security.html, or email
PSIRT@adobe.com.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYWfTKeNLKJtyKPYoAQh2KQ//cTJ0mnh235W5mkdXuS/y2GAMry7Fnqbu
RfJIrfdfg3JyMk8/MHpq/4uwUzyURdjhCQOG3MNgT+kqb/ioB4vOrdYnEoRTPBv2
koDpJipTNoXbZHbQ2ydYH1V2KVhM/NU685n/3/vQegZp0zVrljEhk0brxGJFhYzW
1C+fTyZmp8+VN2TUS82PSOONWKscNjkBOKwQFxrLX4m4cEDQ95XrhxQJGPNQ8vXI
oRolHBOeQZXXFw1c0QFyWKzC7wQ5fEN6kC6kZ7yFs0vqFh9m1bndrQNxq+XHM/4N
NmJpTWZMHFSzNivm59PAT/srPaDqJsx6bBepoRAgFM5Db9XRr41N4IoxZdnLQGv3
TUJT5SGOWLf3Q4LT/7yJYibKo6+bMGVh/PXBMHzDhFCA8EAxoWagpxBF10MZ0Gae
hwxuUcgRW1t8Q87zw0JShwrZ5XXxj+rzPAk071OvKmVvs4sxNBraL09WvpEQO6lB
0ninxbIx47Qp0Fpovfpiww4eaS540yk2c6au2KBFzmorS/JZM7FTlVmKYRKYwx7k
X7wluy4HoweazqKVfOJQRh9VW/1EeX+j4kn0xh+CGAaZCkENc5pVOXa2w1x75Mjt
N6syyq3yjWrn983vW4FBrc/btwgIQnVR30gf8w0ylrxYKV3AXX/80Ftin4kFpQyS
4RcNArpDsT4=
=k3HX
-----END PGP SIGNATURE-----