{"id":15810,"date":"2023-09-28T14:40:02","date_gmt":"2023-09-28T14:40:02","guid":{"rendered":"https:\/\/www.hostduplex.com\/blog\/?p=15810"},"modified":"2023-09-28T14:40:04","modified_gmt":"2023-09-28T14:40:04","slug":"adobe-commerce-2-4-6-p2-security-patch","status":"publish","type":"post","link":"https:\/\/www.hostduplex.com\/blog\/adobe-commerce-2-4-6-p2-security-patch\/","title":{"rendered":"Adobe Commerce 2.4.6-p2 Security Patch: Enhancing E-commerce Security"},"content":{"rendered":"\n<p>On August 8, 2023, <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.adobe.com\/\">Adobe<\/a> released a security update for <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/business.adobe.com\/products\/magento\/magento-commerce.html\">Adobe Commerce<\/a> and <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/business.adobe.com\/products\/magento\/open-source.html\">Magento Open Source<\/a>. Adobe Commerce 2.4.6-p2 security patch is the latest release, providing a safer and more <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.hostduplex.com\/blog\/magento-security-tips-and-practices\/\">secure platform<\/a> for e-commerce businesses. This update addresses critical vulnerabilities. If exploited, these vulnerabilities could lead to arbitrary code execution, privilege escalation, and arbitrary file system read.<\/p>\n\n\n\n<p>This release is a testament to Adobe\u2019s commitment to improving the security of its e-commerce platforms continuously. 
By proactively addressing potential vulnerabilities and shipping timely <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.hostduplex.com\/blog\/magento-2-4-7-beta1-release\/\">security updates<\/a>, Adobe shortens the window in which merchants are exposed to attacks such as <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.hostduplex.com\/blog\/prevent-brute-force-attack-in-magento-2\/\">brute force<\/a> and <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.hostduplex.com\/blog\/how-to-prevent-sql-injection-attacks\/\">SQL injection<\/a>. A patch only closes that window once it is installed, so the rest of this post covers what 2.4.6-p2 fixes and how to apply it.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Key_Features_of_the_Adobe_Commerce_246-p2\"><\/span><strong>Key Features of the Adobe Commerce 2.4.6-p2<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This is a security patch release: it fixes vulnerabilities identified in <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.hostduplex.com\/blog\/magento-2-4-6-upgrade\/\">previous versions<\/a> and bundles a few hotfixes rather than new features, in line with the <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/www.hostduplex.com\/blog\/magento-security-tips-and-practices\/\">latest security best practices<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Security_Enhancements\"><\/span><strong>Security Enhancements<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>This release brings several security improvements:<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Three Main Security Fixes<\/strong><\/h4>\n\n\n\n<p>The release includes three primary security fixes, all tracked in Adobe bulletin APSB23-42:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>XML Injection (CVE-2023-38207):<\/strong> Rated &#8220;Important&#8221; with a CVSS base score of 5.3; successful exploitation leads to arbitrary file system read, i.e. an attacker reading files that the web server process can access.<\/li>\n\n\n\n<li><strong>OS Command Injection 
(CVE-2023-38208):<\/strong> Rated &#8220;Critical&#8221; with a CVSS base score of 9.1; successful exploitation results in arbitrary code execution on the server, which is the main reason to treat this release as urgent.<\/li>\n\n\n\n<li><strong>Improper Access Control (CVE-2023-38209):<\/strong> Rated &#8220;Important&#8221; with a CVSS base score of 6.5; successful exploitation leads to privilege escalation.<\/li>\n<\/ol>\n\n\n\n<h5 class=\"wp-block-heading\"><strong>Affected Versions<\/strong><\/h5>\n\n\n\n<p>The vulnerabilities affect the following versions of Adobe Commerce and Magento Open Source:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Adobe Commerce:<\/strong> 2.4.6-p1 and earlier, 2.4.5-p3 and earlier, 2.4.4-p4 and earlier, and several other versions listed in the bulletin.<\/li>\n\n\n\n<li><strong>Magento Open Source:<\/strong> 2.4.6-p1 and earlier, 2.4.5-p3 and earlier, 2.4.4-p4 and earlier.<\/li>\n<\/ul>\n\n\n\n<p>Adobe recommends updating to the release that matches your branch, so the fix can be taken without a minor-version upgrade:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Adobe Commerce:<\/strong> 2.4.7 beta1, 2.4.6-p2 for 2.4.6-p1 and earlier, 2.4.5-p4 for 2.4.5-p3 and earlier, and 2.4.4-p5 for 2.4.4-p4 and earlier.<\/li>\n\n\n\n<li><strong>Magento Open Source: <\/strong>2.4.7 beta1, 2.4.6-p2 for 2.4.6-p1 and earlier, 2.4.5-p4 for 2.4.5-p3 and earlier, and 2.4.4-p5 for 2.4.4-p4 and earlier.<\/li>\n<\/ul>\n\n\n\n<p>For details of the issues addressed, refer to the <a href=\"https:\/\/helpx.adobe.com\/security\/products\/magento\/apsb23-42.html\" target=\"_blank\" rel=\"noopener\"><strong><u>Adobe Security Bulletin<\/u><\/strong><\/a> (APSB23-42).<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Security_Highlight\"><\/span><strong>Security Highlight<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In the <strong>nginx.sample<\/strong> file, the value of <strong>fastcgi_pass<\/strong> has been reverted to its previous value of <strong>fastcgi_backend<\/strong>. This value was mistakenly changed to <strong>php-fpm:9000<\/strong> in the Adobe Commerce 2.4.6-p1 release. <strong>fastcgi_backend<\/strong> is the name of the upstream block that the surrounding nginx server configuration defines to reach PHP-FPM, whereas <strong>php-fpm:9000<\/strong> is a container-style hostname that does not resolve on a conventional host; if you copied nginx.sample from 2.4.6-p1, check that PHP-FPM traffic is going where you expect.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"jQuery-UI_Library_Vulnerability_CVE-2022-31160\"><\/span><strong>jQuery-UI Library Vulnerability (CVE-2022-31160)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>The jQuery-UI library, a widget and interaction library built on <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/developer.adobe.com\/commerce\/frontend-core\/guide\/css\/jquery\/\">jQuery<\/a> that ships with the Adobe Commerce frontend, carries a known cross-site scripting vulnerability, <a target=\"_blank\" rel=\"noreferrer noopener\" href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2022-31160\">CVE-2022-31160<\/a>, which affects releases before 1.13.2: when a checkboxradio widget is initialized on an input enclosed in a label and later refreshed, HTML entities in that label are decoded, turning previously escaped content into live markup. Adobe Commerce bundles the affected 1.13.1 release. Adobe has confirmed that, at the time of writing, there are no known active exploits of this issue.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Affected Adobe Commerce Versions<\/strong><\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2.4.4<\/li>\n\n\n\n<li>2.4.5<\/li>\n\n\n\n<li>2.4.6<\/li>\n<\/ul>\n\n\n\n<p>These versions of Adobe Commerce have the vulnerable 1.13.1 release as a dependency.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Resolution by Adobe<\/strong><\/h4>\n\n\n\n<p>In June 2023, Adobe addressed this vulnerability:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Released security-only patches: 2.4.6-p1, 2.4.5-p3, and 2.4.4-p4.<\/li>\n\n\n\n<li>Updated the jQuery-UI library dependency to the fixed 1.13.2 version.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\"><strong>Note on Incomplete Updates<\/strong><\/h4>\n\n\n\n<p>While the main jQuery-UI library file was updated in those patches, some of the add-on module and widget files that ship alongside it were not. 
As a result:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Security scanners that fingerprint the individual module files may still report CVE-2022-31160 on 2.4.6-p1, 2.4.5-p3 and 2.4.4-p4 or earlier, even though the main library file is already 1.13.2. A hit on those versions is expected, and is one more reason to move to the 2.4.6-p2 line rather than to suppress the finding.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Performance_Issue_Config_Files_Loading_Multiple_Times_ACSD-51892\"><\/span><strong>Performance Issue: Config Files Loading Multiple Times (ACSD-51892)<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>In Adobe Commerce 2.4.6, a performance issue was identified where <code>app\/etc\/env.php<\/code> and <code>app\/etc\/config.php<\/code> are read multiple times during each request instead of once. The repeated reads add I\/O and CPU overhead to every request and are most visible during deployment or upgrade: filesystem access logs show the same two files being opened over and over, the deploy takes far longer than expected, and the web tier can stop responding, which visitors see as &#8220;Error 503 first byte timeout&#8221;.<\/p>\n\n\n\n<p><strong>Hotfixes<\/strong><\/p>\n\n\n\n<p>The 2.4.6-p2 release includes the fix for this degradation, previously distributed as patch <a href=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-knowledge-base\/kb\/support-tools\/patches\/v1-1-33\/acsd-51892-performance-issue-where-config-files-load-multiple-times.html?lang=en\" data-type=\"link\" data-id=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-knowledge-base\/kb\/support-tools\/patches\/v1-1-33\/acsd-51892-performance-issue-where-config-files-load-multiple-times.html?lang=en\" target=\"_blank\" rel=\"noopener\">ACSD-51892<\/a>. Once applied, the configuration files are loaded once rather than repeatedly, restoring smoother and <a href=\"https:\/\/www.hostduplex.com\/blog\/magento-speed-optimization-tips\/\" target=\"_blank\" rel=\"noreferrer noopener\">faster performance<\/a>. The standalone patch is available through the Quality Patches Tool (QPT) 1.1.33 for merchants who cannot upgrade immediately, and the fix is also slated for the upcoming Adobe Commerce 2.4.7 release.<\/p>\n\n\n\n<p>Merchants who are not yet on 2.4.6-p2 can apply the standalone patch; the procedure depends on the deployment method:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For Adobe Commerce or Magento Open Source on-premises, refer to the <a href=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-knowledge-base\/kb\/support-tools\/patches\/v1-1-33\/acsd-51892-performance-issue-where-config-files-load-multiple-times.html?lang=en\" target=\"_blank\" rel=\"noopener\"><strong><u>Quality Patches Tool &gt; Usage<\/u><\/strong><\/a> in the Quality Patches Tool guide.<\/li>\n\n\n\n<li>For Adobe Commerce on Cloud Infrastructure, refer to <a href=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-knowledge-base\/kb\/support-tools\/patches\/v1-1-33\/acsd-51892-performance-issue-where-config-files-load-multiple-times.html?lang=en\" target=\"_blank\" rel=\"noopener\"><strong><u>Upgrades and Patches &gt; Apply Patches<\/u><\/strong><\/a> in the Commerce on Cloud Infrastructure guide.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Installation_and_Upgrade_Instructions\"><\/span><strong>Installation and Upgrade Instructions<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>Because 2.4.6-p2 is a security release, the usual upgrade discipline applies: take a backup, run the upgrade on a staging copy first, and verify the storefront and admin before promoting it, so the fix lands without destabilizing your Adobe Commerce or Magento Open Source deployment.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"Downloading_and_Applying_Patches\"><\/span><strong>Downloading and Applying Patches<\/strong><span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>For merchants looking to download and apply security patches, including 2.4.6-p2, Adobe provides step-by-step <a href=\"https:\/\/experienceleague.adobe.com\/docs\/commerce-operations\/release\/notes\/security-patches\/2-4-6-p2.html?lang=en#installation-and-upgrade-instructions\" target=\"_blank\" rel=\"noopener\"><strong><u>installation and upgrade instructions in the 2.4.6-p2 release notes<\/u><\/strong><\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"In_Closing\"><\/span>In Closing<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<p>This post summarized the Adobe Commerce 2.4.6-p2 security release: three CVE fixes, the nginx.sample correction, the jQuery-UI update and the ACSD-51892 performance fix. 
Merchants are advised to stay updated with the latest releases and ensure they are implementing the recommended patches and upgrades for a secure and efficient e-commerce experience.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>On August 8, 2023, Adobe released a security update for Adobe Commerce and Magento Open Source. Adobe Commerce 2.4.6-p2 security patch is the latest&#8230;<\/p>\n","protected":false},"author":8,"featured_media":15813,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[137,115],"tags":[262,163,119,261,192],"class_list":["post-15810","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","category-magento","tag-adobe-commerce-2-4-6-p2","tag-cybersecurity","tag-magento","tag-security-patch","tag-updates","article","has-excerpt","has-avatar","has-author","has-date","has-comment-count","has-category-meta","has-read-more","thumbnail-"],"jetpack_sharing_enabled":true,"jetpack_featured_media_url":"https:\/\/www.hostduplex.com\/blog\/wp-content\/uploads\/2023\/09\/Adobe-Commerce-2.4.6-p2.webp","_links":{"self":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts\/15810","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/comments?post=15810"}],"version-history":[{"count":4,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts\/15810\/revisions"}],"predecessor-version":[{"id":15815,"href":"htt
ps:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/posts\/15810\/revisions\/15815"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/media\/15813"}],"wp:attachment":[{"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/media?parent=15810"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/categories?post=15810"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hostduplex.com\/blog\/wp-json\/wp\/v2\/tags?post=15810"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
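A pre-upgrade check for the two version-dependent items in the post above (the APSB23-42 affected/fixed version list and the partially updated jQuery-UI module files), as an added shell example that is not part of the original post or of Adobe's tooling. It assumes the Magento 2.4.x layout in which jQuery UI lives under lib/web/jquery with add-on modules under lib/web/jquery/ui-modules, and that those files start with the standard jQuery UI version banner; the sample document root it builds is constructed for the demonstration. The composer and Quality Patches Tool commands in the closing comment are the documented ones and are not executed by the script.

```shell
#!/bin/sh
# Added example: pre-upgrade checks for the APSB23-42 / 2.4.6-p2 advisory.
# Not from Adobe or the original post. POSIX sh; no network access needed.
set -eu

# Lowest -pN level per 2.4.x branch that carries the APSB23-42 fixes,
# from the bulletin's "updated versions" list (2.4.6-p2, 2.4.5-p4, 2.4.4-p5).
# Branches not listed here (and Adobe Commerce "-ext" builds) return "".
fixed_patch_level() {
  case "$1" in
    2.4.6) echo 2 ;;
    2.4.5) echo 4 ;;
    2.4.4) echo 5 ;;
    *)     echo "" ;;
  esac
}

# needs_apsb23_42_patch VERSION  (VERSION as printed by `bin/magento --version`,
# e.g. "2.4.5-p3"). Prints "yes" if still affected, "no" if the fix is present,
# "unknown" for versions the table above does not cover.
needs_apsb23_42_patch() {
  version="$1"
  # 2.4.7-beta1 is listed by Adobe as containing the fixes.
  if [ "$version" = "2.4.7-beta1" ]; then echo no; return; fi
  branch="${version%%-*}"                 # "2.4.5-p3" -> "2.4.5"
  case "$version" in
    *-p[0-9]*) level="${version##*-p}" ;; # "2.4.5-p3" -> "3"
    *-*)       echo unknown; return ;;    # other suffixes (beta, ext, ...)
    *)         level=0 ;;                 # bare "2.4.6": no patch applied
  esac
  fixed="$(fixed_patch_level "$branch")"
  if [ -z "$fixed" ]; then echo unknown; return; fi
  if [ "$level" -ge "$fixed" ]; then echo no; else echo yes; fi
}

# stale_jqueryui_files DOCROOT
# Lists files under DOCROOT/lib/web/jquery whose jQuery UI banner or module
# header still says 1.13.1, i.e. the add-on files the June 2023 patches left
# behind. Empty output means every file declares a newer version.
stale_jqueryui_files() {
  grep -rlE 'jQuery UI - v1\.13\.1|version: "1\.13\.1"' "$1/lib/web/jquery" 2>/dev/null || true
}

# make_sample_docroot: builds a throwaway document root (constructed data,
# mimicking the banner comments real jQuery UI files start with) so the
# checks above can be exercised without a Magento install.
make_sample_docroot() {
  root="$(mktemp -d)"
  mkdir -p "$root/lib/web/jquery/ui-modules/widgets"
  printf '/*! jQuery UI - v1.13.2 - 2022-07-14 */\n' \
    > "$root/lib/web/jquery/jquery-ui.js"
  printf '/*! jQuery UI - v1.13.1 - 2022-01-20 */\n' \
    > "$root/lib/web/jquery/ui-modules/widgets/checkboxradio.js"
  printf '/*! jQuery UI - v1.13.2 - 2022-07-14 */\n' \
    > "$root/lib/web/jquery/ui-modules/widgets/button.js"
  echo "$root"
}

# Stand-alone demo. On a real host use the installed version and docroot:
#   needs_apsb23_42_patch "$(bin/magento --version | awk '{print $NF}')"
#   stale_jqueryui_files /var/www/magento
for v in 2.4.6 2.4.6-p1 2.4.6-p2 2.4.5-p3 2.4.5-p4 2.4.4-p4 2.4.4-p5 2.4.3-p3 2.4.7-beta1; do
  echo "$v: needs patch = $(needs_apsb23_42_patch "$v")"
done
docroot="$(make_sample_docroot)"
echo "stale jQuery UI files under $docroot:"
stale_jqueryui_files "$docroot"
rm -rf "$docroot"

# Next steps once the check says "yes" (documented commands, run from the
# Magento root; not executed here):
#   composer require-commerce magento/product-community-edition=2.4.6-p2 --no-update
#   composer update && bin/magento setup:upgrade
# or, to apply only the ACSD-51892 performance fix while staying on 2.4.6/2.4.6-p1:
#   composer require magento/quality-patches && vendor/bin/magento-patches apply ACSD-51892
```

The version check deliberately answers "unknown" for anything outside the three branches the bulletin table covers, so an unexpected build (an Adobe Commerce "-ext" release, an older 2.4.x) is surfaced for manual review instead of being silently reported as safe. The jQuery UI scan greps the version banner rather than trusting composer.lock, because the incomplete-update note above is precisely about files on disk that did not change when the dependency version did.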