How to install the new security updates for Adobe Commerce APSB22-12

Adobe has released security updates for Adobe Commerce and Magento Open Source, announced as Adobe Commerce APSB22-12. These updates resolve a vulnerability rated critical. Successful exploitation could lead to arbitrary code execution.

The affected versions are:

  • Adobe Commerce and Magento Open Source
  • Versions from 2.3.3-p1 to 2.3.7-p2
  • Versions from 2.4.0 to 2.4.3-p1

How you install this security patch depends on your version; the next steps cover each case.

CSS in email template

If you have manually added CSS to transactional emails through the Magento Admin, these styles break after applying this patch. (Credits to integer_net for reporting this issue.)

You can check whether you have custom styles for your emails by looking for content in the Template Styles field of the email templates in the Magento Admin, or by running the following SQL command:

SELECT COUNT(*) FROM `email_template` WHERE template_styles like '%{%';

Download the patch

Before going further, download the zip file that matches your Magento version.

2.4.3 – 2.4.3-p1:

2.3.4-p2 – 2.4.2-p2:

2.3.3-p1 – 2.3.4:
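
The ranges above turned into a check, as an added example that is not part of the original post: it reads the product metapackage version from composer.lock and reports which of the three bundles applies. The sample lock excerpt is constructed and the function names are illustrative.

```python
import json
import re

# Patch bundles by version range, exactly as listed on this page (inclusive bounds).
BUNDLES = [
    ("2.4.3", "2.4.3-p1"),
    ("2.3.4-p2", "2.4.2-p2"),
    ("2.3.3-p1", "2.3.4"),
]

# Composer metapackages that carry the installed Magento / Adobe Commerce version.
PRODUCT_PACKAGES = {"magento/product-community-edition", "magento/product-enterprise-edition"}

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-p(\d+))?$")


def version_key(version):
    """Turn '2.3.4-p2' into (2, 3, 4, 2); a release without -pN sorts as p0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unsupported version string: {version!r}")
    return tuple(int(part or 0) for part in m.groups())


def bundle_for(version):
    """Return the (low, high) range of the matching bundle, or None when the
    version is outside every range listed on the page."""
    key = version_key(version)
    for low, high in BUNDLES:
        if version_key(low) <= key <= version_key(high):
            return (low, high)
    return None


def installed_version(composer_lock_text):
    """Read the product metapackage version from composer.lock contents."""
    lock = json.loads(composer_lock_text)
    for package in lock.get("packages", []):
        if package.get("name") in PRODUCT_PACKAGES:
            return package["version"]
    return None


# Constructed composer.lock excerpt for demonstration only.
SAMPLE_LOCK = '{"packages": [{"name": "magento/product-community-edition", "version": "2.4.2-p2"}]}'

if __name__ == "__main__":
    found = installed_version(SAMPLE_LOCK)
    print(found, "->", bundle_for(found))
```

A result of None only means the version is outside the ranges listed here; a plain release such as 2.3.4 sorts below its own -pN patch releases, which is why the comparison is not done on strings.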

Adobe Commerce Cloud

The first step is to download the security patch APSB22-12 so you can install it on your Adobe Commerce Cloud project. Once you have the zip files, unzip the patches and add them to a folder called m2-hotfixes in your root folder. Patches placed there are installed during the next deploy.

Magento Open Source

After downloading the zip file, install a Composer package called vaimo/composer-patches, which helps you apply patches more quickly.

composer require vaimo/composer-patches

After unzipping your patches, move them to a new folder. I would call it m2-hotfixes, which follows the same pattern as Adobe Commerce projects.

The security patches change two core modules, Magento Framework and Magento Email. This information is important to add to our Composer configuration during the next step.

In your composer.json, add an extra section with a patches section under it. The source is the path to your patch file. The targets are the core modules that the patch changes.

{
    "config": {
        "preferred-install": "source"
    },
    "extra": {
        "composer-exit-on-patch-failure": true,
        "patches": {
            "*": {
                "MDVA-43395": {
                    "source": "m2-hotfixes/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch",
                    "targets": [
                        "magento/framework",
                        "magento/module-email"
                    ]
                },
                "MDVA-43443": {
                    "source": "m2-hotfixes/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch",
                    "targets": [
                        "magento/framework",
                        "magento/module-email"
                    ],
                    "after": "MDVA-43395_EE_2.4.3-p1_COMPOSER_v1.patch"
                }
            }
        }
    }
}

Testing it

You can easily test it by running the Composer command to apply patches.

composer patch:apply --no-interaction -vvv

Or you can run the composer install command.

Thanks for reading this post. Don’t forget to install the patch as soon as possible. If you need professional help, please let me know!

About me

Rafael Corrêa Gomes

Senior e-commerce developer and architect based in Montreal, Canada. More than ten years of experience developing e-commerce sites and SaaS products and managing teams working with Magento, Shopify, PHP, JavaScript, and NodeJS.