As I write this, it’s the middle of July and Adobe has been busy releasing security updates for the Adobe Commerce and Magento Open Source platforms.

Let’s discuss how this affects you as the business manager and/or owner. But first, let’s back up and expand on how security updates differ from regularly scheduled updates.

What’s the Difference Between a Security Patch and a Scheduled Feature Release for Adobe Commerce?

Adobe Commerce Security Updates


As you may suspect, security updates are released to Adobe partners and the public to address specific vulnerabilities in the existing software platform. They are typically a response to documented flaws reported by security researchers, which may be issues with the application itself or with the underlying components it depends on, such as PHP libraries or the runtime. Security patches rarely offer new feature sets, electing rather to bolster and secure existing software. They are released as vulnerabilities are confirmed and prioritized by severity, and Adobe will often bundle similar types of vulnerabilities together in a single bulletin.

In contrast, feature releases are scheduled releases that contain all previously-released security patches alongside new functionality and improvements that can make your store easier to manage and better for customers. Our agency helps clients on Adobe Commerce and other platforms implement patches and releases, even when there’s extra work involved to ensure compatibility with integrations, themes, or legacy features.

Understanding the Latest Adobe Commerce Security Updates

Let’s dive into the latest Adobe security updates and how they affect store owners. As a reference, I’ll refer to each of these updates by their relevant security bulletin.

Bulletin APSB24-18

This security update addresses two critical cross-site scripting bugs. This is not an unusual update, because both Adobe Commerce and Magento Open Source ship Content Security Policy (CSP) in report-only mode rather than enforcing it. CSP is essentially an allow-list that tells the browser which sources scripts, styles, and other assets may be loaded from, and whether inline scripts are permitted at all; when it is enforced, script injected by an XSS bug is refused by the browser instead of executed.

Prior to this update, Adobe did not enforce CSP by default. The fix for this bulletin, however, was to enable CSP enforcement for the checkout area. Under enforcement, the browser refuses to run any script that does not come from an allow-listed source (or, for inline scripts, does not carry an approved hash or nonce), which broke many checkout pages with even light customization.

The solution involves updating vendor extensions and patching any without updates, as well as extending the CSP allow-list to cover approved third-party scripts. This was an understandably heavy-handed solution, but extremely effective at blunting this class of vulnerability: an XSS bug that still exists cannot load attacker-controlled script if the policy blocks it.
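The supported way to allow an approved script under an enforced CSP is a `csp_whitelist.xml` file in a small custom module, which Magento merges into the CSP header it sends. The file below is an added example written for this article, not code from Adobe or from the original post; the module name `Acme_CspAllowlist`, the `*.psp.example.com` hosts, and the hash value are placeholders that you would replace with the exact hosts your payment or analytics extension actually loads from.

```xml
<?xml version="1.0"?>
<!--
  Added example (not Adobe's code).
  Path: app/code/Acme/CspAllowlist/etc/csp_whitelist.xml  (hypothetical module)
  Magento merges every module's csp_whitelist.xml into the Content-Security-Policy
  header, so a module like this allows one vendor's assets without loosening CSP
  globally or editing vendor code.
-->
<csp_whitelist xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:noNamespaceSchemaLocation="urn:magento:module:Magento_Csp/etc/csp_whitelist.xsd">
    <policies>
        <!-- script-src: hosts the browser may load <script src="..."> from -->
        <policy id="script-src">
            <values>
                <!-- placeholder host; use the exact host your extension loads from -->
                <value id="acme_psp_js" type="host">https://js.psp.example.com</value>
                <!-- An inline script that cannot be moved to a file is allowed by the
                     SHA-256 hash (base64) of its exact contents. The value shown is a
                     placeholder (the hash of an empty string); compute the real one
                     from the script text between the <script> tags. -->
                <value id="acme_inline_tracker" type="hash" algorithm="sha256">47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=</value>
            </values>
        </policy>
        <!-- connect-src: endpoints that XHR/fetch may call, e.g. card tokenization -->
        <policy id="connect-src">
            <values>
                <value id="acme_psp_api" type="host">https://api.psp.example.com</value>
            </values>
        </policy>
        <!-- frame-src: iframes such as hosted card fields or 3-D Secure challenge pages -->
        <policy id="frame-src">
            <values>
                <value id="acme_psp_frame" type="host">https://checkout.psp.example.com</value>
            </values>
        </policy>
    </policies>
</csp_whitelist>
```

The usual workflow is to leave the storefront in report-only mode first, walk through checkout with the browser console open, and collect the "Refused to load" violations the browser reports; each one names the directive (`script-src`, `connect-src`, `frame-src`) and the blocked origin that belongs in a `<value>` like the ones above. Keep the list as narrow as the vendor's documentation allows: a wildcard host or `unsafe-inline` in `script-src` gives back most of what the enforcement was meant to take away from an XSS attacker.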

Bulletin APSB24-40

Better known as the CosmicSting vulnerability (CVE-2024-34102), this is an XML External Entity (XXE) injection flaw in the Adobe Commerce and Magento Open Source REST API. An unauthenticated attacker can use it to read arbitrary files from the server, including app/etc/env.php, which holds the store’s encryption key; with that key an attacker can forge admin-level API tokens, and researchers showed the bug can be chained with a glibc iconv flaw (CVE-2024-2961) to achieve remote code execution. The primary payloads observed in the wild were using the API to update CMS blocks with malware links.

The update itself was fairly trivial to apply. The real fallout, however, is that a store exploited before patching has already had its encryption key read, so the key must be rotated to ensure that bad actors holding it can no longer forge tokens and make changes through the API. This also means reviewing admin users, API integrations, and recently modified CMS blocks and pages, and monitoring to ensure no further intrusion attempts occur.

Additionally, Adobe released a follow-up patch shortly after to address an authentication component the first patch had missed, which would otherwise have allowed bad actors to continue using encryption keys they had already compromised.

Patching Now is Easier than Patching Later

Those sure sound serious, huh? Both vulnerabilities represent a high risk of data compromise, site takeover, and broken functionality as basic as the checkout flow, and a botched implementation of the Adobe patches can make things worse. We at Human Element will continue to stay on top of issues, giving our clients the best support, advice, and custom development to keep sites secure and customers safe and happy.

The Rub: Critiquing Adobe’s Approach to Security Patches

Adobe does a commendable job keeping up with the latest threats and issuing patches. However, introducing site-breaking changes in security patches leads to confusion over the time and effort involved in applying said patches, which creates budget concerns for clients trying to stay ahead in an ever-competitive eCommerce arena.

Our preference for security patches would be to narrowly address the specific issue with a patch and then apply larger, potentially breaking changes via minor releases. This has the added benefit of ensuring all security patch changes are integrated with the minor release alongside the more comprehensive feature fix for the issue. The development team at Adobe crafting security patches should work more closely on a long-term plan and consider adopting a “fix now, make it friendly later” strategy: fix the vulnerability as quickly as possible, and add a feature-rich fix via a regular release when necessary.

A Plea to Extension Vendors

When you think of extension vendors, picture a company with a specific goal: to provide and maintain a software offering that adds or changes features in an install. Most larger extension vendors sell a subscription for support and updates.

As an agency maintaining many installs with different use cases for vendor extensions, it has historically been a mixed bag as to whether an extension vendor will quickly respond to security patches with an update for their software. Updates for full feature releases are released quickly by most vendors, but the arguably more critical security patches are often overlooked by even large, reputable vendors. Reliable support for these patches should be the minimum for companies collecting a monthly fee for extension support, and it would save hours of effort on every install.

Navigating Security Patches on Adobe Commerce

Understanding the difference between a security patch and a feature release is important. However, within the current paradigm of security releases with potentially site-breaking changes, store owners should treat both with the same expectation and urgency. Both involve updating vendor extensions (and occasionally Adobe-maintained extensions), patching vendor extensions where the vendor has not provided an update in a timely manner, and correcting custom code and external references. Human Element can help you navigate the complexities of security and feature releases on Adobe Commerce and all major eCommerce platforms.