Update February 17, 2022: A second patch was released which must be applied over the first one. I added instructions on how to apply that at the end of this blog post.
On February 13, 2022, Adobe released a critical security patch named “APSB22-12” for all recent versions of Magento Open Source and Adobe Commerce:
The security issue allows execution of arbitrary code on the Magento server – no admin access needed. Adobe assigned it the highest priority.
How to apply the patch – the (too) easy way
Adobe has also published a patch file and instructions on how to apply it, see this link to the Adobe Help Center.
If you are using Adobe Commerce Cloud (formerly Magento Cloud), it’s pretty easy: You put the patch file into the directory “m2-hotfixes” and run the integrated deployment process.
For other hosting solutions, Adobe tells us to apply the patch on the command line:
patch -p1 < %patch_name%.composer.patch
The problem: This doesn’t work well with continuous integration, as both this command and the patch file have to be added to the deployment pipeline.
There is a solution for that though.
How to apply the patch – the composer way
This approach applies the patch via composer, which Magento uses anyway. If set up correctly, the patch is applied every time a composer command like “composer install” is run. Typically, the deployment pipeline already does this, so there is no need to adjust it.
The solution consists of three parts:
1. A composer plugin
You add the composer plugin with this command:
composer require cweagans/composer-patches
With this, the “Composer Patches” plugin by Cameron Eagans is installed. It applies patch files automatically whenever composer installs or updates packages.
2. Slightly modified patch file(s)
The patch file delivered by Adobe needs some small changes to the directory paths because the “Composer Patches” plugin applies patches per package instead of globally from the project root.
So we need to split the patch file into one file per affected package – in this case, one for magento/framework and one for magento/module-email. Then the paths inside the files have to be adjusted so they no longer contain the “vendor/magento/framework/” or “vendor/magento/module-email/” part.
I have prepared the modified patch files for you so you can just download them here.
The patch files should be added to a new “patches” subdirectory to your Magento repository so it looks like this:
3. Modifications to composer.json
We need to add a few new lines to the “extra” part of our project’s composer.json file:
"extra": {
    [...]
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/framework": {
            "MDVA-43395": "patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-framework.patch"
        },
        "magento/module-email": {
            "MDVA-43395": "patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch"
        }
    }
},
“magento/framework” and “magento/module-email” are the composer packages to which the patch files should be applied. Each is followed by an identifier (“MDVA-43395”) and the path to the patch file relative to the project root.
Now you call “composer install” and the patches are applied automatically.
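The following Python script is an added example, not part of the original post and not Adobe’s or integer_net’s tooling. It automates the rework from step 2 (split the root-level patch into one file per composer package and strip the “vendor/<vendor>/<package>/” prefix from the paths) and builds the composer.json entries from step 3. It assumes the input is a unified diff whose paths all start with vendor/<vendor>/<package>/, as Adobe’s composer patch files do; the patch file naming in composer_patches_block is an assumption modelled on the post’s file names, and the sample patch content is constructed.

```python
import re

# Added example, not Adobe's or integer_net's tooling: splits a root-level
# Magento patch (paths like vendor/magento/framework/...) into one patch per
# composer package and strips the vendor/<vendor>/<package>/ prefix.
DIFF_HEADER = re.compile(r"^diff --git a/(\S+) b/(\S+)$")
PKG_PREFIX = re.compile(r"^vendor/([^/]+/[^/]+)/")

def split_patch(patch_text):
    """Return {"vendor/package": patch_text} with package paths made relative."""
    parts = {}
    package = None
    for line in patch_text.splitlines(keepends=True):
        header = DIFF_HEADER.match(line.rstrip("\n"))
        if header:
            pkg = PKG_PREFIX.match(header.group(1))
            if not pkg:
                raise ValueError(f"path outside vendor/: {header.group(1)}")
            package = pkg.group(1)
            parts.setdefault(package, [])
        if package is None:
            continue  # skip any preamble before the first file header
        # Only path-bearing lines are rewritten; hunk bodies stay byte-identical.
        if line.startswith(("diff --git ", "--- a/", "+++ b/")):
            line = line.replace(f"vendor/{package}/", "", 2)
        parts[package].append(line)
    return {pkg: "".join(lines) for pkg, lines in parts.items()}

def composer_patches_block(patch_id, patch_dir, packages):
    """Build the 'extra' entries for composer.json (file naming is an assumption)."""
    return {
        "composer-exit-on-patch-failure": True,
        "patches": {
            pkg: {patch_id: f"{patch_dir}/{patch_id}_{pkg.replace('/', '-')}.patch"}
            for pkg in packages
        },
    }

# Constructed sample patch; the hunk contents are placeholders, not Adobe's fix.
SAMPLE_PATCH = """\
diff --git a/vendor/magento/framework/Example.php b/vendor/magento/framework/Example.php
--- a/vendor/magento/framework/Example.php
+++ b/vendor/magento/framework/Example.php
@@ -1,2 +1,2 @@
 <?php
-// constructed old line
+// constructed new line
diff --git a/vendor/magento/module-email/Model/Template/Filter.php b/vendor/magento/module-email/Model/Template/Filter.php
--- a/vendor/magento/module-email/Model/Template/Filter.php
+++ b/vendor/magento/module-email/Model/Template/Filter.php
@@ -1,2 +1,2 @@
 <?php
-// constructed old line
+// constructed new line
"""

if __name__ == "__main__":
    for pkg, text in split_patch(SAMPLE_PATCH).items():
        print(f"### {pkg} ###\n{text}")
```

Write each returned text to the matching file under patches/ and point the composer.json entries at them; the script refuses paths outside vendor/ so a hunk that would silently miss a package is caught before composer runs.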
Optional: This composer command updates the composer.lock file’s hash sum so it doesn’t appear as outdated:
composer update --lock
Let’s see what changes the patch file brings to one of the affected files.
Before applying the patch to vendor/magento/module-email/Model/Template/Filter.php:
After applying the patch to vendor/magento/module-email/Model/Template/Filter.php:
And that’s it! I hope this makes it easier for you to apply this critical patch in your Magento Open Source or Adobe Commerce systems.
Update February 18 2022: A second patch
The Adobe security bulletin was updated on the evening of February 17th with a second patch as the first patch still left an attack vector open.
The process to apply it is the same as for the first patch.
The new part in the composer.json should look like this:
"extra": {
    [...]
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/framework": {
            "MDVA-43395": "patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-framework.patch",
            "MDVA-43443": "patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-framework.patch"
        },
        "magento/module-email": {
            "MDVA-43395": "patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch",
            "MDVA-43443": "patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-module-email.patch"
        }
    }
},
We have also updated the new patch file, split it in two and adjusted the paths. You can download the updated patch files here.
Please note that these files will only work if you are using Magento 2.4.3. Adobe has provided different patch files for older versions in its security bulletin.

Author: Andreas von Studnitz
Andreas von Studnitz is a Magento developer and one of the Managing Directors at integer_net. His main areas of interest are backend development, Magento consulting and giving developer trainings. He is a Magento 2 Certified Professional Developer Plus and holds several other Magento certifications for both Magento 1 and Magento 2. Andreas was selected as a Magento Master in 2019 and 2020.
Hello Andreas,
thanks for your sharing.
Just to inform that there is a mistake in the Adobe indications to resolve the issue: “To resolve the vulnerability, apply one of the following attached patches.” and then “The patches were tested to resolve the issue for all versions from 2.3.3-p1 to 2.3.7-p2 and from 2.4.0 to 2.4.3-p1.”
The attached patches work only for 2.4.3-p1 version, as suggested by the patch name.
That’s because the patched file vendor/magento/module-email/Model/Template/Filter.php ($text = __($text, $params)->render(); in line 620) is different between the 2.4.3-p1 version and the older ones ($text = __($text, $params)->render(); in line 607).
So, specific patches need to be created for older versions.
Hello Michele,
today (Feb 17) Adobe released patches for older magento versions.
Unfortunately, Adobe did not adjust the patches correctly. For version 2.3.4-p2 – 2.4.2-p2 line 618 is still specified.
Thanks for sharing! I ended up just using post-update-cmd in the composer.json scripts section because I didn’t realised that was needed to split the patch to use cweagans/composer-patches, as the solution you proposed would have been my first choice. This article should be in the official docs. Kudos
Totally agree, Adobe should be releasing patches as split versions compatible with cweagans/composer-patches. FYI we have implement our own patch manager extension which enables more automation around patch application.
Hi there, weird behaviour in a project of mine.
I’m trying to apply the patch the composer way, but when I run composer install, the command reinstalls magento/framework and magento/module-email in an “unpatchable” version. The Magento version is 2.4.3-p1, so it should be ok, but still this weird thing happens.
Any idea?
Thanks
m
Hi! Are you planning to extend this tutorial with the new patches MDVA-43395? Maybe you would like to take ours (2 out of 3). We prepared the Adobe patches to be used with cweagans: https://we.tl/t-1y2cBDeXFv (only 2.3.4-p2+).
Hi, Andreas,
thanks for sharing! Could you let me know why we need to remove the “vendor/magento/framework/” and “vendor/magento/module-email” part from the patch files?
Thank you
The patch was created from the root directory of Magento, but it is applied per composer package. We define the name of the composer package which needs to be adjusted before, so the patch is applied from the directory of the package, i.e. in vendor/magento/framework/. It just expects the path from there then.
Hello! I have problem while installing patch for magento-email pachage.
patching file vendor/magento/module-email/Model/Template/Filter.php
Hunk #1 succeeded at 379 (offset -13 lines).
Hunk #2 succeeded at 427 (offset -13 lines).
Hunk #3 succeeded at 462 (offset -13 lines).
Hunk #4 succeeded at 542 (offset -13 lines).
Hunk #5 FAILED at 568.
Hunk #6 succeeded at 594 (offset -13 lines).
Hunk #7 succeeded at 633 (offset -13 lines).
Hunk #8 succeeded at 677 (offset -13 lines).
Hunk #9 succeeded at 761 (offset -13 lines).
Hunk #10 succeeded at 799 (offset -13 lines).
Hunk #11 succeeded at 870 (offset -13 lines).
Hunk #12 succeeded at 911 (offset -13 lines).
Hunk #13 succeeded at 1139 (offset -15 lines).
1 out of 13 hunks FAILED -- saving rejects to file vendor/magento/module-email/Model/Template/Filter.php.rej
Could someone help me to resolve it ?
I’m using “cweagans/composer-patches”
The files we provided for download are for Magento 2.4.3 and 2.4.3-p1 only. Previous versions need other files which I haven’t prepared yet. You can find the original files at https://helpx.adobe.com/security/products/magento/apsb22-12.html. You will have to split the files in two and adjust the paths yourself as explained in the blog post.
That’s my #1 guess why it fails for you.
Andreas is right, patches depend on your Magento version. I had the same problem because I’m still using 2.3.7-p1. So I prepared the patches the same way as Andreas did. If you are running the same Magento version, use this: https://we.tl/t-y93O5mjb4I
Note that patches also depend on your folder structure. Please put the content of the zip file in the Magento root path.
Hi Andreas,
When I try to install the patch for magento-email I have this error
thank you.
See my answer to Teodor, I assume the same issue.
Thank you very much for your answer. I appreciate your time to share your knowledge. I have Magento 2.4.0 installed on my site, I had no problem installing the other patches, just MDVA-43443_magento-module-email.patch. Then I must install the ones that correspond to my version. Does anyone know where I can find them?
You can find all the original patch files on https://helpx.adobe.com/security/products/magento/apsb22-12.html – adjusting them yourself as mentioned in the blog post is not too difficult.
Hello Andreas,
is this NOT working with version 2.4.3?
Greets, Jan
Yes it is. The files are for Magento 2.4.3 and 2.4.3-p1. Sorry, I’ll clarify.
Hello,
It seems to me that the 2nd patch (available at https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip?raw=true ) for magento 2.3.4 is not working.
I split it correctly but the part on module magento/module-email is not applying (HUNK 9 FAILED). (running the composer install with --verbose)
This seems due to the patch not being compatible with the code of the module magento/module-email (101.0.4).
I’ve solved it by creating one more patch to apply some changes before the 2nd patch applies (The order of the function tags is not the one expected by the “official” patch).
I applied it by creating a “prepatch” file (I have a slightly different syntax but the same logic):
Content of the MDVA-43443-prepatch.patch
I hope this can help people who are encountering “HUNK FAILED” errors.
Regards,
Baptiste
For Magento 2.3.4, you need the third patch which is available at https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip?raw=true.
Hello,
You can delete this comment, the patch https://github.com/magento/knowledge-base/blob/main/src/troubleshooting/known-issues-patches-attached/assets/MDVA-43443_EE_2.3.4_COMPOSER_v1.patch.zip?raw=true is now correctly applied to 2.3.4 magento instances (Not sure if I failed when I downloaded it previously or if the patchfile changed.)
Thanks,
Best Regards,
Hi Andreas, Thanks for the helpful post. Just FYI, we can use the Magento patches right away if we use the following composer plugin for applying the patches. I’m not sure if the cweagans composer plugin supports that or not, but you might want to try it.
All we need to do is to add these lines to the ‘extra’ part of the composer.json file:
Thanks, Toan
Solid advice and correct way to do it. Thank you!
Hi Andreas von Studnitz,
Thanks for writing a perfect blog for patches!!,
Would these patches work on all versions from 2.4.2 to 2.4.3-p1? I am using M2 version 2.4.2 and the first patch MDVA-43395_EE_2.4.3-p1 is working for the open source magento version as well, but the second patch patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-module-email.patch is having a problem. I am using your provided files from the download link, and it shows the error after the ‘composer install’ cmd.
“Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run
composer update
or
composer update <package name>
.”
Would we need to update composer?
BELOW ERROR IS main error
Could not apply patch! Skipping. The error was: Cannot apply patch patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-module-email.patch
The reworked patch files we provide for download are only valid for Magento 2.4.3 and 2.4.3-p1. For 2.4.0, you need the different patch files: especially the one named “MDVA-43443_EE_2.4.2-p2_COMPOSER_v1.patch.zip” on https://helpx.adobe.com/security/products/magento/apsb22-12.html. You will need to split the file in two and change the paths as described in the blog post.
In order to avoid the composer error, please execute “composer update --lock” before.
These patches are not working on Magento CLI 2.4.2.
Yes, and if you read the other comments, you know why.
Hi,
Thanks for this great article.
I don’t know why, but while I’m working with my Magento 2.4.0 version, the second patch, the 43443, is overriding the 43395’s modification. When I apply the 43395 alone, all the changes are applied. But when I apply the 43443 and the 43395, only the changes of the 43443 are applied 🙁
Hello Andreas,
First, I wanted to say thank you for the post. I applied the patches following your guide using the cweagans composer plugin for v. M2.4.3-p1.
In theory, all was good, no errors and the patches should have been applied, but there is no difference in the vendor/magento/module-email/Model/Template/Filter.php file after the patches have been applied.
Can I kindly ask you to give me a tip on what I’m doing wrong?
Thank you.
server:var/m:/var/www/m2$ composer install
Gathering patches for root package.
Removing package magento/framework so that it can be re-installed and re-patched.
- Removing magento/framework (103.0.3-p1)
Removing package magento/module-email so that it can be re-installed and re-patched.
- Removing magento/module-email (101.1.3)
Installing dependencies from lock file (including require-dev)
Verifying lock file contents can be installed on current platform.
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run
composer update
or
composer update <package name>
.
In Laminas\DependencyPlugin\DependencyRewriterV2::onPrePoolCreate
Package operations: 2 installs, 0 updates, 0 removals
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
- Installing magento/framework (103.0.3-p1): Extracting archive
- Installing magento/module-email (101.1.3): Extracting archive
- Applying patches for magento/framework
patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-framework.patch (MDVA-43395)
patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-framework.patch (MDVA-43443)
- Applying patches for magento/module-email
patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch (MDVA-43395)
patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-module-email.patch (MDVA-43443)
Package container-interop/container-interop is abandoned, you should avoid using it. Use psr/container instead.
Package csharpru/vault-php-guzzle6-transport is abandoned, you should avoid using it. No replacement was suggested.
Hi Pawel, it looks as if the patches have been applied successfully – it looked very similar for me. Can you double check the changes haven’t been applied?
Hi Andreas.
Thank you for your prompt response.
You see when I applied the patch. Ref- your post point 1, 2, and 3 and then checked the vendor/magento/module-email/Model/Template/Filter.php it looks like the file has been modified. All good 🙂
Then I updated the second patch. Ref- “Update February 18 2022: A second patch” your guide.
Once I patched it I re-checked the vendor/magento/module-email/Model/Template/Filter.php file for changes. The file looks exactly the same as it was before I applied the first patch. No changes at all.
Is this correct?
Hi, I’m getting a “Bad String” error on the composer.json file changes. It doesn’t like the […] on line 2?
Also, I already have a small section of code in the extra section:
"extra": {"magento-force": "override"}}
Where does this go?
Sorry, I am very new to this 🙂
[…] is a placeholder for the part which is already there.
If you already have a part, you don’t have to repeat it.
Thank you for the reply and sorry fo my questions. Here is my extra section in the composer.json :
"extra": {
    "magento-force": "override",
    "composer-exit-on-patch-failure": true,
    "patches": {
        "magento/framework": {
            "MDVA-43395": "patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-framework.patch",
            "MDVA-43443": "patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-framework.patch"
        },
        "magento/module-email": {
            "MDVA-43395": "patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch",
            "MDVA-43443": "patches/composer/MDVA-43443_EE_2.4.3-p1_COMPOSER_v1/MDVA-43443_magento-module-email.patch"
        }
    }
},
I am still getting a parse error relating to the last line. I think it’s the comma, but removing it does not help?
I appreciate any help you can offer.
Sorry to pester, I have managed to fix the composer.json file and have run the composer update command. Unfortunately it failed as follows:
[kingcobr@namib test.kingcobra.co.uk]$ composer install
Gathering patches for root package.
Removing package magento/framework so that it can be re-installed and re-patched.
- Removing magento/framework (103.0.3-p1)
Removing package magento/module-email so that it can be re-installed and re-patched.
- Removing magento/module-email (101.1.3)
Loading composer repositories with package information
Installing dependencies (including require-dev) from lock file
Warning: The lock file is not up to date with the latest changes in composer.json. You may be getting outdated dependencies. It is recommended that you run
composer update
or
composer update
.
Package operations: 2 installs, 0 updates, 0 removals
Warning from https://repo.packagist.org: Support for Composer 1 is deprecated and some packages will not be available. You should upgrade to Composer 2. See https://blog.packagist.com/deprecating-composer-1-support/
Info from https://repo.packagist.org: #StandWithUkraine
Gathering patches for root package.
Gathering patches for dependencies. This might take a minute.
- Installing magento/module-email (101.1.3): Downloading (100%)
- Applying patches for magento/module-email
patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch (MDVA-43395)
Could not apply patch! Skipping. The error was: Cannot apply patch patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch
[Exception]
Cannot apply patch MDVA-43395 (patches/composer/MDVA-43395_EE_2.4.3-p1_COMPOSER_v1/MDVA-43395_magento-module-email.patch)!
My Magento 2 installation is version 2.4.3-p1, any advice?
Hi, can I know how to revert those patches?
If it’s not enough to run “composer install” again after removing the patch from the composer.json file, I’d delete the module(s) from the vendor directory and then run “composer install” again.