High-Risk Vulnerability in OpenMage Magento LTS

Photograph of Magento Software

Last night on August 26th, 2021 a security research developer released information to the public concerning two security updates that address some worrying software vulnerabilities. The software vulnerabilities that have been found are related to the well-known Magento CMS (Content Management System). Recently, problems with software code have been constantly on the news for a significant variety of software and hardware vendors. When it comes to CMS products, quite a lot of software vulnerabilities have been spotted recently relating to Joomla and even market leader WordPress.

This time, software vulnerabilities affect one of the choice CMS platforms called Magento. Magento is a popular CMS platform owned by Adobe, that is similar to WooCommerce and CMS market leader WordPress. Magento allows the creation of digital content, like other CMS platforms, but is different in that it is referred to as an open-source e-commerce platform (and includes the Magento Marketplace.)

As for the vulnerability, it affects the open community project ‘fork’ OpenMage LTS that will continue to provide long-term support as well as PCI compliance for Magento 1.

The Magento LTS Vulnerability

On August 26th, 2021 there were two updates released on GitHub related to OpenMage Magento. The two updates, concern certain sub-versions of the V19 and V20 OpenMage Magento LTS releases. These vulnerabilities can allow an unauthorized remote attacker to view files as well as perform network scanning. The worst case is that a remote attacker can exploit these vulnerabilities and compromise a system that hasn’t been patched with the latest security fixes. One of these vulnerabilities is classified as high-severity and high-risk. Security researcher and developer Daniel Fahlke is credited as being the one to release this information and the security update to the GitHub project. GitHub is a platform for developers, where developers are able to add fixes for open source projects which is applicable to this case.

Technical Details

The CVE (Common Vulnerabilities and Exposures) ID code for the riskier vulnerability is CVE-2021-32758. Magento LTS (from OpenMage) is affected by this issue. Technically speaking, the vulnerability is an XML External Entity injection vulnerability. The security researcher confirmed that the vulnerability exists due to insufficient validation of user-supplied XML input. Because of this, a remote attacker can pass a specially crafted XML code to the affected application. Then, the attacker can view the contents of arbitrary files on the system or initiate requests to external systems. Successful exploitation of the vulnerability may allow an attacker to view the contents of an arbitrary file on the server or perform network scanning of internal and external infrastructure, or execute arbitrary code.

Important User Information

It is important for customers/users to know that the following version of Magento-lts are vulnerable to the above vulnerabilities;

  • 19.4.0, 19.4.1, 19.4.2, 19.4.3, 19.4.4, 19.4.5, 19.4.6, 19.4.7, 19.4.8, 19.4.9, 19.4.10, 19.4.11, 19.4.12, 19.4.13, 19.4.14, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 20.0.6, 20.0.7, 20.0.8, 20.0.9, 20.0.10, 20.0.11, 20.0.12

Customers/users of OpenMage Magento-lts should upgrade their software versions via GitHub to the latest one with the new security updates, which is; v20.0.13. Customers/users need to do a ‘pull request‘ in order to update their software. Finally, customers/users wishing to find out more about various Magento migration options can find additional information here.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at VPNoverview.com, while in his free time he likes to work on documentary projects, read about sociology and write about world events.