Rated 9.8 on the 10-point CVSS scale, this vulnerability allows unauthenticated remote code execution - in short, an attacker who exploits it can run their own code on the server and take control of the whole application, including the data it holds.
As Magento sites make transactions and store customer data, it goes without saying that closing this hole quickly was essential in order to keep customer details safe and prevent our clients suffering brand damage. So-called zero-day exploits are very rare for Magento but in this instance there were reports of the hole being actively (but thankfully rarely) exploited - only adding to the urgency.
The first patch, released on Sunday 13th February, was therefore at the top of Absolute's priority list on Monday morning, to roll out to all the clients we support.
Tickets and emails were generated within the first 2 hours of that morning to contact our clients to let them know the severity of this, and that we needed to act fast. Work was scheduled immediately after agreement to use clients' support hours to apply this.
Once the patch was applied to our clients' development sites, account managers and developers worked together to test those sites and confirm that the patch was good to push live.
We successfully deployed approximately 90% of the patches to the live environments within 48 hours.
Adobe then released a second patch on the 17th February, of the same urgency. Again this was at the top of Absolute’s priority Friday morning as this patch needed to be applied alongside the first for the vulnerability to be properly closed.
Support account managers generated tickets and emails within the first working hour to contact clients about this second patch, and work was scheduled immediately. We followed the same approach as for the first, and deployed this second patch to 100% of the clients that agreed to proceed within the working day.
If your agency hasn’t contacted you about this patch we’d very strongly recommend checking with them, and then asking them why they’re not more proactive - this isn’t a patch that’s safe to ignore and your customer data and your site itself could be at great risk.
For interested parties with technical understanding: we approached this using the cweagans/composer-patches Composer plugin (https://github.com/cweagans/composer-patches), enabling our developers to install the patch quickly and efficiently, with consistency across projects. Because composer-patches registers each patch against a Composer package and applies it relative to that package's own directory, we split Adobe's patch on a per-module basis, one patch file per package it touches. It also means the patch files and the composer.json entries are committed to git, so that every environment of each site stays consistent - an essential requirement for any good dev team.
Do be aware if taking this approach that the fix will inevitably be bundled into a future full release. Once you upgrade to a release that already contains it, the hunks no longer match, and by default composer-patches treats a patch that fails to apply as a fatal error and aborts the install, so the patch entries will need removing from composer.json at that point.
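As an added example (not Absolute's own tooling), the script below shows the per-module layout for composer-patches described above, together with a check that answers the question the caveat raises: is a given patch still needed, already present in vendor/ (so the release bundled it and the entry should go), or no longer applicable at all. The package name acme/module-example, the file Model/Filter.php and the patch contents are all invented fixtures for the demonstration; GNU patch is used for the dry runs, with git apply as a fallback.

```shell
#!/bin/sh
# Added example, not code from the original post or from composer-patches.
# Package, file and patch contents below are constructed fixtures.
set -eu

# Build a scratch project: composer.json with one patch registered per
# package (assumed package name acme/module-example), plus the vendor
# file the patch targets. Real Magento entries are keyed the same way,
# e.g. "magento/module-<name>": { "description": "patches/<file>.patch" }.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/patches" "$dir/vendor/acme/module-example/Model"
    cat > "$dir/composer.json" <<'EOF'
{
    "require": {
        "cweagans/composer-patches": "^1.7"
    },
    "extra": {
        "patches": {
            "acme/module-example": {
                "Hypothetical security fix, split out per module": "patches/acme-module-example.patch"
            }
        }
    }
}
EOF
    # Constructed vendor file (pre-fix state).
    cat > "$dir/vendor/acme/module-example/Model/Filter.php" <<'EOF'
<?php
class Filter
{
    public function render($template)
    {
        return $template;
    }
}
EOF
    # Constructed patch, paths relative to the package root (-p1 strips a/ b/).
    cat > "$dir/patches/acme-module-example.patch" <<'EOF'
--- a/Model/Filter.php
+++ b/Model/Filter.php
@@ -3,6 +3,6 @@
 {
     public function render($template)
     {
-        return $template;
+        return strip_tags($template);
     }
 }
EOF
    printf '%s\n' "$dir"
}

# Dry-run a patch against a package directory. $3 is "" (forward) or -R.
# -f stops GNU patch from guessing that a patch is reversed and prompting.
dry_run() {
    if command -v patch >/dev/null 2>&1; then
        (cd "$1" && patch -p1 -f -s --dry-run ${3:-} < "$2") >/dev/null 2>&1
    else
        (cd "$1" && git apply --check ${3:-} "$2") >/dev/null 2>&1
    fi
}

# Really apply the patch, as composer-patches would during composer install.
apply_patch() {
    if command -v patch >/dev/null 2>&1; then
        (cd "$1" && patch -p1 -f -s < "$2")
    else
        (cd "$1" && git apply "$2")
    fi
}

# Classify one patch against one package directory:
#   needed   - applies cleanly, vendor code is still unpatched
#   applied  - only applies in reverse: the fix is already in vendor/,
#              so the release bundled it and the entry can be removed
#   conflict - applies in neither direction: the patch must be rebased
patch_state() {
    if dry_run "$1" "$2" ""; then
        echo needed
    elif dry_run "$1" "$2" -R; then
        echo applied
    else
        echo conflict
    fi
}

# Walk through the lifecycle on the scratch project.
PROJECT=$(make_fixture)
PKG="$PROJECT/vendor/acme/module-example"
PATCH="$PROJECT/patches/acme-module-example.patch"
echo "fresh checkout:        $(patch_state "$PKG" "$PATCH")"
apply_patch "$PKG" "$PATCH"
echo "fix present in vendor: $(patch_state "$PKG" "$PATCH")"
rm -rf "$PROJECT"
```

Running patch_state over every entry under extra.patches after each Magento upgrade turns the "remove it at some point" caveat into a mechanical check: anything reporting applied is a patch the release has absorbed and can be dropped, anything reporting conflict needs attention before composer install will succeed again.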
Get in touch to see how Absolute can support you in the day-to-day up-keep of your existing website and improve site performance with our audits.