As your fully managed hosting provider, Nexcess wants to make you aware of critical vulnerabilities associated with specific Magento 2 versions and a WordPress plugin, UpdraftPlus. Keep reading to learn about these vulnerabilities, what you can do, and how Nexcess is protecting your site and your data.
Magento 2 Vulnerabilities
On Sunday, February 13th, Adobe disclosed a critical, pre-authentication remote code execution (RCE) vulnerability in Magento 2 (CVE-2022-24086) and released an emergency patch. Teams across Nexcess assembled and built tooling to identify and patch affected Magento 2 installations on the Nexcess Classic, Cloud, and Enterprise platforms. We completed that patching on February 15th and updated our Magento 2 installation tooling so that new installations include the patch.
Then, on Thursday, February 17th, Adobe released a second emergency patch for Magento 2 (CVE-2022-24087) to close a bypass of the first fix for the same RCE vulnerability. We reassembled our teams to test and apply the patch immediately across the Nexcess Classic, Cloud, and Enterprise platforms. Between the evening of Thursday, February 17th and the morning of Friday the 18th, we completed patching affected customers for CVE-2022-24087.
We encourage you to check your own Magento 2 installations: confirm whether you are running a version Adobe lists as affected, and verify that both patches were applied successfully. Although we have a high degree of confidence that we identified every vulnerable customer installation, the severity of this vulnerability warrants that additional validation on your part.
UpdraftPlus Plugin Vulnerabilities
Our teams are also acting on a critical vulnerability in UpdraftPlus, a WordPress backup plugin.
This vulnerability could allow any logged-in user, including low-privilege accounts such as customers or subscribers, to download the site backups created by the plugin, giving an attacker access to sensitive data (backups normally include the full database). With that data, an attacker could potentially take over the site as well. The vulnerability received a high-severity CVSS score of 8.5 out of 10.
The plugin developer has released a fix in version 1.22.3 (free version) and 2.22.3 (Premium). Because of the severity, the WordPress.org plugins team designated it a required update, so free UpdraftPlus users should receive the update automatically. Premium users should update immediately if the plugin has not already updated on its own.
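Both advisories above come down to the same check: is the installed version inside the range the vendor called affected, and for Magento 2, are the emergency patches actually present in the tree. The following shell script is an added example written for this notice; it is not Nexcess tooling or vendor code. The Magento 2 thresholds (2.4.3-p1 and earlier, 2.3.7-p2 and earlier) and the patch identifiers MDVA-43395 and MDVA-43443 are taken from Adobe's APSB22-12 bulletin rather than from this notice; the UpdraftPlus thresholds are the 1.22.3 and 2.22.3 releases named above. It assumes GNU `patch`, that `bin/magento --version` prints a line containing the version, and that wp-cli sees the plugin under the slug `updraftplus`.

```shell
#!/bin/sh
# Added example for this notice (not Nexcess or vendor code): classify installed
# Magento 2 and UpdraftPlus versions against the advisories above.
#
# Thresholds:
#   Magento 2:   Adobe APSB22-12 lists 2.4.3-p1 and earlier, and 2.3.7-p2 and
#                earlier, as affected by CVE-2022-24086 / CVE-2022-24087
#                (addressed by the MDVA-43395 and MDVA-43443 patches). Taken
#                from the bulletin; the notice itself does not list versions.
#   UpdraftPlus: fixed in 1.22.3 (free) and 2.22.3 (Premium), as stated above.

# Split "MAJ.MIN.PATCH[-pN]" into four integers: "2.4.3-p1" -> "2 4 3 1",
# "1.22.3" -> "1 22 3 0". Runs in a subshell so the IFS change stays local.
ver_parts() (
    v=$1 p=0
    case $v in
        *-p*) p=${v##*-p}; v=${v%-p*} ;;
    esac
    IFS=.
    set -- $v
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "$p"
)

# ver_le A B: exit 0 when A <= B, comparing field by field numerically so that
# 2.4.3 < 2.4.3-p1 < 2.4.4 and 1.9.0 < 1.22.3 (a plain string sort gets these wrong).
ver_le() {
    set -- $(ver_parts "$1") $(ver_parts "$2")
    if [ "$1" -ne "$5" ]; then [ "$1" -lt "$5" ] && return 0 || return 1; fi
    if [ "$2" -ne "$6" ]; then [ "$2" -lt "$6" ] && return 0 || return 1; fi
    if [ "$3" -ne "$7" ]; then [ "$3" -lt "$7" ] && return 0 || return 1; fi
    [ "$4" -le "$8" ] && return 0 || return 1
}

# ver_lt A B: exit 0 when A < B.
ver_lt() {
    if ver_le "$2" "$1"; then return 1; else return 0; fi
}

# Exit 0 when a Magento 2 version falls inside Adobe's affected range.
# The 2.3 line is capped at 2.3.7-p2; every other line (2.2.x, 2.4.x) at 2.4.3-p1.
m2_affected() {
    case $1 in
        2.3.*) ver_le "$1" 2.3.7-p2 ;;
        *)     ver_le "$1" 2.4.3-p1 ;;
    esac
}

# Exit 0 when an UpdraftPlus version predates the fixed release for its line.
updraft_needs_update() {
    case $1 in
        2.*) ver_lt "$1" 2.22.3 ;;   # Premium
        *)   ver_lt "$1" 1.22.3 ;;   # free
    esac
}

# Installed Magento version, pulled from the "Magento CLI 2.4.3-p1" style line
# that bin/magento --version prints (assumed format; run from the Magento root).
m2_installed_version() {
    php bin/magento --version 2>/dev/null |
        sed -n 's/.*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\(-p[0-9][0-9]*\)*\).*/\1/p'
}

# Is a unified-diff patch (the form Adobe ships MDVA-* fixes in) already applied
# to the current tree? A reversed dry run succeeds only when every hunk is present.
# Assumes GNU patch and the usual "patch -p1" layout; $1 is the downloaded file.
m2_patch_applied() {
    patch -p1 -R -f -s --dry-run <"$1" >/dev/null 2>&1
}

# Report on the site this script is run in, when the relevant tools are present.
if [ -f bin/magento ]; then
    m2v=$(m2_installed_version)
    if [ -z "$m2v" ]; then
        echo "Magento 2: version could not be determined"
    elif m2_affected "$m2v"; then
        echo "Magento 2 $m2v: in Adobe's affected range; confirm MDVA-43395 and MDVA-43443 are applied"
    else
        echo "Magento 2 $m2v: outside the range Adobe listed as affected"
    fi
fi
if command -v wp >/dev/null 2>&1; then
    upv=$(wp plugin get updraftplus --field=version 2>/dev/null || true)
    if [ -n "$upv" ] && updraft_needs_update "$upv"; then
        echo "UpdraftPlus $upv: update required"
    elif [ -n "$upv" ]; then
        echo "UpdraftPlus $upv: at or above the fixed release"
    fi
fi
```

Run it from the Magento document root (and anywhere wp-cli is configured for the WordPress site) to get one line per product. For the patch check, `m2_patch_applied MDVA-43395.patch && echo applied` from the same root answers the "was it actually applied" question that a version number alone cannot, since the patches do not change what `bin/magento --version` reports.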
We have released an update to our Web Application Firewall (WAF) to protect customers until their sites can be updated, and we’ve also communicated to all our customers using UpdraftPlus to urge them to verify they have the latest version and update if needed.
We’re Here to Help
If you have any additional questions, please email us directly at firstname.lastname@example.org, or contact us by telephone at 866-639-2377.
As your Managed Hosting provider, we’re working every day to keep your sites and stores fast, highly secure, and available. We recognize that when your business relies on the web, you deserve to have a provider you can rely on.
As always, we thank you for trusting us with your mission-critical sites and stores. We appreciate your business and will always have your back.