README

Fix the JWT authentication vulnerability on certain Magento 2 versions. Deny tokens issued by old encryption key. If you cannot upgrade Magento or cannot apply the official patch, try this one.

Background

In September 2024, an authentication vulnerability was revealed on multiple Magento versions and those versions are identified that a new module Magento_JwtUserToken is employed.

Tokens(especially Admin Tokens) issued by old encryption key remains valid even if a new key is added. The vulnerability is caused by a bug in the above mentioned module. Attacker who once obtained a key can have persistent Admin level WebAPI access to the victim's store.

CVE-2024-34102(aka Cosmic Sting) Secondary Disaster

By exploiting CVE-2024-34102, the attacker can steal the encryption key and craft "valid" Admin Token.
A key rotation without fixing this vulnerability cannot deny the attacker's Admin level access.

Do I really need this patch ?

If your store is already hacked or you are unsure if it is, then you should assume the encryption key is leaked. Performing an encryption key rotation is very urgent.

Rotate Encryption Key

Note1: Perform the key rotation after installing this patch(extension).
Note2: Encryption keys are stored in app/etc/env.php crypt/key path, but do not delete old keys after rotation.

Login to Admin Panel
Go to System > Other Settings > Manage Encryption Key
Change Auto-generate a Key to Yes and then Change Encryption Key

More details, including command line methods, are in this blog post.

We also developed a tool for deployment automation purpose. Check Magento 2 Encryption Key Manager CLI.

Requirements

For affected versions only

2.4.4 ~ 2.4.4-p9
2.4.5 ~ 2.4.5-p8
2.4.6 ~ 2.4.6-p6
2.4.7 ~ 2.4.7-p1

Compatibility

This extension does not use preference.

Installation

composer require wubinworks/module-jwt-auth-patch

♥

If you like this extension please star this repository.

wubinworks / module-jwt-auth-patch

Maintainers

Details