Adobe Commerce Cloud security issues. Log4j shell crisis!

Yegor Shytikov
4 min readDec 18, 2021


Thousands of the Magento Cloud (Adobe Commerce Cloud) websites were potentially hacked. Because of the unsecure and no PSI DSS compliant single server installation when vulnerable Elastic Search and ZooKeeper Java based software hosted together with the Database the data could be stolen. Your Magento Adobe Cloud web site may have already been compromised and the attackers have “fixed” the vulnerability to keep out other attackers.

Merchants will not know about the issues. Until attackers will start to use stolen Customer data or credit cards. “Log4Shell” has been characterized by Tenable as “the single biggest, most critical vulnerability of the last decade”.

Adobe Commerce Cloud architectural PSI DSS security issues:

2.2.1 Implement only one primary function per server to prevent functions that require different security levels from co-existing on the same server. (For example, web servers, database servers, and DNS should be implemented on separate servers.)

For example:

A database, which needs to have strong security measures in place, would be at risk sharing a server with a web application, which needs to be open and directly face the Internet. Failure to apply a patch to a seemingly minor function could result in a compromise that impacts other, more important functions (such as a database) on the same server.

Adobe Commerce Cloud Architecture

As we can see everything on the same server!

Hack off the one software gives easy access to ALL data and code on the same serve…

Magento Cloud Multy-layer Architecture

This architecture is free to use and is open source. Read more here ->

In the United States, the director of the Cybersecurity and Infrastructure Security Agency (CISA), Jen Easterly, termed the exploit “critical” and advised vendors to prioritize software updates, and the Germany agency Federal Office for Information Security (BSI) designated the exploit as being at its highest threat level, calling it an “extremely critical threat situation” (translated). The Canadian Centre for Cyber Security (CCCS) called on organisations to take on immediate action.

The CVE-2021–44228 vulnerability allows unauthenticated remote code execution on the Magento cloud server using ElasticSearch, and it is triggered when a specially crafted string provided by the attacker through a variety of different input vectors is parsed and processed by the ElasticSearch Log4j 2 vulnerable component. For more technical and mitigation information about the vulnerability, please read the Microsoft Security Response Center blog.

The bulk of attacks were observed at this time have been related to mass scanning by attackers attempting to thumbprint vulnerable systems, as well as scanning by security companies and researchers.

An attacker performs an HTTP request against a target system, which generates a log using Log4j 2 that leverages JNDI to perform a request to the attacker-controlled site. The vulnerability then causes the exploited process to reach out to the site and execute the payload. In many observed attacks, the attacker-owned parameter is a DNS logging system, intended to log a request to the site to fingerprint the vulnerable systems.

The specially crafted string that enables execution of this vulnerability can be identified through several components. The string contains “jndi”, which refers to the Java Naming and Directory Interface. Following this, the protocol, such as “ldap”, “ldaps”, “rmi”, “dns”, “iiop”, or “http”, precedes the attacker domain.

As security teams work to detect the exploitation of the vulnerability, attackers have added obfuscation to these requests to evade detections based on request patterns. We’ve seen things like running a lower or upper command within the exploitation string and even more complicated obfuscation attempts, that are all trying to bypass string-matching detections.

The vast majority of observed activity has been scanning, but exploitation and post-exploitation activities have also been observed. Based on the nature of the vulnerability, once the attacker has full access and control of an application, they can perform a myriad of objectives. Activities including installing coin miners, MageCart, Cobalt Strike to enable credential theft and lateral movement, and exfiltrating data, personal customers data and credit cards leakage from compromised systems were observed.



Yegor Shytikov

True Stories about Magento 2. Melting down metal server infrastructure into cloud solutions.