
CVE-2021-21426

CVE-2021-21426, also known as the Magento deserialization attack, is a vulnerability in Magento and OpenMage versions prior to v19.4.13. It is caused by the unsecured deserialization of an object in Zend Framework (CVE-2021-3007) and can lead to remote code execution if the deserialized content is attacker-controllable. It involves the __destruct method of the Zend\Http\Response\Stream class in Stream.php. In versions higher than Zend Framework 3.0.0, the attacker abuses the Zend3 feature that loads classes from objects in order to upload and execute malicious code on the server. The code can be uploaded using the “callback” parameter, which in this case inserts malicious code in place of the “callbackOptions” array. The patch was backported from ZF3 and included in OpenMage v19.4.13 and v20.0.10.

Note: Install this and any other missing patches with our Magento patch installation service or upgrade to OpenMage LTS v19.4.15 (released on August 26, 2021).
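An added check, not part of this advisory or of the OpenMage code base, that tells a defender whether an installation already carries the backport: first by the OpenMage version numbers named above, then by inspecting lib/Zend/Http/Response/Stream.php for the guarded unlink call. The two PHP snippets embedded below are constructed from the patch hunk on this page; the file path argument is an assumption.

```python
import re
from pathlib import Path

# Fixed releases named in the advisory: the backport shipped in OpenMage 19.4.13 and 20.0.10.
FIXED_VERSIONS = {19: (19, 4, 13), 20: (20, 0, 10)}


def parse_version(text):
    """Turn '19.4.12' into (19, 4, 12) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in text.strip().split(".")[:3])


def version_is_patched(version):
    """True when the OpenMage version is at or above the release carrying the backport."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[0])
    if fixed is None:
        # 21.x and later postdate the fix; anything older than 19.x predates it.
        return v[0] > 20
    return v >= fixed


# Patched form: unlink() only runs on a string path that exists (the hunk's '+' line).
GUARDED_UNLINK_RE = re.compile(
    r"if\s*\(\s*\$this->_cleanup\s*&&\s*is_string\(\$this->stream_name\)\s*&&\s*"
    r"file_exists\(\$this->stream_name\)\s*\)\s*\{\s*@?unlink\(\$this->stream_name\)",
    re.S,
)
# Vulnerable form: unlink() runs on whatever stream_name holds (the hunk's '-' line).
UNGUARDED_UNLINK_RE = re.compile(
    r"if\s*\(\s*\$this->_cleanup\s*\)\s*\{\s*@?unlink\(\$this->stream_name\)", re.S
)


def source_has_fix(source):
    """Classify the contents of Stream.php as 'patched', 'vulnerable' or 'unknown'."""
    if GUARDED_UNLINK_RE.search(source):
        return "patched"
    if UNGUARDED_UNLINK_RE.search(source):
        return "vulnerable"
    return "unknown"  # __destruct rewritten beyond recognition; inspect by hand


def check_stream_file(path="lib/Zend/Http/Response/Stream.php"):
    """Read the installed file (assumed path) and classify it."""
    return source_has_fix(Path(path).read_text(encoding="utf-8"))


# Constructed samples reproducing the two sides of the hunk (not the full class).
VULNERABLE_SNIPPET = "        if($this->_cleanup) {\n            @unlink($this->stream_name);\n        }\n"
PATCHED_SNIPPET = (
    "        if($this->_cleanup && is_string($this->stream_name) && file_exists($this->stream_name)) {\n"
    "            @unlink($this->stream_name);\n        }\n"
)
```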


Patch for CVE-2021-21426

The patch can be downloaded from GitHub: [https://github.com/OpenMage/magento-lts/commit/6b663bbce99d46823bec690fe7a186df2b855620.patch]

diff --git a/lib/Zend/Http/Response/Stream.php b/lib/Zend/Http/Response/Stream.php
index 0a154c4ee4..795ae14676 100644
--- a/lib/Zend/Http/Response/Stream.php
+++ b/lib/Zend/Http/Response/Stream.php
@@ -227,7 +227,7 @@ public function __destruct()
             fclose($this->stream);
             $this->stream = null;
         }
-        if($this->_cleanup) {
+        if($this->_cleanup && is_string($this->stream_name) && file_exists($this->stream_name)) {
             @unlink($this->stream_name);
         }
     }
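Review bot: the new condition on the `if` line accepts any existing path, not only the temporary file this instance created, so with `_cleanup` set the `@unlink($this->stream_name)` still runs on whatever string `stream_name` holds after unserialization; consider recording in a private flag whether this object itself created the file and unlinking only when that flag is set, and prefer `is_file()` over `file_exists()`, since the latter is also true for directories. The `is_string()` check is the essential part of the fix: it stops `unlink()` from being handed an object, whose `__toString()` would otherwise be invoked during the destructor.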