Following the release of the Magento 2 Security Patch PRODSECBUG – 2198 and SUPEE 11086, proof-of-concept (POC) exploit was published, for SQL Injection vulnerability, giving the hackers a path to the database of your E-commerce sites! This provokes the urgency to patch your store NOW! You can either follow this blog post or contact us for instant help!
On 26th March 2019, Magento released Security Patch PRODSECBUG-2198 for fixing a critical SQL injection vulnerability. Due to this vulnerability, an unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. We strongly suggest that you install these full patches as soon as you can.
|CVSSv3 Severity:||9 (Critical)|
|Description:||An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage.|
|Product(s) Affected:||Magento Open Source prior to 18.104.22.168, and Magento Commerce prior to 22.214.171.124, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1|
|Fixed In:||Magento Open Source 126.96.36.199, Magento Commerce 188.8.131.52, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1|
Follow the 6-Step Guide to install PRODSECBUG-2198:
Backup Your Magento Store
It’s a wise step to back up your Magento Store to before applying any security Patch because your store might have some confliction with the Patch files.
Download & Upload the Patch
Download the Patch PRODSECBUG-2198 from here for your Magento Store Version and upload it to your Magento folder.
Apply the Patch
After you log in to your shell server and navigating to your Magento Folder, run the following command:1bash Patch-Name
Clear your Magento Cache
It’s recommended to flush your Magento Cache after applying the patch. You can either clear and flush the cache from Magento admin or run the following SSH commands:1php bin/magento cache:flush1php bin/magento cache:clean
Confirm the Patch Installation
Run the following command to know if the patch has been installed successfully:1grep '|' app/etc/applied.patches.list1grep '|' app/etc/applied.patches.list
Remove the Patch file
After the successful patch installation, you can remove the .patch file from the root of your Magento.
Run the following command to remove it using SSH:1rm Patch-Name
With the above method in Magento 2.2 CE version you may face an error as below:
diff: unrecognized option ‘–git’
diff: Try ‘diff –help’ for more information.
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 2: index: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 3: —: command not found
In order to avoid this error, follow the below steps:
- If you use git for your project:
git apply PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
- use patch
- Remove the a/ and b/ before the path name.
- Move the patch file to your Magento root and execute patch -p0 < PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
That’s it 🙂
Let me know via commenting below if you face any issue while installing PRODSECBUG-2198.
Don’t forget to hit the 5⭐️ if this post helps you.