ALERT!⚠️
Following the release of the Magento 2 Security Patch PRODSECBUG – 2198 and SUPEE 11086, proof-of-concept (POC) exploit was published, for SQL Injection vulnerability, giving the hackers a path to the database of your E-commerce sites! This provokes the urgency to patch your store NOW! You can either follow this blog post or contact us for instant help!
On 26th March 2019, Magento released Security Patch PRODSECBUG-2198 for fixing a critical SQL injection vulnerability. Due to this vulnerability, an unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. We strongly suggest that you install these full patches as soon as you can.
PRODSECBUG-2198 Information
| Particulars | Details |
|---|---|
| Type: | Injections: SQL |
| CVSSv3 Severity: | 9 (Critical) |
| Known Attacks: | none |
| Description: | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | cfreal |
Follow the 6-Step Guide to install PRODSECBUG-2198:
Step 1: Backup Your Magento Store
It’s a wise step to back up your Magento Store before applying any security Patch because your store might have some confliction with the Patch files.
Step 2: Download & Upload the Patch
Download the Patch PRODSECBUG-2198 from here for your Magento Store Version and upload it to your Magento folder.
Step 3: Apply the Patch
After you log in to your shell server and navigating to your Magento Folder, run the following command:
bash Patch-Namee.g.
bash PRODSECBUG-2198-2.3-CE.patchStep 4: Clear your Magento Cache
It’s recommended to flush your Magento Cache after applying the patch. You can either clear and flush the cache from Magento admin or run the following SSH commands:
php bin/magento cache:flushphp bin/magento cache:cleanStep 5: Confirm the Patch Installation
Run the following command to know if the patch has been installed successfully:
grep '|' app/etc/applied.patches.listgrep '|' app/etc/applied.patches.listStep 6: Remove the Patch file
After the successful patch installation, you can remove the .patch file from the root of your Magento Run the following command to remove it using SSH:
rm Patch-NameNote:
With the above method in Magento 2.2 CE version you may face an error as below:
bash PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
diff: unrecognized option ‘–git’
diff: Try ‘diff –help’ for more information.
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 2: index: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 3: —: command not found
In order to avoid this error, follow the below steps:
- If you use git for your project:
git apply PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch - use patch
- Remove the a/ and b/ before the path name.
- Move the patch file to your Magento root and execute patch -p0 < PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
That’s it 🙂
Let me know via commenting below if you face any issue while installing PRODSECBUG-2198.
Don’t forget to hit the 5⭐️ if this post helps you.
