ALERT!⚠️
Following the release of the Magento 2 Security Patch PRODSECBUG – 2198 and SUPEE 11086, proof-of-concept (POC) exploit was published, for SQL Injection vulnerability, giving the hackers a path to the database of your E-commerce sites! This provokes the urgency to patch your store NOW! You can either follow this blog post or contact us for instant help!
On 26th March 2019, Magento released Security Patch PRODSECBUG-2198 for fixing a critical SQL injection vulnerability. Due to this vulnerability, an unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. We strongly suggest that you install these full patches as soon as you can.
| PRODSECBUG-2198 Information | |
|---|---|
| Type: | Injections: SQL |
| CVSSv3 Severity: | 9 (Critical) |
| Known Attacks: | none |
| Description: | An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage. |
| Product(s) Affected: | Magento Open Source prior to 1.9.4.1, and Magento Commerce prior to 1.14.4.1, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, Magento 2.3 prior to 2.3.1 |
| Fixed In: | Magento Open Source 1.9.4.1, Magento Commerce 1.14.4.1, SUPEE-11086, Magento 2.1.17, Magento 2.2.8, Magento 2.3.1 |
| Reporter: | cfreal |
Follow the 6-Step Guide to install PRODSECBUG-2198:
Backup Your Magento Store
It’s a wise step to back up your Magento Store to before applying any security Patch because your store might have some confliction with the Patch files.
Download & Upload the Patch
Download the Patch PRODSECBUG-2198 from here for your Magento Store Version and upload it to your Magento folder.
Apply the Patch
After you log in to your shell server and navigating to your Magento Folder, run the following command:
1bash Patch-Namee.g.
1bash PRODSECBUG-2198-2.3-CE.patchClear your Magento Cache
It’s recommended to flush your Magento Cache after applying the patch. You can either clear and flush the cache from Magento admin or run the following SSH commands:
1php bin/magento cache:flush1php bin/magento cache:cleanConfirm the Patch Installation
Run the following command to know if the patch has been installed successfully:
1grep '|' app/etc/applied.patches.list1grep '|' app/etc/applied.patches.listRemove the Patch file
After the successful patch installation, you can remove the .patch file from the root of your Magento.
Run the following command to remove it using SSH:
1rm Patch-Name
Note:
With the above method in Magento 2.2 CE version you may face an error as below:
bash PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
diff: unrecognized option ‘–git’
diff: Try ‘diff –help’ for more information.
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 2: index: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 3: —: command not found
In order to avoid this error, follow the below steps:
- If you use git for your project:
git apply PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch - use patch
- Remove the a/ and b/ before the path name.
- Move the patch file to your Magento root and execute patch -p0 < PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
That’s it 🙂
Let me know via commenting below if you face any issue while installing PRODSECBUG-2198.
Don’t forget to hit the 5⭐️ if this post helps you.
7 comments On How to Install Magento 2 Security Patch PRODSECBUG-2198
It asks me files to patch , what should i put ?
Please mention the error you are facing. A screenshot of the error would be helpful to solve your issue.
i get this error as well…
Have you tried to do that you sagest?
I tried for 2.2-CE.
bash PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
diff: unrecognized option ‘–git’
diff: Try ‘diff –help’ for more information.
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 2: index: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 3: —: command not found
This patch doesn’t looks like bash script. It looks like git diff.
And you can apply it in two ways.
1) if you use git for your project.
git apply PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
2) use patch
2.1)Remove the a/ and b/ before the path name.
2.2)Move the patch file to your Magento root and execute patch -p0 < PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
https://magento.stackexchange.com/questions/268708/prodsecbug-2198-installation-steps
P.S.
Mistake: php bin/magento cache:clear
Correctly: php bin/magento cache:clean
You are right. Thank you so much 🙂
Hi, seems simple enough but I get this …
public_html$ bash PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch
diff: unrecognized option ‘–git’
diff: Try ‘diff –help’ for more information.
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 2: index: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 3: —: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 4: +++: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 5: @@: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 6: =: command not found
PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 8: syntax error near unexpected token
$actions'foreach ($actions as $action) {‘PRODSECBUG-2198-2.2-CE.composer-2019-03-27-06-12-19.patch: line 8:
Please follow the note mentioned at the end of the blog for your solution 🙂