Magento Security Patches Installation – The Complete Guide


What is a Magento Security Patch?

The Magento platform combines state-of-the-art functionality with the flexibility of open source software. Alongside the many benefits of an open source platform comes one major drawback: security threats and vulnerabilities. When a loophole is found, Magento steps in to solve the security issue. As soon as the update has been developed and tested, the fix for the affected version is released as a SUPEE patch.

What Does SUPEE Mean?

Magento internally uses the JIRA system for bug tracking, and because the patches are released through EE SUPport tickets, Magento security patches are named SUPEE patches. Each SUPEE patch is a self-installing script containing updates for all the security issues it addresses. The patch files locate the code to update in the existing Magento code files and save the result.

How to Install Magento Security Patches?

Due to variations in server access and hosting environments, there is no universal way to install patches.
There are 3 methods to install Magento security patches, and I have shared all 3 of them; you can choose any of them according to your convenience and access.

  1. With SSH
  2. Run a Script
  3. Without SSH

Before Patch Installation:
We would not want to lose our data! Sometimes already installed extensions are not compatible with the new patch, so it is advisable to take a backup in case of data loss.

Patch Downloads:
If you are using the “With SSH” or “Run a Script” method, download the security patch from here. If you are using the “Without SSH” method, you can directly download pre-patched files from here.

You must know your Magento version to download the correct patch. You can find your Magento version from Magereport.

Method 1: With SSH

    1. Using Secure Shell (SSH) is the most recommended way to apply the patch.
    2. Run the following commands in the SSH console:
       For a patch with the .sh extension:
       For a patch with the .patch extension:

       For Linux OS or Ubuntu derived machines:
       On Linux OS or Ubuntu derived machines, using sh will throw an error, as sh is supposed to be used only with purely POSIX compliant scripts and Magento scripts are not 100% POSIX compliant. Instead, on Ubuntu and derived OSes such as Linux Mint, you should use
    3. Disable the compiler if the store is already compiled.
    4. To apply the patch, move the patch file to your Magento directory.
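The SSH procedure above, as an added example that is not part of the original post and not Magento's own tooling: a POSIX shell helper that checks for the tools the patch scripts need (the same “required system tools” check whose error message the “Run a Script” method quotes), refuses to run while the compiler is enabled, takes a backup of the code directories first, and then applies the patch file from the Magento root, using bash rather than sh for the .sh format. It also accepts the -R flag that the “Reverting an Installed Patch” section describes. The Magento 1 directory layout (includes/config.php, app/, lib/, skin/, js/, var/), the -p0 strip level for .patch files, and the backup location under var/ are my assumptions; php shell/compiler.php disable is Magento's own compiler tool.

```shell
#!/bin/sh
# apply_supee.sh: apply or revert one Magento 1 SUPEE patch from the store root.
# Added example, not the article's or Magento's own script.
# Assumptions: Magento 1.x layout (includes/config.php, app/, lib/, skin/, js/,
# var/); .sh patches accept -R to revert; .patch files are unified diffs that
# apply from the Magento root with -p0.
set -u

# Check that every tool named on the command line is on PATH.
# Returns 0 when all are present, 1 (naming the missing ones) otherwise.
require_tools() {
    missing=""
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || missing="$missing $tool"
    done
    if [ -n "$missing" ]; then
        echo "Error: required tool(s) not installed:$missing" >&2
        return 1
    fi
    return 0
}

# Return 0 when the Magento compiler is enabled, i.e. includes/config.php
# contains an uncommented define('COMPILER_INCLUDE_PATH', ...).
compiler_enabled() {
    cfg="$1/includes/config.php"
    [ -f "$cfg" ] || return 1
    grep -Eq "^[[:space:]]*define\('COMPILER_INCLUDE_PATH'" "$cfg"
}

# Archive the directories a patch can modify before touching anything.
# Prints the archive path; returns 1 if nothing looked like a Magento tree.
backup_store() {
    dirs=""
    for d in app lib includes skin js; do
        [ -d "$1/$d" ] && dirs="$dirs $d"
    done
    [ -n "$dirs" ] || return 1
    mkdir -p "$1/var"
    archive="$1/var/backup-before-patch-$(date +%Y%m%d-%H%M%S).tar"
    # $dirs is deliberately unquoted: it is a space-separated list.
    ( cd "$1" && tar -cf "$archive" $dirs ) || return 1
    echo "$archive"
}

# Apply (or, with -R as the third argument, revert) a patch file that already
# sits in the Magento root. usage: apply_patch MAGENTO_ROOT PATCH_FILE [-R]
apply_patch() {
    file="$1/$2"; mode="${3:-}"
    [ -f "$file" ] || { echo "Error: no such patch file: $file" >&2; return 1; }
    case "$2" in
        *.sh)
            # bash, not sh: the SUPEE shell patches are not pure POSIX.
            require_tools bash patch || return 1
            ( cd "$1" && bash "$file" $mode )
            ;;
        *.patch)
            require_tools patch || return 1
            ( cd "$1" && patch -p0 $mode < "$file" )
            ;;
        *)
            echo "Error: unknown patch format: $2" >&2
            return 1
            ;;
    esac
}

# Whole procedure: tool check, compiler check, backup, then apply or revert.
install_patch() {
    require_tools tar patch || return 1
    if compiler_enabled "$1"; then
        echo "Error: compiler is enabled; run 'php shell/compiler.php disable' first" >&2
        return 1
    fi
    archive=$(backup_store "$1") || return 1
    echo "Backup written to $archive"
    apply_patch "$1" "$2" "${3:-}"
}

# Run as a script: sh apply_supee.sh MAGENTO_ROOT PATCH_FILE [-R]
if [ $# -ge 2 ]; then
    install_patch "$@"
fi
```

After moving the downloaded patch into the Magento root, run it as sh apply_supee.sh /path/to/magento PATCH_SUPEE-XXXXX.sh (the file name is a placeholder for the real patch name) and add -R as a third argument to revert the same patch. The backup is a plain tar of the code directories only; the database is not touched by SUPEE patches, but back it up separately if you also upgrade.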
Method 2: Run a Script

    1. To apply the patch, move the patch file to your Magento directory.
    2. Disable the compiler if the store is already compiled.
    3. Create a file named “patch.php” with the following script:

    4. Upload the patch.php file to the Magento root folder.
    5. Run the script from the browser. You will get the success message.
    6. Delete the “patch.php” file from the Magento server once the patch is installed successfully.
    7. If you get the following error message, ask your hosting provider to install the missing tools or try another method for Magento patch installation:
       “Error! Some required system tools, that are utilized in this sh script, are not installed; Tool (s) “patch” is (are) missed, please install it(them).”
Method 3: Without SSH

    1. Simply extract the pre-patched files below and upload them to your Magento root folder. You can also download these pre-patched files from GitHub.
Magento SUPEE Patch | Release Date | Version Affected | Issues Addressed
Magento SUPEE 11155 | June 25, 2019 | 1.5.0.0-1.9.4.1 | Includes security enhancements to provide security against cross-site scripting, arbitrary code execution, and sensitive data disclosure vulnerabilities, as well as other security issues.
Magento SUPEE 11086 | March 26, 2019 | 1.5.0.0-1.9.4.0 | Contains multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Magento SUPEE 10975 | November 28, 2018 | 1.5.0.0-1.9.3.10 | Contains functional fixes and multiple security enhancements to provide security against remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities. This release also provides support for PHP 7.2.
Magento SUPEE 10888 | September 19, 2018 | 1.5.0.0-1.9.3.9 | Contains multiple security enhancements to provide security against cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.
Magento SUPEE 10752 | June 27, 2018 | 1.5.0.0-1.9.3.8 | Multiple security enhancements that help close authenticated Admin user remote code execution (RCE), cross-site request forgery (CSRF) and other vulnerabilities.
Magento SUPEE 10570 v2 | Mar 28, 2018 | 1.5.0.1-1.9.3.7 | Released to solve the issue of incomplete checkout while customers try to register during checkout.
Magento SUPEE 10415 | Nov 28, 2017 | 1.5.0.1-1.9.3.6 | Remote code execution, cross-site scripting, and cross-site request forgery issues.
Magento SUPEE 10266 | Sep 14, 2017 | 1.5.0.1-1.9.3.4 | Unauthorized data leak and authenticated Admin user remote code execution vulnerabilities.
Magento SUPEE 9767 V2 | May 30, 2017 | 1.5.0.1-1.9.3.3 | Remote code execution, information leaks, cross-site scripting, etc.
Magento SUPEE 9652 | Feb 7, 2017 | 1.5.0.1-1.9.3.1 | Attacks abusing a Zend library vulnerability.
Magento SUPEE 8788 V2 | Oct 11, 2016 | 1.5.0.1-1.9.2.4 | Remote code execution, information leaks, cross-site scripting, Zend framework and payment vulnerabilities.
Magento SUPEE 7405 | Feb 23, 2016 | 1.4.0.0-1.9.2.3 | Upload file permissions, merging carts, and SOAP APIs.
Magento SUPEE 6788 | Oct 27, 2015 | 1.4.0.0-1.9.2.1 | Remote code execution, information leaks, and cross-site scripting.
Magento SUPEE 6482 | Aug 4, 2015 | 1.4.0.0-1.9.2.0 | SSRF vulnerability in WSDL file, autoloaded file inclusion in Magento SOAP API, cross-site scripting.
Magento SUPEE 6285 | Feb 27, 2018 | 1.4.0.0-1.9.1.1 | Information leaks, request forgeries, and cross-site scripting.
Magento SUPEE 5994 | July 07, 2015 | 1.4.1.0-1.9.1.1 | Admin path disclosure, customer address leak through checkout, customer information leak through recurring profile, etc.
Magento SUPEE 5344 | February 09, 2015 | 1.4.0.0-1.9.1.0 | Remote code execution vulnerability known as the “shoplift bug” that allows hackers to obtain Admin access to a store.
Magento SUPEE 1533 | October 03, 2014 | 1.4.0.0-1.9.0.1 | Execution of arbitrary code on the Magento server, change of the permissions of existing files to world-writable.

 

After installing the patches using one of the above methods, flush the Magento cache from Cache Management in the backend. Also flush the OPcode (OPcache) or APC cache.

It is always good to test your work before marking it complete! Do check whether the patches are installed properly from here.
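The post-installation steps in the two paragraphs above, as an added example that is not part of the original post and not Magento's own tooling: a shell function that does for the file backend what “Flush Magento Cache” in Cache Management does, and a checklist that verifies the patch is recorded, that the patch.php helper from the “Run a Script” method has been deleted, and that the cache is empty. The Magento 1 paths (app/etc/applied.patches.list as the log the .sh installer appends to, var/cache for the file cache, patch.php in the web root) are my assumptions about the layout.

```shell
#!/bin/sh
# post_patch_check.sh: confirm the store is in the state the guide asks for
# after a SUPEE patch. Added example, not the article's or Magento's code.
# Assumed Magento 1.x layout: app/etc/applied.patches.list is the log the .sh
# installer appends to, var/cache holds the file-backed Magento cache, and the
# "Run a Script" method leaves patch.php in the web root.
set -u

# Check 1: the patch name (e.g. SUPEE-11155) appears in applied.patches.list.
# Only the .sh installer writes this log; a raw .patch applied with patch(1)
# leaves no record, so skip this check for that method.
patch_recorded() {
    list="$1/app/etc/applied.patches.list"
    [ -f "$list" ] && grep -q "$2" "$list"
}

# Check 2: the browser-run helper must not stay in the web root, because it
# executes shell commands for anyone who can request it.
no_leftover_script() {
    [ ! -e "$1/patch.php" ]
}

# Check 3: the file cache is empty (or absent).
cache_flushed() {
    [ ! -d "$1/var/cache" ] || [ -z "$(ls -A "$1/var/cache")" ]
}

# What "Flush Magento Cache" in Cache Management does for the file backend.
# The directory itself is kept so its ownership (web server user) survives.
# OPcache/APC live inside the web server's PHP process; clearing them needs a
# PHP-FPM or Apache reload, which this function deliberately does not attempt.
flush_file_cache() {
    [ -d "$1/var/cache" ] || return 0
    find "$1/var/cache" -mindepth 1 -delete
}

# Run every check, print PASS/FAIL lines, return the number of failures.
post_install_check() {
    failures=0
    if patch_recorded "$1" "$2"; then echo "PASS: $2 recorded in app/etc/applied.patches.list"
    else echo "FAIL: $2 not found in app/etc/applied.patches.list"; failures=$((failures + 1)); fi
    if no_leftover_script "$1"; then echo "PASS: no patch.php in web root"
    else echo "FAIL: patch.php is still in the web root; delete it"; failures=$((failures + 1)); fi
    if cache_flushed "$1"; then echo "PASS: var/cache is empty"
    else echo "FAIL: var/cache still holds entries; flush the cache"; failures=$((failures + 1)); fi
    return $failures
}

# Run as a script: sh post_patch_check.sh MAGENTO_ROOT SUPEE-XXXXX
if [ $# -ge 2 ]; then
    post_install_check "$@"
fi
```

Run it as sh post_patch_check.sh /path/to/magento SUPEE-XXXXX (the patch name is a placeholder); a non-zero exit status is the count of failed checks, which makes it easy to wire into a deployment pipeline.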

Reverting an Installed Patch

Sometimes it’s necessary to revert an installed patch. You can use the same patch file that you used to install the patch for reverting it; simply run it with the -R flag.

Follow the above steps to secure your Magento store. However, installing a Magento patch requires keen knowledge, expertise, and experience. If you are a newbie to patch installation, or if you want to escape this tiring task, you can always check our Magento Security Patches Installation Service to get professional help 🙂

Have a secured Magento store!



Sanjay is a co-founder at Meetanshi. He is a certified Magento developer who loves creating Magento E-commerce solutions. When he is not engrossed with anything related to Magento, he loves to play cricket.
