Merchants using Magento Commerce 2.3.1 or 2.3.2, or potentially moving to either one of these versions should know, Magento has identified a security vulnerability; however, Magento is quick to address security issues including Remote Code Execution (RCE), SQL injection, Arbitrary File Deletion, etc. and rapidly provides security fixes for all currently supported versions (Magento Commerce and Open Source 2.3.3, 2.3.2-p1 and 2.2.10). Magento released an update for Magento 2.3.3 on October 8, 2019, addressing one of the most severe security issues, remote code execution through a crafted Page Builder template – CVE-2019-8144. Apart from this with the highest CVVSSv3 severity rating, additional issues were addressed, read the full list below:
Issue Type: Remote Code Execution (RCE)
CVSSv3 Severity | Security Bug | Description |
9.1 | Remote code execution through file upload in Admin import feature. | An authenticated user with administrative privileges to import features can execute arbitrary code through a crafted configuration to achieve file upload. |
9.1: | Remote code execution in email templates. | An authenticated user can leverage the email template hierarchy to manipulate the interceptor class in a way that allows a malicious user to execute arbitrary code. |
9.1 | Remote code execution through local file delete and XSLT injection. | An authenticated administrator with import product privileges can delete files through bulk product import and inject code into an XSLT file. The combination of these manipulations can lead to remote code execution. |
9.1 | Remote code execution through custom layout update in the create product functionality. | A remote code execution vulnerability exists in Magento 2.1 prior to 2.1.19, Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3. An authenticated user with privileges to create products can craft custom layout update and use import product functionality to enable remote code execution. |
Issue Type: SQL injection
CVSSv3 Severity | Security Bug | Description |
9.1 | Injection vulnerability through email templates. | An authenticated user with access to email templates can send malicious SQL queries and obtain access to sensitive information stored in the database. |
9.1: | SQL injection through a marketing account with access to email templates variables. | A user with marketing privileges can execute arbitrary SQL queries in the database when accessing email template variables. |
8.8 | SQL injection vulnerability when accessing group data in email templates. | A user with store manipulation privileges can execute arbitrary SQL queries by accessing the database connection through group instance in email templates. |
8.5 | SQL injection in ‘Catalog Products List’ widget leading to privilege escalation. | An authenticated user with privileges to an account with permission to edit newsletter templates can exfiltrate the Admin login data and reset their password, effectively performing a privilege escalation. |
There were many critical issues addressed, including Arbitrary File Deletion, XML External Entity Injection (XXE), Server-side Request Forgery, Disclosure of Critically Sensitive Data, etc.. You can learn more details directly from Magento, here. Keep in mind, when crucial security updates are ignored you are placing your Magento store and customers at risk. Listed below, you will learn what measures need to be taken to insulate yourself from the risks these threats pose:
- Apply relevant security patches and keep your version of Magento Commerce current:
- For Magento 2.3.1 — Install the MDVA-22979_EE_2.3.1_v1 patch now and then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible
- For Magento 2.3.2 — Install the MDVA-22979_EE_2.3.2_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible
- Instructions to Install the patch:
- For Magento Cloud customers: Ensure you are on, or have upgraded to, the latest version of ece-tools (2002.0.22 or higher). In either case, redeploy your entire instance and the patch will be installed automatically.
- For On-premise Stores: Have your Developer install the necessary patched for your current version of Magento.
- Check your website and server for any signs of compromise, especially the processes that are running in memory.
- Audit all administrative and third-party user accounts (including your application accounts at support.magento.com and accounts.magento.com). In particular, carefully review any administrative logins from unknown IP’s or newly created administrative accounts that are unrecognized.
- Reset all administrative user account passwords and rotate all SSH access keys.
- Remove any unknown or unused accounts you identify.
- Contact your system administrator and request they run Magento’s security scan to uncover and identify any site vulnerabilities. To learn more about Magento Security scan, visit Magento.com
- Magento advises reviewing existing protocols to determine whether additional steps may be necessary to protect your Magento deployment from potential risks.
Failing to follow security best practices, as defined above may place your Magneto store at risk for customer data breach and subsequent credit card fraud. If you need professional assistance to secure your Magento store consult now with our certified Magento experts.