A recently patched SQL injection flaw affecting the popular open-source e-commerce platform Magento is being actively exploited by attackers, so if you haven’t implemented the provided security update or patch, now is the time to do it.
Magento devs, if you haven't patched already, do it ASAP. We've already seen attempts at two of our shops using the published POC. We're safe because we already patched every shop on Wednesday. https://t.co/5nZjMGBEUu
— Peter Jaap Blaakmeer (@PeterJaap) March 29, 2019
More about Magento PRODSECBUG-2198
The flaw still doesn’t have a CVE number, but is identified as PRODSECBUG-2198 by the Magento security team.
“An unauthenticated user can execute arbitrary code through an SQL injection vulnerability, which causes sensitive data leakage,” the team explained.
The bug affects Magento Open Source prior to 220.127.116.11, Magento Commerce prior to 18.104.22.168, Magento 2.1 prior to 2.1.17, Magento 2.2 prior to 2.2.8, and Magento 2.3 prior to 2.3.1.
Administrators of Magento-based sites are advised to upgrade to Magento Open Source 22.214.171.124 or Magento Commerce 126.96.36.199 (if not, to implement the SUPEE-11086 bundle of patches), Magento 2.2.8, or Magento 2.3.1.
“Cloud customers can upgrade ECE-Tools to version 2002.0.17 to get this vulnerability in core application patched automatically. Infrastructure team added measures to block any currently known ways to exploit the vulnerability by adding additional WAF rules, which are deployed globally,” the team pointed out.
“Even though we have blocked known ways to exploit vulnerability, we strongly recommend to either upgrade ECE-Tools or apply the patch through m2-hotfixes.”
PRODSECBUG-2198 was discovered and reported by Charles Fol, a security engineer at Ambionics, and the security updates and patches were released two weeks ago (on March 26).
The exploitation attempts have apparently been fueled by the publication of a PoC exploit and additional vulnerability information a few days after the patches’ release. But, it’s also possible for aspiring attackers to reverse-engineer the patch to create a working exploit (as did Sucuri, for internal testing and monitoring).
Aside from this flaw, the security updates provided by Magento fixed another 36 issues, some of them critical.