Magento Security Updates Fix Over 30 Bugs Including an Unauthenticated Remote Code Execution Vulnerability (PRODSECBUG-2198)
Magento Commerce and Open Source advisory provides fixes for RCE, XSS, SQLi, and XSRF vulnerabilities.
背景
Magento has released a security advisory for 30+ vulnerabilities, including an unauthenticated Remote Code Execution (RCE) vulnerability which Magento is highly recommending users patch as soon as possible. Magento is an e-commerce management tool widely used by many online platforms. With the frequency of Magecart attacks, proper e-commerce security is critical for any modern business.
分析
In the advisory, “PRODSECBUG-2198” is a high severity unauthenticated SQL injection vulnerability that could allow an attacker to run code on a target Magento instance, and the advisory lists that this could lead to sensitive data leakage. Data leakage for e-commerce platforms involve personal and financial information, and Sucuri reports that this attack is “Very Easy” to execute. As of March 28, there were no specific details or publicly available exploits. Magento is recommending customers upgrade to protect their stores.
Update March 29: Ambionics Security has released a technical analysis of the flaw with additional details and a working proof of concept (PoC) that would allow for extraction of admin sessions or password hashes.
解决方案
Magento site owners should update to the patched versions as soon as possible. PRODSECBUG-2198 has been patched in the following Magento releases:
- Magento Open Source 1.9.4.1
- Magento Commerce 1.14.4.1
- Magento Commerce 2.1.17
- Magento Commerce 2.2.8
- Magento Commerce 2.3.1
识别受影响的系统
A list of plugins to identify these vulnerabilities will appear here as they’re released.
获取更多信息
加入 Tenable Community 中的 Tenable 安全响应团队
了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息,全面管理现代攻击面。
Get a free 60-day trial of Tenable.io Vulnerability Management.
相关文章
- Threat Intelligence
- Threat Management
- Vulnerability Management