On March 28th, a set of vulnerabilities for Magento Core were disclosed, one of which can allow an unauthenticated visitor to execute a SQL injection attack. These vulnerabilities are addressed in the most recent Magento security update and affect the following versions:
- 1.9 (fixed in 220.127.116.11)
- 1.14 (fixed in 18.104.22.168)
- 2.1 (fixed in 2.1.17)
- 2.2 (fixed in 2.2.8)
- 2.3 (fixed in 2.3.1)
What Does This Mean?
A SQL injection attack can allow malicious actors to make requests against your website which execute queries on the Magento database. These requests can potentially read or write to the Magento database, allowing unauthorized access or changes such as adding an administrative user or reading hashed passwords, encryption keys and encrypted credit card data.
This particular vulnerability is troubling due to the fact that it requires no authentication and any website visitor can potentially execute a malicious SQL injection request against your web store.
How Is Nexcess Handling This Disclosure?
Soon after receiving notification about this vulnerability, our System Operations team immediately started investigating mitigation strategies.
We found that our existing Web Application Firewall (WAF) rules were successfully mitigating a proof of concept of this vulnerability. However, there was room for improvement and possible conditions under which the vulnerability could still be taken advantage of.
Our System Operations team created an improved set of WAF rules for this vulnerability and successfully deployed them across our managed platform on the morning of March 29th.
To be clear, this mitigation only filters the currently known attack strategies for this vulnerability. It still remains critically important that you patch your Magento installation as soon as possible.
What Should I Be Doing?
While we’ve implemented the mitigation strategy, we would highly recommend still ensuring that you update your Magento installation to the newest version or that you patch (via the patch “PRODSECBUG-2198”, which is available here) your site to ensure that you’re completely protected.
Additionally, we’d recommend that you or your development team review your existing codebase to ensure that no malicious code was injected into your site prior to this vulnerability is disclosed.
As always, if you have any issues with doing so on your own or run into any problems there, please reach out to our Support team directly and we’ll do our best to help.