Magento SQL Injection Vulnerability Update

Magento recently released a number of security patches for both Magento 1 and 2. For Magento 1, the patch is named SUPEE-11086. For Magento 2, they issued a specific patch for just the SQL injection attack named PRODSECBUG-2198.

These patches and upgrades address a number of issues. Most of the issues require some form of admin access either to the admin panel or an API before they can be exploited. However, the SQL injection attack can be exploited remotely by anyone, as it does not require any authentication. This makes it quite dangerous, and it needs to be patched right away.

Proof of Concept (POC)

A security company has already released a proof of concept, along with code, that shows how to exploit this vulnerability on any Magento 2.2.x or 2.3.0 store. The SQL injection does not allow hackers to write into Magento, but it does let them read data, including the encrypted admin passwords. With the encrypted hash, hackers could try to crack the admin password and possibly gain access to a Magento store.

ALL LexiConn servers are currently protected against this specific attack vector for Magento 2 stores. This is a stop-gap measure only, as the SQL injection may be exploitable via other means and different URLs, including through potentially vulnerable third-party modules/extensions. The proper way to address this is to have the patch applied.

Patching

For Magento 1 store owners, applying the full SUPEE-11086 patch can cause some issues, and it requires that every other recent patch is already applied. This can be a challenge and requires thorough testing after the patch is applied.

Another option is to apply just the one-line SQL injection patch, which we at LexiConn can do manually. It is safe to apply and fully fixes the remote attack.

For Magento 2 store owners, applying PRODSECBUG-2198, which is also a one-line fix, is the best thing to do. However, since some merchants use version control, others have developers who maintain their code, etc., we cannot mass-apply the patch.

*** For any hosted client of LexiConn (Magento 1 or 2), let us know you’d like the SQL injection patch applied to your store, and we can apply just that fix. Once it is applied, you can test the site afterwards. We do not anticipate any issues from having just this one-line fix applied to any store.

We highly recommend that all Magento merchants apply the SQL injection fix as soon as possible. It is likely that more attack avenues will open up as hackers start to dig through the code and reverse engineer the patch.

