For customers who are not already on the newest version of Magento Commerce, we are sorry to inform you that the Magento team has identified a security vulnerability you need to be aware of.
In October 2019, Magento released an update, Magento 2.3.3. One of the issues addressed in this release mitigates a critical vulnerability that allows remote code execution through a crafted Page Builder template (CVE-2019-8144).
How to fix
For different versions of Magento Commerce
- For Magento 2.3.1 — Install the MDVA-22979_EE_2.3.1_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
- For Magento 2.3.2 — Install the MDVA-22979_EE_2.3.2_v1 patch now, then schedule your upgrade to 2.3.3 or 2.3.2-p2 as soon as possible.
Instructions to install the patch:
- For Magento Cloud customers: Ensure you are on, or have upgraded to, the latest version of ece-tools (2002.0.22 or higher). In either case, redeploy your entire instance and the patch will be installed automatically.
- For on-premise customers: Download and install the patch from the My Account/Downloads tab if you are on 2.3.1 or 2.3.2.
After patching, promptly check your pages and server for signs of compromise. Restart the server to terminate any malicious activity that exists only in memory.
It is also important to review all administrative and third-party user accounts (including application accounts at support.magento.com and accounts.magento.com). Pay extra attention to any administrative logins from unknown IPs and to newly created administrative accounts that you do not recognize.
For more safety, you can:
- Reset all administrative user account passwords.
- Rotate all SSH access keys.
- Remove any unknown or unused accounts you identify.
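The account review described above, as an added example that is not part of the original post or of Magento's tooling: it runs over a constructed CSV of admin login records (username, account creation time, login time, source IP) and flags accounts missing from an assumed admin inventory, accounts created after a placeholder cut-off date, and logins from outside the networks admins normally use.

```python
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample of admin login records (not a real Magento export):
# one row per login, with the account's creation time and the source IP.
SAMPLE_LOGINS = """username,created,login_time,ip
store_admin,2018-03-01 09:12:00,2019-10-14 08:05:11,203.0.113.10
devops,2018-06-20 11:00:00,2019-10-13 17:44:02,203.0.113.12
sys_backup,2019-10-11 03:27:45,2019-10-12 02:01:09,198.51.100.77
store_admin,2018-03-01 09:12:00,2019-10-12 02:15:30,198.51.100.77
"""

# Assumed inventory: the admins you know about and the networks they log in from.
KNOWN_ADMINS = {"store_admin", "devops"}
KNOWN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
# Placeholder cut-off: the earliest date from which you treat the instance as exposed.
CUTOFF = datetime(2019, 10, 8)


def review_admin_logins(records, known_admins, known_networks, cutoff):
    """Return (username, reason) findings for rows that deserve a closer look."""
    findings = []
    for row in csv.DictReader(io.StringIO(records)):
        user = row["username"]
        created = datetime.strptime(row["created"], "%Y-%m-%d %H:%M:%S")
        ip = ipaddress.ip_address(row["ip"])
        # Unrecognized account: not present in the admin inventory.
        if user not in known_admins:
            findings.append((user, "account not in known admin list"))
        # Account created inside the exposure window.
        if created >= cutoff:
            findings.append((user, "account created after cutoff"))
        # Login from a source outside the networks admins normally use.
        if not any(ip in net for net in known_networks):
            findings.append((user, f"login from unknown IP {ip}"))
    return findings


if __name__ == "__main__":
    for user, reason in review_admin_logins(SAMPLE_LOGINS, KNOWN_ADMINS, KNOWN_NETWORKS, CUTOFF):
        print(f"{user}: {reason}")
```

Replace the constructed CSV with an export of your own admin accounts and login history, and the inventory and cut-off with your real values.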
Contact Magenest for further support and help fixing the problem!