Hot fix available for CVE-2019-8118

March 24, 2020

OVERVIEW 

In 2019, a bug in Magento 2.3.x and 2.2.x that caused failed login attempts to be logged in a database table was reported to Magento. In response, Magento included a fix for this issue (CVE-2019-8118) in Magento 2.3.3 and 2.2.10 (released October 2019). While that fix stopped the logging of failed attempts, information collected before updating to those versions may still remain in the database. This most recent fix clears the information from any login attempts that were previously logged.

This type of information would be accessible only if a store was compromised by other means. Regardless, we recommend installing this most recent patch as soon as possible. 

CVE-2019-8118 is described and tracked in Common Vulnerabilities and Exposures.

EXPLOIT 

We are not aware of exploitation of the issue addressed in this update. Additionally, this type of information would be accessible only if the store were compromised by other means. Regardless, we recommend installing this most recent patch as soon as possible.

ACTION 

Magento advises customers of potentially affected deployments to take immediate action by updating their Magento installations with the latest patch. For complete details and instructions, see Remove failed login attempts from the database.

HOW DO I KNOW IF I’M AFFECTED? 

This issue affects Magento Open Source and Magento Commerce (on-premise and Cloud) for 2.3.x, 2.2.x, and earlier versions. Merchants running Magento 1.x deployments are not affected. 

REFERENCES 

As most exploits tend to target installations that are not up to date with the latest security updates, we always recommend that Magento merchants install security updates as soon as they become available.  

In addition to continually updating the software to include the latest security enhancements, Magento offers a free scanning tool to all Magento merchants to help them identify missing updates, potential vulnerabilities, and other critical issues that might undermine the security of their Magento storefront.  

Merchants are also encouraged to adhere to the guidance provided in Magento Commerce Security Best Practices. This online resource provides recommendations to merchants and encourages them to work with their own security team to help determine the best security strategy to fit their needs and their business.  

If you have additional questions, please reach out to customer support. See Submit a support ticket.