Magento Security Patch SUPEE-11155

On June 24th, 2019 Magento released updates for the M1 and M2 versions of both the Open Source and Commerce editions. For each offering Magento provides either a version upgrade or, as a bare minimum, a security patch. The release includes fixes for multiple confirmed critical security issues as well as functional fixes.

The new security patch, Magento SUPEE-11155, and the new versions Magento Commerce 1.14.4.2 and Open Source 1.9.4.2 come with multiple security enhancements that close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

  • RCE stands for ‘Remote Code Execution’: a vulnerability that allows an attacker to access your Magento store and make changes to it from anywhere, regardless of where the attacker is located.
  • XSS stands for ‘Cross-site scripting’: attackers place malicious scripts on otherwise secure and trusted websites so that the scripts run in the browsers of your website’s visitors.
  • Lastly, the patch helps close CSRF attacks, which stands for ‘Cross-site request forgery’. These attacks trick the user’s browser into performing actions set up by the attacker, such as transferring funds or changing an email address.

These are very serious vulnerabilities and should be patched immediately. More information on all the changes in 1.14.4.2 and 1.9.4.2 releases is available in the Magento Commerce and Magento Open Source release notes.

Patches and upgrades are available for the following Magento versions:
– Magento Commerce 1.9.0.0-1.14.4.1: SUPEE-11155 or upgrade to Magento Commerce 1.14.4.2.
– Magento Open Source 1.5.0.0-1.9.4.1: SUPEE-11155 or upgrade to Magento Open Source 1.9.4.2.

Install Magento SUPEE-11155 using SSH:

You need SSH access to perform this method. Contact your hosting provider if you don’t know how to set up SSH.

Download Magento SUPEE-11155 Patch files for your Magento Version from here.

Upload the patch into your Magento root directory and run the appropriate SSH command:

For .sh file extension:
sh patch_file_name.sh
Example:
sh PATCH_SUPEE-11155_CE_1.9.2.4_v3-2019-06-18-08-15-14.sh
For .patch file extension:
patch -p0 < patch_file_name.patch
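The patch file name encodes the edition and exact Magento version it was built for, and the post lists the version ranges SUPEE-11155 covers. The following pre-flight check, an added example rather than code from the post or from Magento, parses a patch file name like the one above and refuses to suggest a command when the file does not match the store’s edition and version or the store is outside the supported range. The file name pattern and the edition labels CE/EE are assumptions based on the example name in the post.

```python
import re

# Supported ranges as stated in the post: Open Source (CE) 1.5.0.0-1.9.4.1,
# Commerce (EE) 1.9.0.0-1.14.4.1. Versions compare as integer tuples.
SUPPORTED = {
    "CE": ((1, 5, 0, 0), (1, 9, 4, 1)),
    "EE": ((1, 9, 0, 0), (1, 14, 4, 1)),
}

# Assumed name pattern, derived from the example file name in the post:
# PATCH_SUPEE-11155_CE_1.9.2.4_v3-2019-06-18-08-15-14.sh
NAME_RE = re.compile(
    r"^PATCH_(?P<patch>SUPEE-\d+)_(?P<edition>CE|EE)_(?P<version>\d+(?:\.\d+){3})"
    r"_v(?P<rev>\d+)-(?P<date>\d{4}-\d{2}-\d{2}(?:-\d{2}){3})\.(?P<ext>sh|patch)$"
)


def parse_version(text):
    """'1.14.4.1' -> (1, 14, 4, 1) so that 1.14 sorts after 1.9."""
    return tuple(int(part) for part in text.split("."))


def parse_patch_filename(name):
    """Split a SUPEE patch file name into its fields; raise on unknown names."""
    match = NAME_RE.match(name)
    if not match:
        raise ValueError(f"unrecognised patch file name: {name}")
    info = match.groupdict()
    info["version_tuple"] = parse_version(info["version"])
    return info


def check_applicability(name, installed_edition, installed_version, expected="SUPEE-11155"):
    """Return (ok, message): ok is True only when the file matches this store.

    On success the message is the SSH command from the post for that file type.
    """
    info = parse_patch_filename(name)
    if info["patch"] != expected:
        return False, f"file is {info['patch']}, not {expected}"
    if info["edition"] != installed_edition:
        return False, f"patch is for {info['edition']}, store is {installed_edition}"
    low, high = SUPPORTED[installed_edition]
    installed = parse_version(installed_version)
    if not low <= installed <= high:
        return False, f"{installed_version} is outside the patched range; upgrade instead"
    if info["version_tuple"] != installed:
        return False, f"patch built for {info['version']}, store runs {installed_version}"
    command = f"sh {name}" if info["ext"] == "sh" else f"patch -p0 < {name}"
    return True, command
```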

Note: Once the patch has been installed or reverted, refresh the cache in the Admin under “System > Cache Management” so that the changes take effect. We strongly recommend that you test all patches in a test environment before taking them live.

Ideally you should have your developer apply the patches. Alternatively, get in touch with us and we will apply them for you. (Note: we will back up your site before applying the patches and ask you to check and confirm that all is well. If it is not, the best we can do is to roll back the patches and then fix the issue.)