This article has been updated on April 13 2020 with a new script called DB_CLEANUP_SCRIPT_v2. Please use the DB_CLEANUP_SCRIPT_v2 script to clear pre-existing failed login data in additional tables. You need to use DB_CLEANUP_SCRIPT_v2, even if you have run DB_CLEANUP_SCRIPT_v1 previously to help ensure additional tables are cleaned up.
This article explains how to remove pre-existing failed login credentials from the Magento Commerce and Magento Commerce Cloud database.
For versions 2.2.10+ and 2.3.3+ you only need to run the script.
For older versions 2.3.0-2.3.2-p2 you need to apply a patch to stop logging and run the script to remove pre-existing failed login credentials.
Affected products and versions
- This issue affects Magento Open Source and Magento Commerce (on-premise and Cloud) for 2.2.x, 2.3.x and earlier versions.
- Magento 1.x deployments are not affected.
Issue
In 2019 a bug was reported to Magento that allowed failed login attempts to be logged in a database in Magento 2.3.x and 2.2.x. In response, Magento included a fix for this issue in Magento 2.3.3 and 2.2.10 (released October 2019). While the fix for that bug stopped the logging of failed login attempts, information collected prior to updating to these current versions may still exist. This most recent fix clears the login attempts information that was previously logged, if any.
CVE-2019-8118 is described and tracked in Common Vulnerabilities and Exposures.
Solution
Whether you need to use the script and the patch, or just the script, depends on your version of Magento:
Magento Commerce and Magento Open Source versions 2.3.0-2.3.2-p2
For these versions you must apply the patch and run the database clean-up script to end continued logging and eliminate logs.
- Run the composer patch to stop logging. This patch is attached to the article. To download it, scroll down to the end of the article and click the file name, or click the following link CLEANUP_PATCH_COMPOSER_2.3.2.patch. For instructions on how to apply the patch, see How to apply a composer patch provided by Magento.
- Now run the script to clean the database of the pre-existing failed login attempts. This script is attached to the article. To download it, scroll down to the end of the article and click the file name, or click the following link DB_CLEANUP_SCRIPT_v2.php.
Please refer to the How to run the script section for instructions.
Magento Commerce and Magento Open Source versions 2.3.3 and above/2.2.10 & above
For these versions only run the below script to clear old logs (logging was ended previously for these versions through a fix released in Oct 2019). This script is attached to the article. To download it, scroll down to the end of the article and click the file name, or click the following link DB_CLEANUP_SCRIPT_v2.php.
Please refer to the How to run the script section for instructions.
How to run the script
Please follow the below instructions to run the script:
- Put
DB_CLEANUP_SCRIPT_v2.phpin the root directory of the Magento installation (in the same directory as app which containsapp/bootstrap.php). - Run this command in the terminal:
php DB_CLEANUP_SCRIPT_v2.phpand it will begin the database clean up process.
If you encounter any issues while running the script please submit a support ticket or email us at security@magento.com.
Attached files