SUPEE 11219 not installed, yet daily security scan...

aaron18 · ‎10-10-2019

PATCHES
SUPEE-11219
Oct 8, 2019
SUPEE-11219, Magento Commerce 1.14.4.3 and Open Source 1.9.4.3 contain multiple security enhancements that help close remote code execution (RCE), cross-site scripting (XSS), cross-site request forgery (CSRF) and other vulnerabilities.

aaron18 · ‎10-10-2019

I realize this patch is very new. But how long should we expect a SUPEE to be out, and not installed, before it triggers an alert on the scan? Can the the scan be trusted? I have seen this before with lack of installed SUPEEs not triggering any sort of alert.

Manish Mittal · ‎10-10-2019

Hello @aaron18

Depends which scanner you are using for audit. So based on that you can decide scan is trustable or not. Use good scanner i.e here you can find Magento official tool:

https://magento.com/security

Manish Mittal
https://www.manishmittal.com/

aaron18 · ‎10-10-2019

Sorry, wasn't clear. I am talking about the Magento tool (https://magento.com/security). Seems like oftentimes obvious missing patches don't trigger and failed scan or alert. Here is what mine said this morning...

Magento Security Scan:

No New Issues Detected

We have finished a Magento Security Scan of your site:

...

and we have not noticed any new threats or security issues. Congratulations!

Note: While we strive to perform as comprehensive a scan as possible, we cannot identify all issues. Please note that issues that existed prior to the initial scan, and atypical attacks, might escape our scan. Always update your Magento installation and server, as well as follow Magento Security Best Practices.

Thanks,

The Magento Security Team

You are receiving this email because you signed up for the Magento Security Scan service. Unsubscribe.
If you've received it in error, please contact us at securityscan@magento.com

Mukesh Tiwari · ‎10-10-2019

Hi @aaron18

I think it may take some time for the Mageno security scanner to include feature to test latest patches.
@msavich may be able to answer your question.

---
Problem Solved Click Accept as Solution!:Magento Community India Forum

aaron18 · ‎10-10-2019

I wonder if there is anyone from Magento that can tell us how long it takes, so we know when it can be trusted. I ran into this with Magereport. It's best effort and sometimes they just don't always test for critical updates. I stopped using it because I couldn't trust it. Same with Magento Security Scan?

msavich · ‎10-10-2019

We are working on it.

The new checks are planned to publicly appear next Thursday.

aaron18 · ‎10-14-2019

Still not showing up in the scan. Our site still says "No New Issues Detected". Looks like the Magento Security Scan cannot be trusted.

aaron18 · ‎10-15-2019

Sorry didn't see your response from last Thursday. Looks like scanner should catch up this week. Thanks.

aaron18 · ‎10-17-2019

Looks like the work isn't finished yet? Still missing any notification that 11219 is not present.

SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"

Re: SUPEE 11219 not installed, yet daily security scan says "No New Issues Detected"