Nginx PHP Remote Code Execution CVE-2019-11043 security flaw

eva2000 · Oct 26, 2019

Folks using Nginx + PHP-FPM should upgrade their PHP versions ASAP for a reported PHP Remote Code Execution CVE-2019-11043 security flaw announced and outlined on PHP's bug tracker at https://bugs.php.net/bug.php?id=78599 . Fixed PHP versions are 7.3.11, 7.2.24 and 7.1.33. Folks on PHP 7.0.33 or 5.6.40 are vulnerable but they're EOL versions no longer supported. Unfortunately, not all linux distributions have released the updated PHP versions or patched their versions as yet so keep checking for updates.

For Centmin Mod LEMP 123.09beta01 and higher users, I have already outlined how you can update your PHP versions and I have also backported the security fixes to PHP 7.0.33 and 5.6.40 EOL versions too https://community.centminmod.com/th...y-updates-backported-php-7-0-33-5-6-40.18531/.

Upgrade ASAP !

\o/ · Oct 28, 2019

eva2000 said:
Folks using Nginx + PHP-FPM should upgrade their PHP versions ASAP

It might be relevant to note that the problem is not directly related to nginx, so the update is recommended to anyone running any web server with PHP-FPM.

eva2000 · Oct 28, 2019

reason why it's nginx related is due to how nginx may use the fastcgi_split_path nginx directive and how php-fpm inteprets it https://threatpost.com/php-bug-rce-nginx-servers/149593/

“In particular, [the bug can be exploited] in a fastcgi_split_path directive and a regexp trick with newlines,” according to Wallarm security researcher Andrew Danau, who found the bug. “Because of %0a character, NGINX will set an empty value to this variable, and fastcgi+PHP will not expect this….[as a result], it’s possible to put [in] arbitrary FastCGI variables, like PHP_VALUE.”

Another security researcher participating in the CTF exercise, Emil Lerner, offered more details in the PHP bug tracker: “The regexp in `fastcgi_split_path_info` directive can be broken using the newline character (in encoded form, %0a). Broken regexp leads to empty PATH_INFO, which triggers the bug,” he said.

bevans49 · Oct 29, 2019

Thanks, updated to 7.2.24 this morning.

pierce · Oct 31, 2019

When doing an update on multiple servers would it be considered to do something like:

cmupdate --yum-update=yes --nginx-update=1.15.5 --php-update=7.3.11

And ask the questions up front?

Asking for a friend...

\o/ · Oct 31, 2019

What does cmupdate do?

eva2000 · Nov 1, 2019

pierce said:
When doing an update on multiple servers would it be considered to do something like:

cmupdate --yum-update=yes --nginx-update=1.15.5 --php-update=7.3.11

And ask the questions up front?

Asking for a friend...

cmupdate is Centmin Mod 123.09beta01's way of updating Centmin Mod code via git https://community.centminmod.com/threads/add-usr-bin-cmupdate-command-in-123-09beta01.13327/. But there no such command flags. It's just

Code:

cmupdate

for nginx and php-fpm updates it's centmin.sh menu option 4 and 5 respectively, example of php-fpm update is linked in above thread too and outlined at https://community.centminmod.com/th...y-updates-backported-php-7-0-33-5-6-40.18531/

pierce · Nov 1, 2019

eva2000 said:
cmupdate is Centmin Mod 123.09beta01's way of updating Centmin Mod code via git https://community.centminmod.com/threads/add-usr-bin-cmupdate-command-in-123-09beta01.13327/. But there no such command flags. It's just

Code:

cmupdate

for nginx and php-fpm updates it's centmin.sh menu option 4 and 5 respectively, example of php-fpm update is linked in above thread too and outlined at https://community.centminmod.com/th...y-updates-backported-php-7-0-33-5-6-40.18531/

I totally appreciate that but waiting 10-15 minutes for each to process being somewhat chained to the computer waiting for them to update is dull.

It would be nice to do multiple updates all at once rather than 1 update at a time

\o/ · Nov 1, 2019

I understand. Never used Centmin Mod - I prefer to know what's happening with my configuration...

pierce · Nov 1, 2019

\o/ said:
I understand. Never used Centmin Mod - I prefer to know what's happening with my configuration...

I just want to get on with it. I've spent years dealing with configs and tweaking etc.

New server, 15 minutes later a fully functional lnmp? Priceless

\o/ · Nov 1, 2019

Depends on your software stack and requirements, I guess... I can't stand CentOS.

eva2000 · Nov 1, 2019

pierce said:
I totally appreciate that but waiting 10-15 minutes for each to process being somewhat chained to the computer waiting for them to update is dull.

It would be nice to do multiple updates all at once rather than 1 update at a time

yeah true. Though you don't get performance that Centmin Mod Nginx and PHP-FPM can bring which can be between 25-40% more than distro provided Nginx and PHP-FPM binaries.

compile time depends on speed of your server, faster cpu / higher cpu clocks and more cpu threads = faster compile time. Usually my nginx and php-fpm updates only take 90-120 seconds or 1.5 to 2 minutes.

Nginx PHP Remote Code Execution CVE-2019-11043 security flaw

eva2000

Habitué

\o/

an oddity

eva2000

Habitué

bevans49

Aspirant

pierce

Habitué

\o/

an oddity

eva2000

Habitué

pierce

Habitué

\o/

an oddity

pierce

Habitué

\o/

an oddity

eva2000

Habitué