High Threat Security Alert (A19-10-08): Vulnerability in NGINX with PHP Installation


 

Published on: 28 October 2019

  
  

Description:

A vulnerability has been found in the PHP FastCGI Process Manager (PHP-FPM) for NGINX HTTP servers. A remote attacker may send a specially crafted URL to an affected system to exploit the vulnerability.

Please note that PHP version 7.1 will reach its end-of-life on 1.12.2019 and no security updates will be provided after that. In addition, support for older PHP versions (including version 7.0 and 5.x) were ceased. Users should arrange upgrading the PHP to the latest version or migrating to other supported technology.

 

Affected Systems:

The following PHP versions installed on NGINX HTTP servers are affected:

  • PHP 7.1 prior to 7.1.33
  • PHP 7.2 prior to 7.2.24
  • PHP 7.3 prior to 7.3.11

 

Impact:

Successful exploitation could lead to arbitrary code execution on an affected system.

 

Recommendation:

PHP has released new versions to address the issue and they can be downloaded at the following URLs:

  • PHP version 7.1.33
    https://www.php.net/downloads.php#v7.1.33

  • PHP version 7.2.24
    https://www.php.net/downloads.php#v7.2.24

  • PHP version 7.3.11
    https://www.php.net/downloads.php#v7.3.11

Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

https://bugs.php.net/bug.php?id=78599
https://www.php.net/ChangeLog-7.php#7.1.33
https://www.php.net/ChangeLog-7.php#7.2.24
https://www.php.net/ChangeLog-7.php#7.3.11
https://www.php.net/supported-versions.php
https://nextcloud.com/blog/urgent-security-issue-in-nginx-php-fpm/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043

 



Tag: NGINX HTTP Server , PHP
Tags