ImageMagick CVE-2016-3714
There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user-submitted images. The exploit for this vulnerability is being used in the wild.
Hello,

We are handling this report with internal case CPANEL-5973. I'll update this thread with more information as it becomes available.

Thank you.
There are issues with ImageMagick:

There are multiple vulnerabilities in ImageMagick, a package commonly used by web services to process images. One of the vulnerabilities can lead to remote code execution (RCE) if you process user-submitted images. The exploit for this vulnerability is being used in the wild.

A policymap is recommended till a fix is available:

What is the recommendation for cPanel? The policy is placed (CentOS 6) here: /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml

A global policy seems not to be used by default.
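The policymap the comment above refers to, as an added example that is not part of this thread and is not cPanel's own autorepair script: a POSIX shell script that writes a policy.xml denying the coders the ImageTragick advisory recommended blocking (EPHEMERAL, URL, HTTPS, MVG, MSL, plus TEXT, SHOW, WIN and PLT from the later revision of that advice, and the "@*" path pattern that stops indirect file reads), and then greps the file back to confirm each coder is actually denied. The function names, the target path passed as an argument and the temp-file usage are assumptions for illustration; on a cPanel box the path would be the one named above.

```shell
#!/bin/sh
# Added example, not cPanel's mitigate_imagemagick_cve script: generate an
# ImageMagick policy.xml that disables the coders abused via CVE-2016-3714,
# then verify the written file denies every one of them.

# Coders to deny. EPHEMERAL/URL/HTTPS/MVG/MSL are the ones reachable through the
# CVE-2016-3714 delegate/coder handling; TEXT/SHOW/WIN/PLT come from the later
# version of the ImageTragick recommendation.
IMAGETRAGICK_CODERS="EPHEMERAL URL HTTPS MVG MSL TEXT SHOW WIN PLT"

# Write a complete policymap to $1 (path is an assumption; cPanel's is
# /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml per the thread).
write_imagemagick_policy() {
    file="$1"
    {
        printf '<policymap>\n'
        for coder in $IMAGETRAGICK_CODERS; do
            printf '  <policy domain="coder" rights="none" pattern="%s" />\n' "$coder"
        done
        # Also refuse "@file" indirect reads (e.g. "@/etc/passwd" as a filename).
        printf '  <policy domain="path" rights="none" pattern="@*" />\n'
        printf '</policymap>\n'
    } > "$file"
}

# Return 0 if $1 contains a coder-domain entry that grants no rights to coder $2.
policy_denies_coder() {
    file="$1"; coder="$2"
    grep -Eq "<policy[^>]*domain=\"coder\"[^>]*rights=\"none\"[^>]*pattern=\"$coder\"" "$file"
}

# Return 0 only if every coder in IMAGETRAGICK_CODERS is denied in $1;
# report the first missing one on stderr otherwise.
policy_is_complete() {
    file="$1"
    for coder in $IMAGETRAGICK_CODERS; do
        if ! policy_denies_coder "$file" "$coder"; then
            echo "policy $file does not deny coder $coder" >&2
            return 1
        fi
    done
    return 0
}

# Convenience entry point: write the policy to $1 and check it in one step.
# Usage: mitigate_imagemagick_policy /path/to/policy.xml
mitigate_imagemagick_policy() {
    write_imagemagick_policy "$1" && policy_is_complete "$1" \
        && echo "policy written and verified: $1"
}
```

Writing the file is only half the job: ImageMagick reads the policy from its own configured search path, so after installing it run `identify -list policy` (or `convert -list policy`) with the same binary the web application uses and confirm the printed path and coder entries match what you wrote. If the listing shows a different path, as the comment above suspects for cPanel's bundled build, the file you edited is not the one being enforced.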
Edit: Our security team has also created a thread on this topic with additional details at: cPanel Security Team - CVE-2016-3714 ImageMagick

Hello,

A workaround for CVE-2016-3714 is now available in the form of an automatic repair script. You can apply the workaround by running the following command:

/scripts/autorepair mitigate_imagemagick_cve

Or, if you prefer to use Web Host Manager, you can append "/scripts2/autofixer" to your URL after logging in:

https://1.2.3.4:2087/cpsess123456789/scripts2/autofixer

Then, submit the following under "Enter Script Name":

mitigate_imagemagick_cve

In addition, the vulnerability is mitigated with CPANEL-5973:

Fixed case CPANEL-5973: Update cpanel-ImageMagick to 6.9.0-4.cp1154.

Systems using a version 56 build tier can update cPanel to 56.0.13 via the "/scripts/upcp" command or via "WHM >> Upgrade to Latest Version".

Systems using a version 54 build tier can update cPanel to 54.0.23 via the "/scripts/upcp" command or via "WHM >> Upgrade to Latest Version".

CloudLinux users should review the following blog post: ImageMagick Filtering Vulnerability - CVE-2016-3714

New builds are planned for cPanel versions 11.52 and 11.50, but the time frame on those releases is not yet available.

Additional information on CVE-2016-3714 is available at the following URL: ImageMagick Filtering Vulnerability - CVE-2016-3714 - Red Hat Customer Portal

Thank you.