Altered RPMs notice from cPanel servers after CVE patch
I've been patching servers that are vulnerable to CVE-2016-3714, which involves exploiting vulnerable ImageMagick coders to run code. cPanel already patched its inbuilt version. However, since that change, additional vulnerable coders have been discovered. Because of this, I also patched the policy.xml for cPanel:
/usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml
Here is the ones in the cPanel fix:
I am adding these lines:
However, it turns out that cPanel does not like my modification as it changes the files from the state they are upon installation. I could set the RPM to unmanaged, but that would prevent future updates from cPanel for its built in ImageMagick. How can I: - Stop the notification emails for check_cpanel_rpms and ImageMagick - Without disabling the emails for check_cpanel_rpms entirely, just for ImageMagick - Without making the RPM unmanaged, because it then won't receive future updates - Without removing the additional policy rules, because that will reintroduce access to the vulnerable coders I want the policy.xml to receive future updates as well, so that when the cPanel developers add the missing policy rules, it will also update the policy.xml. I have a feeling that some of these goals will conflict with each other due to how cPanel works. Additionally, I gave the assumption that cPanel will add those additional policy rules to the policy.xml; I do not however have anything to base this assumption on, so I would appreciate some insight as to whether this is in the works or not. What are some workable approaches in this situation?
I am adding these lines:
However, it turns out that cPanel does not like my modification as it changes the files from the state they are upon installation. I could set the RPM to unmanaged, but that would prevent future updates from cPanel for its built in ImageMagick. How can I: - Stop the notification emails for check_cpanel_rpms and ImageMagick - Without disabling the emails for check_cpanel_rpms entirely, just for ImageMagick - Without making the RPM unmanaged, because it then won't receive future updates - Without removing the additional policy rules, because that will reintroduce access to the vulnerable coders I want the policy.xml to receive future updates as well, so that when the cPanel developers add the missing policy rules, it will also update the policy.xml. I have a feeling that some of these goals will conflict with each other due to how cPanel works. Additionally, I gave the assumption that cPanel will add those additional policy rules to the policy.xml; I do not however have anything to base this assumption on, so I would appreciate some insight as to whether this is in the works or not. What are some workable approaches in this situation?
-
Here is the ones in the cPanel fix:
*Here are The cPanel forums don't let me edit my messages ("Your content can not be submitted. This is likely because your content is spam-like or contains inappropriate elements. Please change your content or try again later. If you still have problems, please contact an administrator."). This is probably for the same reason that I am prevented from setting a profile picture or changing my username.0 -
Hello, It's not possible to modify a file associated with a RPM provided by cPanel without the RPM check noticing the change. You will need to set this RPM to unamanged: # rpm -qf /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml cpanel-ImageMagick-6.9.0-4.cp1154.x86_64
Or, you could setup a post cPanel update event hook to modify the policy file after each cPanel update, and setup an email filter to discard notifications about that specific RPM. Thank you.0 -
Hello, It's not possible to modify a file associated with a RPM provided by cPanel without the RPM check noticing the change. You will need to set this RPM to unamanged:
# rpm -qf /usr/local/cpanel/3rdparty/etc/ImageMagick-6/policy.xml cpanel-ImageMagick-6.9.0-4.cp1154.x86_64
Or, you could setup a post cPanel update event hook to modify the policy file after each cPanel update, and setup an email filter to discard notifications about that specific RPM. Thank you.
Thanks, I will just let cPanel's RPM management sort it out.0
Please sign in to leave a comment.
Comments
3 comments