OptionsBleed CVE-2017-9798
Greetings,
There was a pretty severe CVE released yesterday that pertains to the Apache httpd project. cPanel is preparing to release updates today to address this CVE in both EasyApache 3 (Apache 2.2 and 2.4) and EasyApache 4 (Apache 2.4).
Note, there will be some mild side effects from securing this vulnerability. If a user is attempting to register a new method via their .htaccess file, this will now fail, and they will receive errors such as:
/home/user/public_html/.htaccess: Could not register method 'abcxyz' for
These methods should instead be loaded inside httpd.conf, via custom user includes for that user.
Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation
I'll update this thread once we've released the updates.
Jacob, Can you give a better example of what you mean by "register a method"? Can you give an example of an .htaccess file that would be problematic? I would like to be able to wrap my head around what could be wrong, and when, and for whom. Without knowing more, it sounds like something that would rarely be a problem because a typical user wouldn't be "registering a new method". But since I really don't know what that means, I can't determine if it would be a rare occurrence or not. Just trying to understand if this is going to be a support nightmare or just a very rare inconvenience for a web host. Thanks, Mike
Hi Mike, So, a legit method call would be something like:
order deny,allow
deny from all
allow from all
order deny,allow
deny from all
These METHODS already exist in the global namespace of Apache (GET, POST, PUT, DELETE). Let's say a user was trying something funky, they might put:
allow from all
Since the method 'abczsdf' does not exist already in the global, Apache will now throw an error because it's no longer allowed to create those methods. I hope this helps!
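An added example (not cPanel's or Apache's code) of the check a host would want to run before pushing the update: a POSIX shell script that scans a .htaccess file for the <Limit>/<LimitExcept> containers through which a .htaccess file ends up registering a method, and reports any method outside the set httpd core registers itself, since those are the ones that will hit the "Could not register method" error. The core method list is my assumption (extend it with anything your own httpd.conf includes register), and the sample .htaccess is constructed for the demo.

```shell
#!/bin/sh
# Methods httpd 2.4 core registers itself (assumed list; add any that your
# own httpd.conf includes register, since those are still allowed after the patch).
KNOWN_METHODS="GET POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND PROPPATCH"
KNOWN_METHODS="$KNOWN_METHODS MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT"
KNOWN_METHODS="$KNOWN_METHODS UNCHECKOUT CHECKIN UPDATE LABEL REPORT MKWORKSPACE"
KNOWN_METHODS="$KNOWN_METHODS MKACTIVITY BASELINE-CONTROL MERGE"

# Print, one per line, each method named in a <Limit ...> or <LimitExcept ...>
# container in file $1 that is not in KNOWN_METHODS. Method names are
# case-sensitive in Apache, so only the directive name is matched loosely.
unknown_limit_methods() {
    grep -io '<limit[^>]*>' "$1" \
      | sed -E 's/^<[Ll][Ii][Mm][Ii][Tt]([Ee][Xx][Cc][Ee][Pp][Tt])?//; s/>$//' \
      | tr -s ' \t' '\n\n' \
      | sed '/^$/d' \
      | sort -u \
      | while read -r method; do
            case " $KNOWN_METHODS " in
                *" $method "*) ;;               # core method: fine
                *) printf '%s\n' "$method" ;;   # will now fail to register
            esac
        done
}

# Constructed sample .htaccess: one container naming core methods (the "legit"
# shape from the thread) and one naming the made-up method 'abczsdf'.
write_sample_htaccess() {
    cat > "$1" <<'EOF'
<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit abczsdf>
allow from all
</Limit>
EOF
}

# Scan the constructed sample; prints "abczsdf", the one method a patched
# httpd will refuse to register from .htaccess.
demo() {
    tmp=$(mktemp)
    write_sample_htaccess "$tmp"
    unknown_limit_methods "$tmp"
    rm -f "$tmp"
}

demo
```

Against real accounts, call unknown_limit_methods on each /home/*/public_html/.htaccess and any file that prints something is one whose owner needs the method moved into a custom include instead.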
Jacob, Thank you -- perfect explanation. I think I'm safe -- and probably most are. I know none of my people would be trying to create methods that didn't already exist. I appreciate your response! Mike
We have released updates to both EA3 and EA4 to patch this CVE. Please update your systems.
Hello, As mentioned in the previous post, patches are now available for both EasyApache 3 and EasyApache 4. For systems using EasyApache 4, you can update Apache by selecting Run System Update in the :
ea-apache2 - 2.4.27-8 - ZC-2877: Patch core for htaccess method registrations
For systems using EasyApache 3, you can update Apache by browsing to "WHM Home >> Software >> EasyApache 3", or by using the /scripts/easyapache command. Documentation: as part of EasyApache 3.34.17: Implemented case EA-6827: Patch Apache 2.2 and 2.4 for httpd optionsbleed
Thank you.
Just updated, but said nothing:
System update process has started.
No packages marked for update
System update process has finished.
My WHM current version: v66.0.23
Hi, Can you run the following? rpm -qa | grep ea-apache24-2.4.
If you're running 'ea-apache24-2.4.27-7.8.1', you have the update. If not, you may need to do a yum clean all ; yum update
rpm -qa | grep ea-apache24-2.4.
ea-apache24-2.4.27-8.8.1.cpanel.x86_64
Hi, You have the update already :)
Hi, You have the update already :)
Sounds good. It is safe now. Thanks for the info! :P