
Question: Apache FilesMatch directive vulnerability in CentOS 7

Rob Taylor

Basic Pleskian
Hi All

This is not strictly Plesk-related, but I imagine it affects any Plesk server running on CentOS, so I am really just looking for someone to confirm my understanding of it.

I am running Plesk 17.5.3 Update #54 on CentOS 7.5.1804, with Apache / HTTPD 2.4.6-80.el7 (latest from repo).

We have recently run some security scanning software against our Plesk servers; one of the issues highlighted was CVE-2017-15715, which relates to a vulnerability with the Apache 'FilesMatch' directive and new lines. Info can be found here:

CVE-2017-15715 - Red Hat Customer Portal

Red Hat (therefore CentOS) say that by default the 'FilesMatch' directive is not enabled, so if my understanding is correct they have not backported the patch released in the upstream version of Apache 2.4.33 to the CentOS repo version.

Plesk (I think, or maybe just the default Apache / PHP installation) uses the 'FilesMatch' directive to set the PHP handler in /etc/httpd/conf.d/php.conf.

So essentially, the current version of Plesk on the current version of CentOS 7 is vulnerable to this, and there is no immediate / practical fix or workaround, but to exploit it you would require access to create / rename files.

Can someone just confirm my understanding is correct and that the only real solution (other than disabling PHP) is to wait for the next version upgrade of Apache?

Thanks
Rob
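The behaviour behind CVE-2017-15715 that the question refers to is that a PCRE-style `$` anchor also matches just before a final newline, so a filename ending in ".php\n" still satisfies a `\.php$` rule. The following is an added illustration written for this page, not code from the original post, from Plesk, or from Apache: it uses Python's `re` module as a stand-in for Apache's PCRE matching (the assumption being that `$` behaves the same way in both by default, and that Python's `\Z` corresponds to PCRE's `\z`), assumes the php.conf rule is of the form `\.php$`, and uses constructed sample filenames. The `suspicious_filenames` helper is a defender-side check that reports files whose names contain newline characters, which is the thing worth looking for on a server that cannot yet receive the upstream fix.

```python
import os
import re

# Constructed sample filenames (not taken from the thread). A trailing "\n"
# is the case CVE-2017-15715 describes: a PCRE-style "$" also matches just
# before a final newline, so "upload.php\n" still satisfies "\.php$".
SAMPLE_NAMES = ["index.php", "upload.php\n", "notes.txt", "image.png\n", "script.php5"]

# Pattern in the style of the php.conf FilesMatch rule (assumption: the rule
# is "\.php$"). Python's re treats "$" like PCRE's default "$": it matches at
# the end of the string or just before a trailing newline. This models the
# affected Apache versions; it is not Apache's own matcher.
LOOSE = re.compile(r"\.php$")
# "\Z" in Python (like "\z" in PCRE) anchors only at the absolute end.
STRICT = re.compile(r"\.php\Z")


def matches(pattern, name):
    """True if the pattern matches the filename."""
    return pattern.search(name) is not None


def newline_sensitive_names(names, loose=LOOSE, strict=STRICT):
    """Return the names the loose pattern accepts but the strict one rejects.

    These are exactly the filenames that only match because of a trailing
    newline, i.e. the ones the FilesMatch rule would wrongly classify.
    """
    return [n for n in names if matches(loose, n) and not matches(strict, n)]


def suspicious_filenames(root):
    """Defender-side check: walk a directory tree and report every file whose
    name contains a newline or carriage return. Such names have no ordinary
    reason to exist under a document root and are worth investigating on a
    server running an unpatched Apache."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if "\n" in f or "\r" in f:
                hits.append(os.path.join(dirpath, f))
    return hits


if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(repr(n), "loose:", matches(LOOSE, n), "strict:", matches(STRICT, n))
    print("matched only because of a trailing newline:",
          newline_sensitive_names(SAMPLE_NAMES))
```

Running the script shows that "upload.php\n" is accepted by the loose pattern and rejected by the strict one, while the other names behave identically under both; `suspicious_filenames("/var/www/vhosts")` (or whatever document root applies) can be run periodically as a simple detection check until the OS vendor ships a patched httpd.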
 
Actually, it is not a Plesk-related issue. The last OSes we shipped Apache with were CentOS/CloudLinux 5, which is no longer supported.
Red Hat Enterprise Linux 5 is still supported, but we do not ship Apache for this OS.
Moreover, we have never shipped Apache 2.4 with Plesk, only Apache 2.2.
So, it is an OS vendor-related issue.