Question: Apache FilesMatch directive vulnerability in CentOS 7...

Rob Taylor

Basic Pleskian
Hi All

This is not strictly Plesk related, but I imagine it affects any Plesk server running on CentOS, so I am really just looking for someone to confirm my understanding of it.

I am running Plesk 17.5.3 Update #54 on CentOS 7.5.1804, with Apache / HTTPD 2.4.6-80.el7 (latest from repo).

We have recently run some security scanning software against our Plesk servers. One of the issues highlighted was CVE-2017-15715, which relates to a vulnerability with the Apache 'FilesMatch' directive and new lines; info can be found here:

CVE-2017-15715 - Red Hat Customer Portal

Red Hat (therefore CentOS) say that by default the 'FilesMatch' directive is not enabled, so if my understanding is correct they have not backported the patch released in the upstream version of Apache 2.4.33 to the CentOS repo version.

Plesk (I think, or maybe just the default Apache / PHP installation) uses the 'FilesMatch' directive to set the PHP handler in /etc/httpd/conf.d/php.conf.

So essentially, the current version of Plesk on the current version of CentOS 7 is vulnerable to this and there is no immediate / practical fix or workaround, but to exploit it you would require access to create / rename files.

Can someone just confirm my understanding is correct and that the only real solution (other than disabling PHP) is to wait for the next version upgrade of Apache?

Thanks
Rob
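
To make the newline behaviour concrete, here is an added Python example (not from the post or from Plesk) that contrasts a FilesMatch-style `\.php$` expression with an end-only anchor, and pairs it with the two things a defender controls on an unpatched host: a filename check for the upload path and an audit of the document root for names carrying control characters. The pattern, the extension allowlist and the sample files are constructed assumptions, not taken from php.conf.

```python
import os
import re

# Constructed stand-in for the FilesMatch expression in php.conf: the handler
# applies to any filename ending in ".php". In PCRE (which httpd uses) and in
# Python's re, a bare '$' also matches just before a single trailing newline.
DOLLAR_PATTERN = r"\.php$"
# Anchored at the absolute end of the string. Python's \Z behaves like PCRE's
# \z, i.e. the end-only semantics the upstream 2.4.33 fix gives FilesMatch.
ENDONLY_PATTERN = r"\.php\Z"

ALLOWED_EXTENSIONS = {".txt", ".jpg", ".png", ".pdf"}  # constructed allowlist


def handler_matches(pattern: str, filename: str) -> bool:
    """Would a FilesMatch-style regex select this filename?"""
    return re.search(pattern, filename) is not None


def has_control_chars(name: str) -> bool:
    """True if the name contains any control character (newline included)."""
    return any(ord(c) < 32 or ord(c) == 127 for c in name)


def is_safe_upload_name(name: str) -> bool:
    """Upload-side check that does not depend on httpd's regex semantics.

    Rejects control characters and path separators outright, then compares
    the extension against an allowlist instead of denylisting ".php".
    """
    if not name or has_control_chars(name) or "/" in name or "\\" in name:
        return False
    _, ext = os.path.splitext(name)
    return ext.lower() in ALLOWED_EXTENSIONS


def find_suspicious_names(root: str) -> list:
    """Audit a document root for filenames carrying control characters."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            if has_control_chars(fn):
                hits.append(os.path.relpath(os.path.join(dirpath, fn), root))
    return sorted(hits)
```

Running the audit periodically over the vhost document roots gives a cheap detection for the precondition the post describes (someone able to create or rename files) while the distribution package remains unpatched.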
 
Actually, it is not a Plesk-related issue. The last OSes we shipped Apache with were CentOS/CloudLinux 5, which are no longer supported.
Red Hat Enterprise Linux 5 is still supported, but we do not ship Apache for this OS.
Moreover, we have never shipped Apache 2.4 with Plesk, only Apache 2.2.
So it is an OS vendor-related issue.
 