Resolved libSPF2 Vulnerability in Plesk Servers

[enduser]

Hi all,

I received notification that my Plesk server uses an affected version of libSPF2 for email, but I can't find it by : rpm -qa|grep -i libspf2

However the test conclusively determine that my Plesk runs the vulnerable version of libSPF2 , I am not sure if Plesk is using similar technology of libspf2 or something else, so I don't know how to fix it.

Can Plesk developer and engineer take a look on it? It is quite dangerous that it can even facilitate a Remote Code Execution attack according to its description.

IMAAL

imaal.byu.edu

CentOS 7.4.1708
Plesk Obsidian Version 18.0.36
postfix-3.5.9-2.centos.7+p18.0.36.0+t210604.1022.x86_64
psa-mail-driver-common-18.0-2.centos.7+p18.0.36.0+t210604.1022.x86_64

Ming

 

[IgorG]

We are going to fix this issue in the upcoming Plesk 18.0.41 version in the scope of PPP-55058.

 

[enduser]

Great, thank you for the fix.

 

[nethubonline]

Hi,

Please kindly note that this libSPF2 Vulnerability will be most likely disclosed publicly on or before 14 Jan 2022, now Plesk still didn't release 18.0.41 yet. I afraid there is insufficient time that all Plesk users need schedule and time to arrange Plesk upgrade, hence please urge your team to release the fix ASAP in order to avoid big disaster.

Ming

 

[enduser]

Hi,

I remember that you replied the fix will be in Plesk 18.0.40, and then I saw you edited your reply to 18.0.41...now it is soon to mid-January that publishing public disclosure on the libSPF2 vulnerabilities according to IMAAL , please release the fix of the libSPF2 vulnerabilities ASAP.

The libSPF2 vulnerabilities are on all Plesk servers in the world, which could lead to a Denial of Service attack (by crashing your email server) or even facilitate a Remote Code Execution attack (where the attacker can gain remote access to read/write files and execute commands on the email server).

We are going to fix this issue in the upcoming Plesk 18.0.41 version in the scope of PPP-55058.

 

[ahoi]

Is there any chance to at least get an ETA? For us, this could be a reason to shut down all mail services of the disclosure happens before there’s a patch.

That would be a catastrophic szenario.

 

[tkalfaoglu]

Btw, don't forget to look for Log4j vulnerability on your systems too

 

[ahoi]

Plesk does not install java-based packages by default afaik.

But sure: It's important to have that nasty thing on the list ;-)

 

[tkalfaoglu]

Plesk does not install java-based packages by default afaik.

But sure: It's important to have that nasty thing on the list ;-)

Sure - but who doesn't install non-plesk stuff on their servers?

 

[ahoi]

Any news here, @IgorG ?

 

[IgorG]

Any news here, @IgorG ?

This information is still valid: #2

 

[enduser]

This information is still valid: #2

Hi IgorG,

Yes, we know this information is still valid, however when?? Time is tight, it is very soon to 15 Jan 2022, after that the vulnerability will be disclosed publicly and all the Plesk server in the world will be all vulnerable.

Secondly, you have to give some times to all Plesk server admin for deployging the update, hence please help to release the fix ASAP.

 

[ahoi]

The update has been released today (?).

 

[Kaspar]

The update has been released today (?).

The 18.0.40 Update 2, which has been released today, does not address the libspf2 issue.

 

[ahoi]

You are right. I misread the release note. It seems like the problem has not been solved. Although I saw an update regarding postfix today, which I can't find in the release notes...?

 

[IgorG]

Hi IgorG,

Yes, we know this information is still valid, however when?? Time is tight, it is very soon to 15 Jan 2022, after that the vulnerability will be disclosed publicly and all the Plesk server in the world will be all vulnerable.

Secondly, you have to give some times to all Plesk server admin for deployging the update, hence please help to release the fix ASAP.

We are going to release hotfix earlier than planned in 18.0.41.
I think it will be 18.0.40.3.

 

[nucknuck]

Any chance that a release will be available before this weekend?

 

[IgorG]

The hotfix is expected on Monday and will be applied automatically. If you are afraid of a vulnerability, then just turn off the spf check for the weekend.

 

[nucknuck]

Thank you for information, have a nice weekend!

 

[IgorG]

Fixed in 18.0.40.3:

Change Log for Plesk Obsidian

Find out about changes, additions and updates to Plesk Obsidian on an iteration to iteration basis.

docs.plesk.com