• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.

Resolved libSPF2 Vulnerability in Plesk Servers

enduser

Basic Pleskian
Hi all,

I received notification that my Plesk server uses an affected version of libSPF2 for email, but I can't find it by : rpm -qa|grep -i libspf2

However the test conclusively determine that my Plesk runs the vulnerable version of libSPF2 , I am not sure if Plesk is using similar technology of libspf2 or something else, so I don't know how to fix it.

Can Plesk developer and engineer take a look on it? It is quite dangerous that it can even facilitate a Remote Code Execution attack according to its description.


CentOS 7.4.1708
Plesk Obsidian Version 18.0.36
postfix-3.5.9-2.centos.7+p18.0.36.0+t210604.1022.x86_64
psa-mail-driver-common-18.0-2.centos.7+p18.0.36.0+t210604.1022.x86_64

Ming
 
We are going to fix this issue in the upcoming Plesk 18.0.41 version in the scope of PPP-55058.
 
Last edited:
  • Sad
Reactions: mow
Hi,

Please kindly note that this libSPF2 Vulnerability will be most likely disclosed publicly on or before 14 Jan 2022, now Plesk still didn't release 18.0.41 yet. I afraid there is insufficient time that all Plesk users need schedule and time to arrange Plesk upgrade, hence please urge your team to release the fix ASAP in order to avoid big disaster.

Ming
 
  • Like
Reactions: mow
Hi,

I remember that you replied the fix will be in Plesk 18.0.40, and then I saw you edited your reply to 18.0.41...now it is soon to mid-January that publishing public disclosure on the libSPF2 vulnerabilities according to IMAAL , please release the fix of the libSPF2 vulnerabilities ASAP.

The libSPF2 vulnerabilities are on all Plesk servers in the world, which could lead to a Denial of Service attack (by crashing your email server) or even facilitate a Remote Code Execution attack (where the attacker can gain remote access to read/write files and execute commands on the email server).

We are going to fix this issue in the upcoming Plesk 18.0.41 version in the scope of PPP-55058.
 
  • Like
Reactions: mow
Is there any chance to at least get an ETA? For us, this could be a reason to shut down all mail services of the disclosure happens before there’s a patch.

That would be a catastrophic szenario.
 
Plesk does not install java-based packages by default afaik.

But sure: It's important to have that nasty thing on the list ;-)
 
This information is still valid: #2

Hi IgorG,

Yes, we know this information is still valid, however when?? Time is tight, it is very soon to 15 Jan 2022, after that the vulnerability will be disclosed publicly and all the Plesk server in the world will be all vulnerable.

Secondly, you have to give some times to all Plesk server admin for deployging the update, hence please help to release the fix ASAP.
 
You are right. I misread the release note. It seems like the problem has not been solved. Although I saw an update regarding postfix today, which I can't find in the release notes...?
 
Hi IgorG,

Yes, we know this information is still valid, however when?? Time is tight, it is very soon to 15 Jan 2022, after that the vulnerability will be disclosed publicly and all the Plesk server in the world will be all vulnerable.

Secondly, you have to give some times to all Plesk server admin for deployging the update, hence please help to release the fix ASAP.
We are going to release hotfix earlier than planned in 18.0.41.
I think it will be 18.0.40.3.
 
The hotfix is expected on Monday and will be applied automatically. If you are afraid of a vulnerability, then just turn off the spf check for the weekend.
 
Back
Top