• We value your experience with Plesk during 2024
    Plesk strives to perform even better in 2025. To help us improve further, please answer a few questions about your experience with Plesk Obsidian 2024.
    Please take this short survey:

    https://pt-research.typeform.com/to/AmZvSXkx
  • The Horde webmail has been deprecated. Its complete removal is scheduled for April 2025. For details and recommended actions, see the Feature and Deprecation Plan.
  • We’re working on enhancing the Monitoring feature in Plesk, and we could really use your expertise! If you’re open to sharing your experiences with server and website monitoring or providing feedback, we’d love to have a one-hour online meeting with you.

Plesk + nginx + CentOS 5 = vulnerable to CVE-2014-0224

HostaHost

Regular Pleskian
Version: 11.5.30 CentOS 5 115140407.17

On CentOS 5 only, nginx is statically compiled by Parallels against a vulnerable version of OpenSSL:

# strings /usr/sbin/nginx | grep configure

configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-ipv6 --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --with-openssl=/home/builder/buildbot/nginx-1.5.0-bcos5/build/nginx/work/openssl-0.9.8y --with-openssl-opt='enable-tlsext zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-shared -fpic'

The OpenSSL team states "OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za." even though there has not yet been a demonstratable exploit if the server side (nginx being a server in this case) is not version 1.0.1 or 1.0.2-beta1. Parallels support and security team have rejected the OpenSSL team's recommendation and do not consider this an issue because no one has produced an exploit yet where the server is using 0.9.8, so they refused to either update nginx or release a dynamically linked version like what they do for the CentOS 6 version.

So... if you'd like to wait for an exploit to occur, you're in good hands with Parallels.

Oh yeah, you're also going to fail PCI scans because of this.
 
Last edited:
Anyone experiencing this can just stop nginx and let apache handle the requests until Parallels fixes it.
 
OpenSSL statement is:

https://www.openssl.org/news/secadv_20140605.txt

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

It means not “exploit is not known”, but “corresponding vulnerability is not found” in 0.9.8.
 
0.9.8 wasn't reported as vulnerable, so no real risk
But in 12.0 newer openssl version is included any way ("as a precaution" :) ) - so that shall help with PCI scan problem
 
https://www.openssl.org/news/secadv_20140605.txt states "OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za."

OpenSSL Team says it should be upgraded even if being used as a server. Plesk Service Team disagrees. That's all there is to this story.

Why is it being statically linked to begin with? The nginx release for CentOS 6 in Plesk is dynamically linked, so when RedHat released a patch, we had the fix immediately, we didn't have to wait weeks or months for Parallels to get around to it.
 
Back
Top