
Plesk + nginx + CentOS 5 = vulnerable to CVE-2014-0224

HostaHost

Regular Pleskian
Version: 11.5.30 CentOS 5 115140407.17

On CentOS 5 only, nginx is statically compiled by Parallels against a vulnerable version of OpenSSL:

# strings /usr/sbin/nginx | grep configure

configure arguments: --prefix=/usr/share --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --lock-path=/var/lock/nginx.lock --pid-path=/var/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --user=nginx --group=nginx --with-ipv6 --with-file-aio --with-http_ssl_module --with-http_realip_module --with-http_sub_module --with-http_dav_module --with-http_gzip_static_module --with-http_stub_status_module --with-openssl=/home/builder/buildbot/nginx-1.5.0-bcos5/build/nginx/work/openssl-0.9.8y --with-openssl-opt='enable-tlsext zlib no-idea no-mdc2 no-rc5 no-ec no-ecdh no-ecdsa no-shared -fpic'

The OpenSSL team states "OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za." even though there has not yet been a demonstrable exploit if the server side (nginx being a server in this case) is not version 1.0.1 or 1.0.2-beta1. Parallels support and security team have rejected the OpenSSL team's recommendation and do not consider this an issue because no one has produced an exploit yet where the server is using 0.9.8, so they refused to either update nginx or release a dynamically linked version like they do for the CentOS 6 version.

So... if you'd like to wait for an exploit to occur, you're in good hands with Parallels.

Oh yeah, you're also going to fail PCI scans because of this.
 
Anyone experiencing this can just stop nginx and let apache handle the requests until Parallels fixes it.
 
OpenSSL statement is:

https://www.openssl.org/news/secadv_20140605.txt

The attack can only be performed between a vulnerable client *and* server. OpenSSL clients are vulnerable in all versions of OpenSSL. Servers are only known to be vulnerable in OpenSSL 1.0.1 and 1.0.2-beta1. Users of OpenSSL servers earlier than 1.0.1 are advised to upgrade as a precaution.

It means not "no exploit is known", but "no corresponding vulnerability has been found" in 0.9.8.
 
0.9.8 wasn't reported as vulnerable, so no real risk
But in 12.0 a newer OpenSSL version is included anyway ("as a precaution" :) ) - so that should help with the PCI scan problem
 
https://www.openssl.org/news/secadv_20140605.txt states "OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za."

OpenSSL Team says it should be upgraded even if being used as a server. Plesk Service Team disagrees. That's all there is to this story.

Why is it being statically linked to begin with? The nginx release for CentOS 6 in Plesk is dynamically linked, so when RedHat released a patch, we had the fix immediately, we didn't have to wait weeks or months for Parallels to get around to it.
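The distinction raised in this thread (dynamically linked nginx on CentOS 6 gets the distro's libssl fix at once; statically linked nginx on CentOS 5 carries whatever OpenSSL was baked in at build time) is easy to check on a box. The script below is an added example, not code from the thread or from Parallels: it reads the "configure arguments:" string out of the binary the same way the first post does, pulls the OpenSSL release name from the --with-openssl= path, and classifies it against the fixed releases named in the 2014-06-05 advisory (0.9.8za, 1.0.0m, 1.0.1h). The sample configure line is constructed from the one quoted above, and all function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): audit how an nginx binary was linked
# against OpenSSL and whether a statically embedded OpenSSL predates the
# CVE-2014-0224 fixes. Fixed releases per the 2014-06-05 OpenSSL advisory:
# 0.9.8za, 1.0.0m, 1.0.1h (1.0.2 betas are not handled here).

# Extract the OpenSSL release name from an nginx "configure arguments:" line.
# Prints e.g. "0.9.8y", or nothing when nginx was not built with --with-openssl=.
openssl_version_from_configure() {
    printf '%s\n' "$1" \
      | sed -n 's/.*--with-openssl=[^ ]*openssl-\([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Minimum fixed release for a given branch (x.y.z prefix); empty if unknown.
fixed_release_for_branch() {
    case "$1" in
        0.9.8) echo 0.9.8za ;;
        1.0.0) echo 1.0.0m ;;
        1.0.1) echo 1.0.1h ;;
        *)     echo "" ;;
    esac
}

# Compare two OpenSSL letter suffixes ("y" vs "za"): a longer suffix is newer
# (z < za), otherwise compare alphabetically. Returns 0 when $1 >= $2.
suffix_ge() {
    [ ${#1} -gt ${#2} ] && return 0
    [ ${#1} -lt ${#2} ] && return 1
    [ "$1" = "$2" ] && return 0
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort | tail -n1)" = "$1" ]
}

# Verdict for a release name: "fixed", "vulnerable" or "unknown-branch".
classify_openssl() {
    ver="$1"
    branch=$(printf '%s' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    suffix=$(printf '%s' "$ver" | sed 's/^[0-9.]*//')
    fixed=$(fixed_release_for_branch "$branch")
    if [ -z "$fixed" ]; then echo unknown-branch; return; fi
    fixed_suffix=$(printf '%s' "$fixed" | sed 's/^[0-9.]*//')
    if suffix_ge "$suffix" "$fixed_suffix"; then echo fixed; else echo vulnerable; fi
}

# Audit a real binary. Dynamic linkage means the distro libssl package is what
# matters (as on CentOS 6); static linkage means the release baked into the
# binary matters (as on CentOS 5).
audit_nginx() {
    bin="${1:-/usr/sbin/nginx}"
    [ -x "$bin" ] || { echo "no such binary: $bin"; return 2; }
    if ldd "$bin" 2>/dev/null | grep -q libssl; then
        echo "dynamic: $bin uses $(ldd "$bin" | awk '/libssl/ {print $3}'); check the distro openssl package"
        return 0
    fi
    cfg=$(strings "$bin" | grep '^configure arguments:')
    ver=$(openssl_version_from_configure "$cfg")
    echo "static: embedded OpenSSL ${ver:-unknown} -> $(classify_openssl "$ver")"
}

# Constructed sample: the configure line quoted in the thread, trimmed to the
# flags that matter for this check.
SAMPLE_CFG='configure arguments: --prefix=/usr/share --with-http_ssl_module --with-openssl=/home/builder/buildbot/nginx-1.5.0-bcos5/build/nginx/work/openssl-0.9.8y --with-openssl-opt=no-shared'

# Usage: audit_nginx /usr/sbin/nginx   (on a live server)
# Offline demonstration on the constructed sample:
v=$(openssl_version_from_configure "$SAMPLE_CFG")
echo "sample build embeds OpenSSL $v -> $(classify_openssl "$v")"
```

The suffix comparison is the part worth getting right: OpenSSL letter releases run a, b, ..., z, za, zb, so a plain string compare would rank 0.9.8y above 0.9.8za. On a real host, run audit_nginx against the installed binary; a "dynamic" verdict means the usual rpm/yum update of the openssl package (plus an nginx restart) is the fix, while a "static: ... vulnerable" verdict means only a rebuilt nginx package helps, which is exactly the CentOS 5 situation the thread describes.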
 