
SOLVED [EA-8307] Update ea-apache24 to 2.4.39 for CVE-2019-0211

Discussion in 'EasyApache' started by Augusto Florentino, Apr 2, 2019.

  1. Augusto Florentino

    Augusto Florentino Registered

    Source: New Apache Web Server Bug Threatens Security of Shared Web Hosts

     
    #1 Augusto Florentino, Apr 2, 2019
    Last edited by a moderator: Apr 2, 2019
    WebJIVE likes this.
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello @Augusto Florentino,

    We're aware of the security report and plan to publish the patched Apache version as part of internal case EA-8307. I'll monitor the case and update this thread as soon as it's published.

    Thanks!

    Update:

    Hello Everyone,

    The updated EA4 packages were just published: EasyApache 4 Apr 3 Release

    1. You can apply the updated packages by running the following command as root:

    Code:
    yum clean all; yum update;
    2. You can verify Apache version 2.4.39 is installed by running the following command as root:

    Code:
    httpd -version
    The output should look like this:
    Code:
    # httpd -version
    Server version: Apache/2.4.39 (cPanel)
    Server built:   Apr  3 2019 14:59:13
    
    For CloudLinux customers
    CloudLinux has published updated packages to their EA4 repo:

    ea-apache24-2.4.39-1.cloudlinux major security update

    Thank you.

    Edit 1: Updated CloudLinux blog link to reflect package availability on their stable EA4 repo.
     
    #2 cPanelMichael, Apr 2, 2019
    Last edited: Apr 4, 2019
  3. WebJIVE

    WebJIVE Well-Known Member

    Yeah, this has to get patched pretty quick.
     
  4. Domenico

    Domenico Well-Known Member

    Is Apache (2.4.38-3.3.1.cpanel) used with current cPanel vulnerable?


    Apache HTTP 2.4.17 to 2.4.38 is vulnerable to a local root exploit when mod_prefork, mod_worker and mod_event are used:

    httpd 2.4 vulnerabilities - The Apache HTTP Server Project

    We are hearing reports of exploit(s) already being produced and strongly recommend that everyone update to Apache HTTP 2.4.39 as soon as possible - especially in shared hosting environments!

    Apache HTTP Server Project

    Apache web server bug grants root access on shared hosting environments | ZDNet
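
Added example (not part of any post in this thread, and not cPanel's own tooling): a POSIX shell check that parses the `httpd -version` banner shown in post #2 and classifies it against the 2.4.17 to 2.4.38 range quoted in post #4. The function names are made up for this example, and it assumes the package reports the upstream version string, as the EA4 build above does.

```shell
#!/bin/sh
# Added example: classify an Apache httpd banner against the version range
# quoted in this thread for CVE-2019-0211 (2.4.17 through 2.4.38).
# Function names are hypothetical; they are not part of cPanel or Apache.

# Extract "2.4.39" from a banner such as
# "Server version: Apache/2.4.39 (cPanel)". Prints nothing if no match.
parse_httpd_version() {
    printf '%s\n' "$1" |
        sed -n 's|^Server version: Apache/\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*|\1|p' |
        head -n 1
}

# Turn MAJOR.MINOR.PATCH into one integer so versions compare numerically
# (a plain string compare would rank 2.4.9 above 2.4.38).
version_key() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( $1 * 1000000 + $2 * 1000 + $3 ))
}

# Echo one of: vulnerable | patched | outside-range | unknown
classify_httpd() {
    ver=$(parse_httpd_version "$1")
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    key=$(version_key "$ver")
    if [ "$key" -ge "$(version_key 2.4.17)" ] && [ "$key" -le "$(version_key 2.4.38)" ]; then
        echo "vulnerable"
    elif [ "$key" -ge "$(version_key 2.4.39)" ]; then
        echo "patched"
    else
        echo "outside-range"   # older than the range quoted in the thread
    fi
}

# When httpd is installed, report on the local server.
if command -v httpd >/dev/null 2>&1; then
    echo "local httpd: $(classify_httpd "$(httpd -v 2>/dev/null)")"
fi
```

Packages that backport fixes without changing the version string need a changelog check (for example `rpm -q --changelog`) instead of this comparison.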
     
  5. niceboy

    niceboy Active Member

    Do we have any updates on this? Seems to be a critical vulnerability.
     
    jpenner likes this.
  6. gPowerHost

    gPowerHost Registered

    How much longer will this update take? Are we talking hours or days?
     
  7. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    It's tentatively scheduled for publication later today. I'll update this thread with more information as soon as it's available.

    Thank you.
     
    Marcio Vecchi, sneader and mtindor like this.
  8. Marcio Vecchi

    Marcio Vecchi Registered

    We are waiting for the update, because we are worried about the vulnerabilities.
     
  9. sneader

    sneader Well-Known Member

    jamiepenner likes this.
  10. nibb

    nibb Well-Known Member

    Why is this taking so long? All cPanel has to do is send the patch down from the upstream RHEL. At this point I cannot wait to see how many people are attacking cPanel servers and gaining root access. This security hole is SERIOUS and is already being exploited in the wild. It's 24 hours now and no patch available.
     
  11. Giannis

    Giannis Well-Known Member PartnerNOC

    Just to have it handy here, if you are using CL you can update using yum update -y ea-apache24* --enablerepo=cl-ea4-testing --exclude=ea-apache24-mod_lsapi
     
  12. nibb

    nibb Well-Known Member

    I have CL but I don't feel like I should be enabling a TESTING repo to get a security patch. In particular because cPanel should be sending the patch faster than CloudLinux, at least they should. I want an official release.
     
  13. vacancy

    vacancy Well-Known Member

    Updated EA files have begun to appear on the test mirror server.

    They will start to be published in a short time.
     

  14. sparek-3

    sparek-3 Well-Known Member

    I have to say, the length of time this is taking cPanel to release a fix is a bit disturbing.

    Changes to the EA4 Apache repository for this were made yesterday, yet we still don't have any rpms out to the mirrors.

    But anybody using CloudLinux will have to defer to CloudLinux on this. If you are using CloudLinux, then you are using CloudLinux packaged Apache and PHP. You're not using anything related to cPanel in regards to Apache and PHP.

    Those of us that aren't using CloudLinux have to depend on cPanel to release these updates.
     
  15. Giannis

    Giannis Well-Known Member PartnerNOC

    It is just updating Apache to 2.4.39.
     
  16. FrankS

    FrankS Registered

    An update would be nice regarding this.
     
  17. DataCenterGuy

    DataCenterGuy Registered

    Can we get a status update on the patch being published for the standard kernel? Thanks.
     
  18. cPanelMichael

    cPanelMichael Technical Support Community Manager Staff Member

    Hello Everyone,

    We're aiming to publish the updated packages today, pending successful build quality tests. I don't have a specific time frame to provide, but I'll update this thread as soon as the new packages are published.

    Thank you.
     
  19. FrankS

    FrankS Registered

    I would suggest putting the packages on a beta/experimental repository as they are now. The exploit is rather severe and the only mitigation that I could think of doing is to disable user FTP access and a few other features. It doesn't exactly exclusively mitigate the issue, but it will definitely add a line of defense to the situation.
     
  20. nibb

    nibb Well-Known Member

    I don't think quality is a concern right now for most users. Those that are updating today are pending over this thread already or checking their servers all the time; those that don't are not even aware the issue exists. I would rather have a temporary buggy web server than a root-hacked server that makes you lose customers and have to rebuild everything from scratch. Given this is being exploited as we speak, security should trump quality testing right now.
     
    sparek-3 and FrankS like this.