
OptionsBleed CVE-2017-9798

Discussion in 'EasyApache' started by cPJacob, Sep 19, 2017.

  1. JacobPerkins

    JacobPerkins Well-Known Member

    Joined:
    May 2, 2014
    Messages:
    619
    Likes Received:
    96
    Trophy Points:
    103
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Greetings,

    There was a pretty severe CVE released yesterday that pertains to the Apache httpd project. cPanel is preparing to release updates today to address these CVEs in both EasyApache 3 (Apache 2.2 and 2.4) and EasyApache 4 (Apache 2.4).

    Note, there will be some mild side effects from securing this vulnerability. If a user is attempting to register a new method via their .htaccess file, this will now fail, and they will receive errors such as:
    Code:
    /home/user/public_html/.htaccess: Could not register method 'abcxyz' for <Limit from .htaccess configuration
    These methods should instead be loaded inside httpd.conf, via custom user includes for that user.

    Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation

    I'll update this thread once we've released the updates.
     
    Sametto Chan and Infopro like this.
  2. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,344
    Likes Received:
    58
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Jacob,

    Can you give a better example of what you mean by "register a method"? Can you give an example of an .htaccess file that would be problematic? I would like to be able to wrap my head around what could be wrong, and when, and for whom. Without knowing more, it sounds like something that would rarely be a problem because a typical user wouldn't be "registering a new method". But since I really don't know what that means, I can't determine if it would be a rare occurrence or not. Just trying to understand if this is going to be a support nightmare or just a very rare inconvenience for a web host.

    Thanks

    Mike
     
  3. JacobPerkins

    JacobPerkins Well-Known Member

    Joined:
    May 2, 2014
    Messages:
    619
    Likes Received:
    96
    Trophy Points:
    103
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi Mike,

    So, a legit method call would be something like:
    Code:
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>

    These METHODS already exist in the global namespace of Apache (GET, POST, PUT, DELETE).

    Let's say a user was trying something funky, they might put:
    Code:
    <Limit abczsdf>
    allow from all
    </Limit>

    Since the method 'abczsdf' does not exist already in the global, Apache will now throw an error because it's no longer allowed to create those methods.

    I hope this helps!
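    To find the accounts that will hit the error described above before the update lands, here is a small scanner (an added example, not cPanel's or Apache's code) that walks .htaccess files and reports any <Limit>/<LimitExcept> method Apache does not register by default; the KNOWN_METHODS list is an assumption to verify against your build, and the sample .htaccess is constructed for the demo.

```sh
# Added example (not cPanel's or Apache's code): flag <Limit>/<LimitExcept>
# sections in .htaccess files that name HTTP methods Apache has not already
# registered. After the CVE-2017-9798 fix, such sections fail to load with
# "Could not register method '...' for <Limit from .htaccess configuration".
# Assumption: KNOWN_METHODS is the set httpd core registers by default; methods
# registered by modules or by a global <Limit> in httpd.conf must be appended.
KNOWN_METHODS="GET HEAD POST PUT DELETE CONNECT OPTIONS TRACE PATCH PROPFIND \
PROPPATCH MKCOL COPY MOVE LOCK UNLOCK VERSION-CONTROL CHECKOUT UNCHECKOUT \
CHECKIN UPDATE LABEL REPORT MKWORKSPACE MKACTIVITY BASELINE-CONTROL MERGE"

# Print each unregistered method named in a <Limit>/<LimitExcept> opener of the
# given file, one per line, deduplicated. Apache compares names case-sensitively.
unknown_limit_methods() {
    awk -v known="$KNOWN_METHODS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        tolower($0) ~ /^[ \t]*<limit(except)?[ \t]/ {
            line = $0
            sub(/^[ \t]*<[^ \t>]+[ \t]+/, "", line)   # drop "<Limit" / "<LimitExcept"
            sub(/[ \t]*>.*$/, "", line)               # drop ">" and anything after it
            n = split(line, m, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in ok) && !seen[m[i]]++) print m[i]
        }' "$1"
}

# Report "<path>: <method>" for every .htaccess under a tree (e.g. /home on a cPanel box).
scan_htaccess() {
    find "$1" -name .htaccess -type f 2>/dev/null | while read -r f; do
        unknown_limit_methods "$f" | while read -r m; do printf '%s: %s\n' "$f" "$m"; done
    done
}

# Constructed sample mirroring the post's snippets; only 'abczsdf' should be reported.
write_sample() {
    cat > "$1/.htaccess" <<'EOF'
<Limit GET POST>
Require all granted
</Limit>
<Limit abczsdf>
allow from all
</Limit>
<LimitExcept GET POST>
Require valid-user
</LimitExcept>
EOF
}

demo_dir=$(mktemp -d) && write_sample "$demo_dir"
scan_htaccess "$demo_dir"   # prints "<demo_dir>/.htaccess: abczsdf"
rm -rf "$demo_dir"
```

Run it as root against /home to get one line per affected file; an empty result means no account will be affected by the change.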
     
  4. mtindor

    mtindor Well-Known Member

    Joined:
    Sep 14, 2004
    Messages:
    1,344
    Likes Received:
    58
    Trophy Points:
    178
    Location:
    inside a catfish
    cPanel Access Level:
    Root Administrator
    Jacob,

    Thank you -- perfect explanation. I think I'm safe -- and probably most are. I know none of my people would be trying to create methods that didn't already exist.

    I appreciate your response!

    Mike
     
  5. JacobPerkins

    JacobPerkins Well-Known Member

    Joined:
    May 2, 2014
    Messages:
    619
    Likes Received:
    96
    Trophy Points:
    103
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    We have released updates to both EA3 and EA4 to patch this CVE. Please update your systems.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,827
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello,

    As mentioned in the previous post, patches are now available for both EasyApache 3 and EasyApache 4.

    For systems using EasyApache 4, you can update Apache by selecting Run System Update in the EasyApache 4 interface (WHM Home >> Software >> EasyApache 4) or via the command line with the "yum update" command.

    Documentation: How to update Apache with EasyApache 4

    Here is the corresponding entry in the EasyApache 4 change log:

    For systems using EasyApache 3, you can update Apache by browsing to "WHM Home >> Software >> EasyApache 3", or by using the /scripts/easyapache command.

    Documentation: How to update Apache with EasyApache 3

    Here is the corresponding entry in the EasyApache 3 change log as part of EasyApache 3.34.17:

    Thank you.
     
    Sametto Chan likes this.
  7. Samet Chan

    Samet Chan Well-Known Member

    Joined:
    Jun 24, 2016
    Messages:
    351
    Likes Received:
    31
    Trophy Points:
    103
    cPanel Access Level:
    Root Administrator
    Twitter:
    Just updated, but said nothing,

    My WHM current version: v66.0.23
     
  8. JacobPerkins

    JacobPerkins Well-Known Member

    Joined:
    May 2, 2014
    Messages:
    619
    Likes Received:
    96
    Trophy Points:
    103
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    Can you run the following?

    Code:
    rpm -qa | grep ea-apache24-2.4.
    If you're running 'ea-apache24-2.4.27-7.8.1', you have the update. If not, you may need to do a
    Code:
    yum clean all ; yum update
     
  9. Samet Chan

    Samet Chan Well-Known Member

    Joined:
    Jun 24, 2016
    Messages:
    351
    Likes Received:
    31
    Trophy Points:
    103
    cPanel Access Level:
    Root Administrator
    Twitter:
    Code:
    ea-apache24-2.4.27-8.8.1.cpanel.x86_64
    
     
  10. JacobPerkins

    JacobPerkins Well-Known Member

    Joined:
    May 2, 2014
    Messages:
    619
    Likes Received:
    96
    Trophy Points:
    103
    cPanel Access Level:
    DataCenter Provider
    Twitter:
    Hi,

    You have the update already :)
     
    Sametto Chan likes this.
  11. Samet Chan

    Samet Chan Well-Known Member

    Joined:
    Jun 24, 2016
    Messages:
    351
    Likes Received:
    31
    Trophy Points:
    103
    cPanel Access Level:
    Root Administrator
    Twitter:
    Sounds good. It is safe now.

    Thanks for the info! :P
     