OptionsBleed CVE-2017-9798

Discussion in 'EasyApache' started by cPJacob, Sep 19, 2017.

  1. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Greetings,

    There was a pretty severe CVE released yesterday that pertains to the Apache httpd project. cPanel is preparing to release updates today to address this CVE in both EasyApache 3 (Apache 2.2 and 2.4) and EasyApache 4 (Apache 2.4).

    Note, there will be some mild side effects from securing this vulnerability. If a user is attempting to register a new method via their .htaccess file, this will now fail, and they will receive errors such as:
    Code:
    /home/user/public_html/.htaccess: Could not register method 'abcxyz' for <Limit from .htaccess configuration
    These methods should instead be loaded inside httpd.conf, via custom user includes for that user.

    Modify Apache Virtual Hosts with Include Files - EasyApache 4 - cPanel Documentation

    I'll update this thread once we've released the updates.
     
  2. mtindor

    mtindor Well-Known Member

    Jacob,

    Can you give a better example of what you mean by "register a method"? Can you give an example of an .htaccess file that would be problematic? I would like to be able to wrap my head around what could be wrong, and when, and for whom. Without knowing more, it sounds like something that would rarely be a problem because a typical user wouldn't be "registering a new method". But since I really don't know what that means, I can't determine if it would be a rare occurrence or not. Just trying to understand if this is going to be a support nightmare or just a very rare inconvenience for a web host.

    Thanks

    Mike
     
  3. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi Mike,

    So, a legit method call would be something like:
    Code:
    <Limit GET POST>
    order deny,allow
    deny from all
    allow from all
    </Limit>
    <Limit PUT DELETE>
    order deny,allow
    deny from all
    </Limit>

    These METHODS already exist in the global namespace of Apache (GET, POST, PUT, DELETE).

    Let's say a user was trying something funky, they might put:
    Code:
    <Limit abczsdf>
    allow from all
    </Limit>

    Since the method 'abczsdf' does not exist already in the global, Apache will now throw an error because it's no longer allowed to create those methods.

    I hope this helps!
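    To answer Mike's question at scale rather than one .htaccess at a time, here is an added example (not cPanel's or Apache's own code): a Python scanner that walks a tree of home directories for .htaccess files and reports every <Limit> / <LimitExcept> section naming a method that stock httpd does not register, i.e. the sites that will start logging "Could not register method" once the update lands. Assumptions, labelled in the code too: the known-method list is the set httpd registers at startup in http_protocol.c plus HEAD (which Apache treats as GET), so extend it if your build registers extra methods; Apache compares method names case-sensitively, so `<Limit get>` counts as unregistered; the sample .htaccess contents and the `/home` path are constructed for the demo. A flagged method can be registered server-wide with the Apache 2.4 `RegisterHttpMethod` directive in the per-user include Jacob linked, rather than from .htaccess.

```python
"""Find .htaccess files whose <Limit>/<LimitExcept> sections name HTTP
methods that Apache httpd does not register by default.

Added example for this thread, not cPanel's or Apache's own code. After the
CVE-2017-9798 fix, httpd refuses to register a new method from .htaccess and
logs "Could not register method '...' for <Limit from .htaccess
configuration", so a host can use this to find the sites that will break
before pushing the update.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List

# Assumption: the methods stock httpd registers at startup (http_protocol.c),
# plus HEAD, which Apache treats as GET inside <Limit>. Extend this if your
# build registers more via RegisterHttpMethod or a module.
KNOWN_METHODS = frozenset(
    "GET HEAD PUT POST DELETE CONNECT OPTIONS TRACE PATCH "
    "PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK "
    "VERSION_CONTROL CHECKOUT UNCHECKOUT CHECKIN UPDATE LABEL REPORT "
    "MKWORKSPACE MKACTIVITY BASELINE_CONTROL MERGE".split()
)

# Matches '<Limit GET POST>' or '<LimitExcept "PUT" DELETE>' at line start.
# The directive name is case-insensitive; the method names are not.
LIMIT_RE = re.compile(r"^\s*<\s*Limit(?:Except)?\s+([^>]+)>",
                      re.IGNORECASE | re.MULTILINE)


def unregistered_methods(htaccess_text: str) -> List[str]:
    """Return, in order of first appearance, the method names used in
    <Limit>/<LimitExcept> that httpd would have to register on the fly.
    Comparison is case-sensitive because Apache's method lookup is."""
    found: List[str] = []
    for match in LIMIT_RE.finditer(htaccess_text):
        for method in match.group(1).replace('"', " ").split():
            if method not in KNOWN_METHODS and method not in found:
                found.append(method)
    return found


def scan_tree(root: Path) -> Dict[str, List[str]]:
    """Walk root for .htaccess files and map each offending path to its
    unregistered methods. Unreadable files are skipped, not fatal."""
    report: Dict[str, List[str]] = {}
    for path in root.rglob(".htaccess"):
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue
        bad = unregistered_methods(text)
        if bad:
            report[str(path)] = bad
    return report


# Constructed samples mirroring the two snippets in the post above.
CONSTRUCTED_OK = """<Limit GET POST>
order deny,allow
deny from all
allow from all
</Limit>
<Limit PUT DELETE>
order deny,allow
deny from all
</Limit>
"""

CONSTRUCTED_BAD = """<Limit abczsdf>
allow from all
</Limit>
<LimitExcept GET "post">
deny from all
</LimitExcept>
"""

if __name__ == "__main__":
    # Usage: python scan_limit.py /home   (hypothetical path; run as root)
    if len(sys.argv) < 2:
        print("constructed OK sample :", unregistered_methods(CONSTRUCTED_OK))
        print("constructed BAD sample:", unregistered_methods(CONSTRUCTED_BAD))
    else:
        for path, methods in sorted(scan_tree(Path(sys.argv[1])).items()):
            print(f"{path}: {' '.join(methods)}")
```

    Run with no arguments to see the two constructed samples classified; run with a directory to get one line per offending .htaccess. Note that `post` in the second sample is flagged deliberately: a lower-case method is a different, unregistered method to Apache.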
     
  4. mtindor

    mtindor Well-Known Member

    Jacob,

    Thank you -- perfect explanation. I think I'm safe -- and probably most are. I know none of my people would be trying to create methods that didn't already exist.

    I appreciate your response!

    Mike
     
  5. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    We have released updates to both EA3 and EA4 to patch this CVE. Please update your systems.
     
  6. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    As mentioned in the previous post, patches are now available for both EasyApache 3 and EasyApache 4.

    For systems using EasyApache 4, you can update Apache by selecting Run System Update in the EasyApache 4 interface (WHM Home >> Software >> EasyApache 4) or via the command line with the "yum update" command.

    Documentation: How to update Apache with EasyApache 4

    Here is the corresponding entry in the EasyApache 4 change log:

    For systems using EasyApache 3, you can update Apache by browsing to "WHM Home >> Software >> EasyApache 3", or by using the /scripts/easyapache command.

    Documentation: How to update Apache with EasyApache 3

    Here is the corresponding entry in the EasyApache 3 change log as part of EasyApache 3.34.17:

    Thank you.
     
  7. Sametto Chan

    Sametto Chan Well-Known Member

    Just updated, but it said nothing.

    My WHM current version: v66.0.23
     
  8. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi,

    Can you run the following?

    Code:
    rpm -qa | grep ea-apache24-2.4.
    If you're running 'ea-apache24-2.4.27-7.8.1', you have the update. If not, you may need to do a
    Code:
    yum clean all ; yum update
     
  9. Sametto Chan

    Sametto Chan Well-Known Member

    Code:
    ea-apache24-2.4.27-8.8.1.cpanel.x86_64
    
     
  10. cPJacob

    cPJacob cPanel Product Owner
    Staff Member

    Hi,

    You have the update already :)
     
  11. Sametto Chan

    Sametto Chan Well-Known Member

    Sounds good. It is safe now.

    Thanks for the info! :P
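    The rpm check above is the authoritative way to confirm the patched package is installed. As an added example (not cPanel's code), the script below gives a behavioural check to go with it: Optionsbleed corrupts the Allow header that httpd builds for OPTIONS responses, so on an affected server some replies carry fragments of freed memory instead of a clean, comma-separated list of method tokens. `analyse_allow()` classifies one header value and is what the assertions exercise; `probe()` sends repeated OPTIONS requests, because the corruption is intermittent and a single clean response proves nothing. Assumptions, labelled in the code: method names are RFC 7230 tokens; stock httpd emits each method once and never an empty field, so duplicates and empty fields are treated as weaker indicators; the sample Allow values are constructed. Caveats: only test hosts you are authorised to probe, point the path under a directory whose .htaccess actually carries the offending <Limit>, and treat a clean probe as absence of evidence, not proof the host is patched.

```python
"""Probe an Apache host for Optionsbleed (CVE-2017-9798) by inspecting the
Allow header of repeated OPTIONS responses.

Added example for this thread, not cPanel's code. On an unpatched server a
<Limit> on an unregistered method in .htaccess corrupts the Allow header
that httpd builds for OPTIONS, so some responses carry fragments of freed
memory instead of a clean method list. A healthy Allow value is a
comma-separated list of HTTP method tokens, each emitted once.
"""
import http.client
import re
import sys
from typing import Dict, List, Optional, Tuple

# RFC 7230 "tchar": the only characters allowed in a method name.
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def analyse_allow(allow: Optional[str]) -> Tuple[List[str], List[str]]:
    """Classify one Allow header value.

    Returns (non_tokens, oddities): non_tokens are fields that cannot be a
    method name and are therefore leaked bytes; oddities are empty or
    repeated fields, which stock httpd does not emit but the bug does
    produce (assumption). A missing header yields ([], []): not every
    resource sends Allow, and absence is not evidence of a leak."""
    if allow is None:
        return [], []
    non_tokens: List[str] = []
    oddities: List[str] = []
    seen = set()
    for raw in allow.split(","):
        field = raw.strip()
        if not field:
            oddities.append("empty field")
        elif not TOKEN_RE.match(field):
            non_tokens.append(field)
        elif field in seen:
            oddities.append(f"duplicate {field}")
        else:
            seen.add(field)
    return non_tokens, oddities


def is_suspicious(allow: Optional[str]) -> bool:
    """True when the Allow value shows any leak indicator."""
    non_tokens, oddities = analyse_allow(allow)
    return bool(non_tokens or oddities)


def probe(host: str, path: str = "/", attempts: int = 100, port: int = 80,
          timeout: float = 10.0) -> Dict[str, object]:
    """Send OPTIONS `attempts` times (the corruption is intermittent, so one
    request proves nothing) and summarise what came back. Needs network
    access and a host you are authorised to test; the path should sit under
    the directory whose .htaccess carries the offending <Limit>."""
    hits: List[Tuple[Optional[str], List[str], List[str]]] = []
    allows: List[Optional[str]] = []
    for _ in range(attempts):
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("OPTIONS", path)
            allow = conn.getresponse().getheader("Allow")
        finally:
            conn.close()
        allows.append(allow)
        non_tokens, oddities = analyse_allow(allow)
        if non_tokens or oddities:
            hits.append((allow, non_tokens, oddities))
    return {
        "attempts": attempts,
        "suspicious": len(hits),
        "distinct_allow_values": sorted({a for a in allows if a is not None}),
        "samples": hits[:5],
    }


# Constructed Allow values for offline demonstration (not captured traffic).
CONSTRUCTED_CLEAN = "OPTIONS,GET,HEAD,POST"
CONSTRUCTED_LEAK = "GET,HEAD,OPTIONS,,HEAD,,HEAD,<html><body>leaked"

if __name__ == "__main__":
    # Usage: python optionsbleed_probe.py example.com /some/path
    if len(sys.argv) < 2:
        print("clean:", analyse_allow(CONSTRUCTED_CLEAN))
        print("leak :", analyse_allow(CONSTRUCTED_LEAK))
    else:
        print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/"))
```

    Run with no arguments to see the two constructed values classified offline; pass a host and path to probe a live server. The `distinct_allow_values` entry is useful on its own: a patched host returns the same Allow list every time, while a leaking one returns a different value on a fraction of requests.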
     