Urgent security issue in NGINX/php-fpm

Hi @Nemskiller

You can follow the steps from this answer:

Just replace every 7.2 with 7.3 in his answer.

He stated that as an update in his answer as well:

Update:

Yesterday, I’ve used the above set of commands to install PHP 7.3 on Ubuntu 16.04 and everything went completely fine. Just replace 7.2 with 7.3 within these commands - the entire process took about 7 minutes.

7.3.11 packages are not yet released on https://launchpad.net/%7Eondrej/+archive/ubuntu/php/+index?batch=75&memo=150&start=150 .

I am sure it will come soon.

1 Like

@system And the workaround is sufficient and reliable?

The last comment from the bug report reads:

A method to quick fix this problem.
If you want to use PATH_INFO in php, and do not want to patch and recompile PHP.

Add this line before ALL YOUR “location ~ .php(/|$) {” LINES in nginx confs:

rewrite ^(.*?)\n $1;  #Fix CVE-2019-11043 (THIS LINE!!!)
location ~ \.php(/|$) {
  ...
  fastcgi_split_path_info ^((?U).+\.php)(/?.+)$;
  ...

That will truncate PATH_INFO after “\n” while URL contains “%0a”.

(https://bugs.php.net/bug.php?id=78599)

Is this something which should be added as well?

@system I noticed that try_files was included, while further down the config we still set PATHINFO. Doesn’t that cause issues? Due to a bug try_files resets $fastcgi_path_info…
http://trac.nginx.org/nginx/ticket/321

1 Like

On Arch, those directives are

SCRIPT_FILENAME and PATH_INFO (notice the _ between the words). Got bit once again and spent some time thinking my server was borked. Hope it helps someone else.

3 Likes

To whom it may concern.

I appreciate such urgent info and the resp. Nextcloud announcement. However, for the convenience of administrators and other interested parties one may add several links such as:

Beispielhaft sei noch der Artikel Debian und CVE-Kompatibilität für deutschsprachige Personen erwähnt. - English: Debian and CVE compatibility

:innocent:

1 Like
php7.3-fpm:
  Installed: 7.3.11-1+ubuntu18.04.1+deb.sury.org+1
  Candidate: 7.3.11-1+ubuntu18.04.1+deb.sury.org+1
  Version table:
 *** 7.3.11-1+ubuntu18.04.1+deb.sury.org+1 500
        500 http://ppa.launchpad.net/ondrej/php/ubuntu bionic/main amd64 Packages
        100 /var/lib/dpkg/status
1 Like

I got hit by this also, I’m not sure whether SCRIPTFILENAME and PATHINFO are valid anywhere?

I think it might just be a mistake in the blog post?

e.g. https://docs.nextcloud.com/server/17/admin_manual/installation/nginx.html?highlight=nginx has underscores.

1 Like

I think this kind of news should be sticky at least few days. Can you do it? @system

What about Nextcloud installed via Ubuntu snaps?
Did it got all required updates to its nginx automatically?

3 Likes

Here’s more updates since this news thread was opened.

1 Like

I run a fully-refreshed snap on Ubuntu 16.04. Version information is installed: 16.0.5snap2 (16402) 228MB and I do not see nginx running at all. That leads me to believe the version of php-fpm (which is installed) is not a problem.

Services from nextcloud snap:

$ sudo snap services nextcloud
Service                    Startup  Current   Notes
nextcloud.apache           enabled  active    -
nextcloud.mdns-publisher   enabled  active    -
nextcloud.mysql            enabled  active    -
nextcloud.nextcloud-cron   enabled  active    -
nextcloud.nextcloud-fixer  enabled  inactive  -
nextcloud.php-fpm          enabled  active    -
nextcloud.redis-server     enabled  active    -
nextcloud.renew-certs      enabled  active    -
1 Like

Nextcloud-Snap comes with Apache and not with nginx, so you should be safe:

1 Like

I’m just wondering (but could be an idiotic thought): are users really safe just because they run apache? I mean, the bug was actually in PHP (not nginx) in combination with php-fpm. Doesn’t apache use php-fpm as well?

As said, just wondering. Could be a totally mislead thought.

1 Like

WARNING to everybody with nginx version: nginx/1.10.3 (Debian stretch latest)

The directive or cgi_parameter SCRIPTFILENAME will render your nextcloud website blank.
change it to SCRIPT_FILENAME

4 Likes

Are both “Immediate actions” required to be secure? My upstream distribution does not have updated packages available currently.

I am relying on this statement from the initial post:

1 Like

Is Nginx (under Plesk) with the directives set from this guide affected?

I corrected the article now regarding SCRIPTFILENAME vs. SCRIPT_FILENAME and PATHINFO vs. PATH_INFO. Also I pinned it globally.

1 Like