Urgent security issue in NGINX/php-fpm

Post date: October 24, 2019

Author: Jos Poortvliet

Dear system administrators,
In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not affect you.

Unfortunately, the default Nextcloud NGINX configuration is also vulnerable to this attack. We recommend all system administrators take immediate action:

  1. Upgrade your php packages to the latest version. A new release that fixes the issue is to be released on the 24th of October; see https://www.php.net/archive/2019.php#2019-10-24-1. Upstream php packages with the fix are:

    1. 7.1.33

    2. 7.2.24

    3. 7.3.11

  2. Update your nginx config file. We have updated the configuration in our documentation.

Since there are only two changes in the nginx configuration, we highlight them here:

    location / {
        rewrite ^ /index.php$request_uri;
    }

Should become

    location / {
        rewrite ^ /index.php;
    }

Note the removal of $request_uri from the rewrite.

And

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

Should become:

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        try_files $fastcgi_script_name =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

Note the addition of try_files $fastcgi_script_name =404; which makes nginx answer with a 404 when the requested .php script does not exist on disk, instead of handing the request to php-fpm.

Then restart your webserver and the issue is mitigated. See our full documentation here.
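As an added example (not part of the original post or of Nextcloud's documentation), here is a small Python script that audits an nginx configuration for the two changes above: a rewrite that still appends $request_uri, and a location block with fastcgi_pass but no try_files $fastcgi_script_name =404; guard. The embedded sample config is constructed and abbreviated from the fragments quoted above, and the brace-matching parser is a simplification that assumes no braces appear inside directive arguments.

```python
import re
import sys

# Constructed sample: the two vulnerable fragments quoted in the advisory, shortened.
VULNERABLE_CONF = r"""
location / {
    rewrite ^ /index.php$request_uri;
}
location ~ ^\/(?:index|remote|public|cron)\.php(?:$|\/) {
    fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass php-handler;
}
"""

# Constructed sample: the same fragments with both changes from the advisory applied.
FIXED_CONF = VULNERABLE_CONF.replace("/index.php$request_uri;", "/index.php;").replace(
    "include fastcgi_params;", "try_files $fastcgi_script_name =404;\n    include fastcgi_params;")

def location_blocks(conf):
    """Yield (selector, body) for every location block, matching braces by depth."""
    for m in re.finditer(r"location\s+([^{]+)\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def audit(conf):
    """Return a list of findings; an empty list means both mitigations are present."""
    findings = []
    for selector, body in location_blocks(conf):
        # Change 1: the front-controller rewrite must not append $request_uri.
        if re.search(r"rewrite\s+\S+\s+\S*\$request_uri", body):
            findings.append(f"location {selector}: rewrite passes $request_uri")
        # Change 2: anything handed to php-fpm must first be checked to exist on disk.
        if "fastcgi_pass" in body and not re.search(
                r"try_files\s+\$fastcgi_script_name\s+=404\s*;", body):
            findings.append(f"location {selector}: fastcgi_pass without "
                            "try_files $fastcgi_script_name =404;")
    return findings

if __name__ == "__main__":
    # Pass a real nginx config path as the first argument; otherwise audit the sample.
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else VULNERABLE_CONF
    for finding in audit(conf) or ["no findings"]:
        print(finding)
```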

If you are running the docker containers from https://hub.docker.com/_/nextcloud those will also receive updates with new php-fpm versions when available.

If you are a Nextcloud customer, you should already have been notified of this issue. If you need any assistance, contact our support team through our portal.
