Urgent security issue in NGINX/php-fpm

Data dell'articolo

24 Ottobre 2019

Categorie
Autore

Jos Poortvliet

Dear system administrators,
In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you.

Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack. We recommend all system administrators take immediate actions:

  1. Upgrade your php packages to the latest version. A new release that fixes the issue is to be released on the 24th of October. See https://www.php.net/archive/2019.php#2019-10-24-1 Upstream php packages with the fix are:

    1. 7.1.33

    2. 7.2.24

    3. 7.3.11

  2. Update your nginx config file. We have updated the configuration in our documentation.

Since there are only two changes in the nginx configuration we highlight them here:

    location / {
                rewrite ^ /index.php$request_uri;
            }

Should become

    location / {
                rewrite ^ /index.php;
            }

Note the removal of $request_uri

And

     location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                # Avoid sending the security headers twice
                fastcgi_param modHeadersAvailable true;
                # Enable pretty urls
                fastcgi_param front_controller_active true;
                fastcgi_pass php-handler;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            }

Should become:

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
                fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
                try_files $fastcgi_script_name =404;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_param PATH_INFO $path_info;
                fastcgi_param HTTPS on;
                # Avoid sending the security headers twice
                fastcgi_param modHeadersAvailable true;
                # Enable pretty urls
                fastcgi_param front_controller_active true;
                fastcgi_pass php-handler;
                fastcgi_intercept_errors on;
                fastcgi_request_buffering off;
            }

Note the addition of the $try_files $fastcgi_script_name =404;

Then restart your webserver and the issue is mitigated. See our full documentation here.

If you are running the docker containers from https://hub.docker.com/_/nextcloud those will also receive updates with new php-fpm versions when available.

If you are a Nextcloud customer, you should already have been notified of this issue. If you need any assistance, contact our support team through our portal.

Altri post

Minor Nextcloud updates released

November maintenance updates for Nextcloud Hub 7, 8 and 9

Maintenance updates 28.0.12, 29.0.9 and 30.0.2 for Nextcloud Hub 7, 8 and 9 respectively are here! Read an update summary and access full changelog on the website.

Per saperne di più
Minor Nextcloud updates released

October maintenance updates for Nextcloud Hub 7 and 8

Maintenance updates 28.0.11 and 29.0.8 for Nextcloud Hub 7 and 8 respectively are here! Read an update summary and access full changelog on the website.

Per saperne di più
Minor Nextcloud updates released

New maintenance update for Nextcloud Hub 8 is available

Maintenance update 29.0.6 for Nextcloud Hub 8 is here! Read an update summary here and access full changelog on the website.

Per saperne di più