{"id":6881,"date":"2019-10-24T14:05:55","date_gmt":"2019-10-24T14:05:55","guid":{"rendered":"https:\/\/nextcloud.com\/?p=6881"},"modified":"2019-10-24T14:05:55","modified_gmt":"2019-10-24T14:05:55","slug":"urgent-security-issue-in-nginx-php-fpm","status":"publish","type":"post","link":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/","title":{"rendered":"Urgent security issue in NGINX\/php-fpm"},"content":{"rendered":"

Dear system administrators,
\nIn the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you.<\/p>\n

Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this attack. We recommend all system administrators take immediate actions:<\/p>\n

    \n
  1. \n

    Upgrade your php packages to the latest version. A new release that fixes the issue is to be released on the 24th of October. See https:\/\/www.php.net\/archive\/2019.php#2019-10-24-1<\/a> Upstream php packages with the fix are:<\/p>\n

      \n
    1. \n

      7.1.33<\/p>\n<\/li>\n

    2. \n

      7.2.24<\/p>\n<\/li>\n

    3. \n

      7.3.11<\/p>\n<\/li>\n<\/ol>\n<\/li>\n

    4. \n

      Update your nginx config file. We have updated the configuration in our documentation.<\/p>\n<\/li>\n<\/ol>\n

      Since there are only two changes in the nginx configuration we highlight them here:<\/p>\n

          location \/ {\n                rewrite ^ \/index.php$request_uri;\n            }\n        <\/code><\/pre>\n
      Should become<\/p>\n
          location \/ {\n                rewrite ^ \/index.php;\n            }\n        <\/code><\/pre>\n
      Note the removal of $request_uri<\/code><\/strong><\/p>\n
      And<\/p>\n
           location ~ ^\\\/(?:index|remote|public|cron|core\\\/ajax\\\/update|status|ocs\\\/v[12]|updater\\\/.+|oc[ms]-provider\\\/.+)\\.php(?:$|\\\/) {\n                fastcgi_split_path_info ^(.+?\\.php)(\\\/.*|)$;\n                include fastcgi_params;\n                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n                fastcgi_param PATH_INFO $path_info;\n                fastcgi_param HTTPS on;\n                # Avoid sending the security headers twice\n                fastcgi_param modHeadersAvailable true;\n                # Enable pretty urls\n                fastcgi_param front_controller_active true;\n                fastcgi_pass php-handler;\n                fastcgi_intercept_errors on;\n                fastcgi_request_buffering off;\n            }\n        <\/code><\/pre>\n
      Should become:<\/p>\n
          location ~ ^\\\/(?:index|remote|public|cron|core\\\/ajax\\\/update|status|ocs\\\/v[12]|updater\\\/.+|oc[ms]-provider\\\/.+)\\.php(?:$|\\\/) {\n                fastcgi_split_path_info ^(.+?\\.php)(\\\/.*|)$;\n                try_files $fastcgi_script_name =404;\n                include fastcgi_params;\n                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n                fastcgi_param PATH_INFO $path_info;\n                fastcgi_param HTTPS on;\n                # Avoid sending the security headers twice\n                fastcgi_param modHeadersAvailable true;\n                # Enable pretty urls\n                fastcgi_param front_controller_active true;\n                fastcgi_pass php-handler;\n                fastcgi_intercept_errors on;\n                fastcgi_request_buffering off;\n            }\n        <\/code><\/pre>\n
      Note the addition of the $try_files $fastcgi_script_name =404;<\/code><\/strong><\/p>\n
      Then restart your webserver and the issue is mitigated. See our full documentation here<\/a>.<\/p>\n
      If you are running the docker containers from https:\/\/hub.docker.com\/_\/nextcloud<\/a> those will also receive updates with new php-fpm versions when available.<\/p>\n
      If you are a Nextcloud customer, you should already have been notified of this issue. If you need any assistance, contact our support team through our portal.<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
      Dear system administrators, In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you. Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this […]<\/p>\n","protected":false},"author":2,"featured_media":6882,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"publish_to_discourse":"0","publish_post_category":"22","wpdc_auto_publish_overridden":"","wpdc_topic_tags":"","wpdc_pin_topic":"","wpdc_pin_until":"","discourse_post_id":"175928","discourse_permalink":"https:\/\/help.nextcloud.com\/t\/urgent-security-issue-in-nginx-php-fpm\/62665","wpdc_publishing_response":"","wpdc_publishing_error":"","footnotes":""},"categories":[13],"tags":[],"class_list":["post-6881","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security"],"acf":[],"yoast_head":"\nUrgent security issue in NGINX\/php-fpm - Nextcloud<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\" \/>\n<meta property=\"og:locale\" content=\"nl_NL\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Urgent security issue in NGINX\/php-fpm - Nextcloud\" \/>\n<meta property=\"og:description\" content=\"Dear system administrators, In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you. Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\" \/>\n<meta property=\"og:site_name\" content=\"Nextcloud\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Nextclouders\/\" \/>\n<meta property=\"article:published_time\" content=\"2019-10-24T14:05:55+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/nextcloud.com\/wp-content\/uploads\/2019\/10\/gears.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1600\" \/>\n\t<meta property=\"og:image:height\" content=\"1068\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Jos Poortvliet\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@nextclouders\" \/>\n<meta name=\"twitter:site\" content=\"@nextclouders\" \/>\n<meta name=\"twitter:label1\" content=\"Geschreven door\" \/>\n\t<meta name=\"twitter:data1\" content=\"Jos Poortvliet\" \/>\n\t<meta name=\"twitter:label2\" content=\"Geschatte leestijd\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minuten\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\"},\"author\":{\"name\":\"Jos Poortvliet\",\"@id\":\"https:\/\/nextcloud.com\/nl\/#\/schema\/person\/c3c1a52fbc1c6a2be2f1df8818daa8c2\"},\"headline\":\"Urgent security issue in NGINX\/php-fpm\",\"datePublished\":\"2019-10-24T14:05:55+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\"},\"wordCount\":217,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/#organization\"},\"image\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg\",\"articleSection\":[\"Security\"],\"inLanguage\":\"nl-NL\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\",\"url\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\",\"name\":\"Urgent security issue in NGINX\/php-fpm - Nextcloud\",\"isPartOf\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg\",\"datePublished\":\"2019-10-24T14:05:55+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#breadcrumb\"},\"inLanguage\":\"nl-NL\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage\",\"url\":\"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg\",\"contentUrl\":\"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg\",\"width\":1600,\"height\":1068},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/nextcloud.com\/nl\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Urgent security issue in NGINX\/php-fpm\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/nextcloud.com\/nl\/#website\",\"url\":\"https:\/\/nextcloud.com\/nl\/\",\"name\":\"Nextcloud\",\"description\":\"Regain control over your data\",\"publisher\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/nextcloud.com\/nl\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"nl-NL\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/nextcloud.com\/nl\/#organization\",\"name\":\"Nextcloud\",\"url\":\"https:\/\/nextcloud.com\/nl\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/nextcloud.com\/nl\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/nextcloud.com\/c\/uploads\/2022\/10\/nextcloud-logo-blue-transparent.svg\",\"contentUrl\":\"https:\/\/nextcloud.com\/c\/uploads\/2022\/10\/nextcloud-logo-blue-transparent.svg\",\"width\":\"1024\",\"height\":\"1024\",\"caption\":\"Nextcloud\"},\"image\":{\"@id\":\"https:\/\/nextcloud.com\/nl\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/Nextclouders\/\",\"https:\/\/x.com\/nextclouders\",\"https:\/\/www.linkedin.com\/company\/10827569\/\",\"https:\/\/youtube.com\/nextcloud\",\"https:\/\/www.instagram.com\/nextclouders\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/nextcloud.com\/nl\/#\/schema\/person\/c3c1a52fbc1c6a2be2f1df8818daa8c2\",\"name\":\"Jos Poortvliet\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"nl-NL\",\"@id\":\"https:\/\/nextcloud.com\/nl\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/1c6de64891ee8c4902e1ac198f26ea5fb202d8bbaa7bce35b6a184610bbe4a3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/1c6de64891ee8c4902e1ac198f26ea5fb202d8bbaa7bce35b6a184610bbe4a3d?s=96&d=mm&r=g\",\"caption\":\"Jos Poortvliet\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Urgent security issue in NGINX\/php-fpm - Nextcloud","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/","og_locale":"nl_NL","og_type":"article","og_title":"Urgent security issue in NGINX\/php-fpm - Nextcloud","og_description":"Dear system administrators, In the last 24 hours, a new security risk has emerged around NGINX, documented in CVE-2019-11043. This exploit allows for remote code execution on some NGINX and php-fpm configurations. If you do not run NGINX, this exploit does not effect you. Unfortunately the default Nextcloud NGINX configuration is also vulnerable to this […]","og_url":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/","og_site_name":"Nextcloud","article_publisher":"https:\/\/www.facebook.com\/Nextclouders\/","article_published_time":"2019-10-24T14:05:55+00:00","og_image":[{"width":1600,"height":1068,"url":"https:\/\/nextcloud.com\/wp-content\/uploads\/2019\/10\/gears.jpg","type":"image\/jpeg"}],"author":"Jos Poortvliet","twitter_card":"summary_large_image","twitter_creator":"@nextclouders","twitter_site":"@nextclouders","twitter_misc":{"Geschreven door":"Jos Poortvliet","Geschatte leestijd":"2 minuten"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#article","isPartOf":{"@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/"},"author":{"name":"Jos Poortvliet","@id":"https:\/\/nextcloud.com\/nl\/#\/schema\/person\/c3c1a52fbc1c6a2be2f1df8818daa8c2"},"headline":"Urgent security issue in NGINX\/php-fpm","datePublished":"2019-10-24T14:05:55+00:00","mainEntityOfPage":{"@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/"},"wordCount":217,"commentCount":0,"publisher":{"@id":"https:\/\/nextcloud.com\/nl\/#organization"},"image":{"@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage"},"thumbnailUrl":"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg","articleSection":["Security"],"inLanguage":"nl-NL","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/","url":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/","name":"Urgent security issue in NGINX\/php-fpm - Nextcloud","isPartOf":{"@id":"https:\/\/nextcloud.com\/nl\/#website"},"primaryImageOfPage":{"@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage"},"image":{"@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage"},"thumbnailUrl":"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg","datePublished":"2019-10-24T14:05:55+00:00","breadcrumb":{"@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#breadcrumb"},"inLanguage":"nl-NL","potentialAction":[{"@type":"ReadAction","target":["https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/"]}]},{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#primaryimage","url":"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg","contentUrl":"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg","width":1600,"height":1068},{"@type":"BreadcrumbList","@id":"https:\/\/nextcloud.com\/nl\/blog\/urgent-security-issue-in-nginx-php-fpm\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/nextcloud.com\/nl\/"},{"@type":"ListItem","position":2,"name":"Urgent security issue in NGINX\/php-fpm"}]},{"@type":"WebSite","@id":"https:\/\/nextcloud.com\/nl\/#website","url":"https:\/\/nextcloud.com\/nl\/","name":"Nextcloud","description":"Regain control over your data","publisher":{"@id":"https:\/\/nextcloud.com\/nl\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/nextcloud.com\/nl\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"nl-NL"},{"@type":"Organization","@id":"https:\/\/nextcloud.com\/nl\/#organization","name":"Nextcloud","url":"https:\/\/nextcloud.com\/nl\/","logo":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/nextcloud.com\/nl\/#\/schema\/logo\/image\/","url":"https:\/\/nextcloud.com\/c\/uploads\/2022\/10\/nextcloud-logo-blue-transparent.svg","contentUrl":"https:\/\/nextcloud.com\/c\/uploads\/2022\/10\/nextcloud-logo-blue-transparent.svg","width":"1024","height":"1024","caption":"Nextcloud"},"image":{"@id":"https:\/\/nextcloud.com\/nl\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/Nextclouders\/","https:\/\/x.com\/nextclouders","https:\/\/www.linkedin.com\/company\/10827569\/","https:\/\/youtube.com\/nextcloud","https:\/\/www.instagram.com\/nextclouders\/"]},{"@type":"Person","@id":"https:\/\/nextcloud.com\/nl\/#\/schema\/person\/c3c1a52fbc1c6a2be2f1df8818daa8c2","name":"Jos Poortvliet","image":{"@type":"ImageObject","inLanguage":"nl-NL","@id":"https:\/\/nextcloud.com\/nl\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/1c6de64891ee8c4902e1ac198f26ea5fb202d8bbaa7bce35b6a184610bbe4a3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/1c6de64891ee8c4902e1ac198f26ea5fb202d8bbaa7bce35b6a184610bbe4a3d?s=96&d=mm&r=g","caption":"Jos Poortvliet"}}]}},"featured_media_url":"https:\/\/nextcloud.com\/c\/uploads\/2019\/10\/gears.jpg","_links":{"self":[{"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/posts\/6881","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/comments?post=6881"}],"version-history":[{"count":0,"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/posts\/6881\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/media\/6882"}],"wp:attachment":[{"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/media?parent=6881"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/categories?post=6881"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nextcloud.com\/nl\/wp-json\/wp\/v2\/tags?post=6881"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}