OUR BLOG

Keep up with the latest web trends and Hosting UK news.

Blog Home → cPanel PHP / EasyApache3 Advisory

cPanel PHP / EasyApache3 Advisory

Posted on by Anthony Hogbin

For those users using cPanel on their VPS or dedicated servers – there has been an advisory released regarding EasyApache3 and PHP – specifically the GD module.

If you are using EasyApache4 then the RPM’s will have happily downloaded and upgraded without your intervention (unless you have set it to otherwise).

This is a live vulnerability and we are seeing this being used. So please do take a moment – check your cPanel is up to date (version 60.5) and that if EasyApache3 (type it in the search box and click on it) is enabled (it will tell you that you are using EA4 if you are at this point) – you *need* to be recompiling that this week, if not now.

If you are in a position to – you may wish to explore the EA4 option moving forwards (OS dependant)

Be sure to select the Apache2 2.4 version if you make any use of PayPal or similar gateways for payments.

If you would like any advice on this – do not hesitate to contact us.

Happy Patching

Advisory below.

============== ADVISORY ===============

    SUMMARY
    cPanel, Inc. has released EasyApache 3.34.7 with PHP version 5.6.27. This release addresses vulnerabilities related to CVE-2016-7568. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.27. 
     
    AFFECTED VERSIONS
    All versions of PHP 5.6 through version 5.6.26
     
    SECURITY RATING
    The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
     
    CVE-2016-7568 - HIGH
    
    PHP 5.6.26
    Fixed bug in GD module related to CVE-2016-7568
    
    
    SOLUTION
    cPanel, Inc. has released EasyApache 3.34.7 with an updated version of PHP 5.6.27. Unless you have disabled EasyApache updates, the EasyApache application updates to the latest version when launched. Run EasyApache to rebuild your profile with the latest version of PHP.
     
    REFERENCES
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7568
    http://php.net/ChangeLog-5.php
    
    
    
    SUMMARY
    cPanel, Inc. has released updated RPMs for EasyApache 4 on September 20, 2016, with PHP versions 5.6.27 and 7.0.12. This release addresses vulnerabilities related to CVE-2016-7568. We strongly encourage all PHP 5.6 users to upgrade to version 5.6.27 and all PHP 7.0 users to upgrade to version 7.0.12.
     
     
    AFFECTED VERSIONS
    All versions of PHP 5.6 through version 5.6.26
    All versions of PHP 7.0 through version 7.0.11
     
    SECURITY RATING
    The National Vulnerability Database (NIST) has given the following severity ratings to these CVEs:
     
    CVE-2016-7568 - HIGH
    
    PHP 5.6.26
    Fixed bug in GD module related to CVE-2016-7568
    
    PHP 7.0.11
    Fixed bug in GD module related to CVE-2016-7568
    
    
    SOLUTION
    cPanel, Inc. has released updated RPMs for EasyApache 4 on October 18, 2016, with updated versions of PHP 5.6.27 and 7.0.12. Unless you have enabled automatic RPM updates in your cron, update your system with either yum update or WHM's Run System Update interface.
     
    REFERENCES
    https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7568
    http://php.net/ChangeLog-5.php
    http://www.php.net/ChangeLog-7.php

============== ADVISORY ===============