ServerPilot Is Not Vulnerable to PHP-FPM CVE-2019-11043
October 29, 2019
ServerPilot users are not at risk from the recently discovered PHP-FPM vulnerability (CVE-2019-11043). The server configuration ServerPilot uses prevents the vulnerability from being exploitable. As always, ServerPilot automatically updated all servers with the latest PHP versions that fix the vulnerability.
About the Vulnerability
The vulnerability can be exploited when PHP-FPM is used directly with Nginx under certain Nginx configurations. The vulnerability is notable due to it being in PHP-FPM itself and being remotely exploitable. An attacker only needs to be able to make an HTTP request to the server in order to take over PHP processes. The vulnerability does not rely on any specific PHP code being used by the application.
PHP-FPM is PHP's official FastCGI Process Manager (FPM). When a webserver receives a request for a PHP script, it proxies the request to PHP-FPM and waits for PHP-FPM to respond with the output that should be sent back to the client who made the request. PHP-FPM takes care of creating, reusing, and destroying PHP processes based on request load so as to efficiently use CPU and memory.
ServerPilot configures Nginx as a reverse proxy in front of Apache where Apache communicates with PHP-FPM. Because this vulnerability is exploitable when Nginx is configured to communicate directly with PHP-FPM, the vulnerablity is not exploitable in ServerPilot's configuration.
Once the updated PHP versions fixing this vulnerability were released, the security researcher who discovered the bug published additional details on GitHub.
What We've Done
We have updated all releases of PHP 7 with the patch that fixes the vulnerability.
PHP 5 is not vulnerable.
What You Need to Do
If you have customized your server's Nginx configuration to have Nginx communicate directly with PHP-FPM and you have disabled automatic updates, you should re-enable automatic updates or else your server may be vulnerable.
Contact Us With Questions
If you have any questions or concerns, don't hesitate to contact support.