Optionsbleed and cPanel

Discussion in 'Security' started by petersconsult, Sep 20, 2017.

  1. petersconsult

    petersconsult Member

    Hello All,

    After reading this Ars article, I freaked out a little; I tried running the 'test' to see whether my system is affected, but found nothing out of the ordinary:
    for i in {1..100}; do curl -sI -X OPTIONS https://yoursite.tld/|grep -i "allow:"; done
    They recommend installing this patch (for Apache 2.4), but I'm not quite clear on the procedure.

    Is the patch even necessary?
    Running CentOS 7.3 x64; cPanel v66.0.23; Apache 2.4. All software is latest (i.e. yum update says 'No packages marked for update').
  2. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    An official patch has not been released yet, but when it is we'll be applying it across the board of course to anyone on EasyApache 4. Once a patch makes it through the official channels anyone on EasyApache 3 would need to run a rebuild.

    Per https://access.redhat.com/security/cve/CVE-2017-9798 the criteria for this to be possible are pretty narrow and apply only if you have incorrect .htaccess rules set up.
  3. petersconsult

    petersconsult Member

    Thank you for the info!
    I am, indeed, using EasyApache 4.

    Also, it seems that, for this bug to cause problems, you have to use a 'Limit' directive in an htaccess file that calls a non-existing method.
    I guess that makes 99% of us safe.

    Sorry about my freakout... And thank you for the prompt response!
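Two defender-side checks that follow from this thread, written as an added example rather than anything posted by the participants or shipped by cPanel: one audits .htaccess content for <Limit>/<LimitExcept> blocks naming a method Apache does not register (the trigger condition described above), the other inspects the Allow header values collected by the curl loop from the first post for corrupted or inconsistent values. The sample .htaccess text and Allow values below are constructed for illustration, and the method list is Apache's built-in set; modules can register additional methods, so a hit is a candidate to review rather than a confirmed trigger.

```python
import re

# Methods Apache httpd registers by default (assumption: no module adds more).
KNOWN_METHODS = {
    "GET", "HEAD", "PUT", "POST", "DELETE", "CONNECT", "OPTIONS", "TRACE",
    "PATCH", "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION_CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE_CONTROL", "MERGE",
}

LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)

# RFC 7230 token syntax for one method name, and a comma-separated list of them.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
ALLOW_LIST_RE = re.compile(r"^" + TOKEN + r"(\s*,\s*" + TOKEN + r")*$")


def risky_limit_methods(htaccess_text):
    """Return method names used in <Limit>/<LimitExcept> that Apache does not register."""
    found = []
    for match in LIMIT_RE.finditer(htaccess_text):
        for method in match.group(1).split():
            if method.upper() not in KNOWN_METHODS:
                found.append(method)
    return found


def suspicious_allow_values(allow_values):
    """Return Allow header values that are not a clean list of method tokens.

    Non-token bytes (control characters, binary) in an Allow header are the
    visible symptom of leaked memory being copied into the response."""
    return [v for v in allow_values if not ALLOW_LIST_RE.match(v.strip())]


def allow_values_consistent(allow_values):
    """Identical OPTIONS requests should yield identical Allow headers; varying
    values across the loop are the other symptom to look for."""
    return len({v.strip() for v in allow_values}) <= 1


# Constructed sample input: a <Limit> naming a method Apache does not know.
SAMPLE_HTACCESS = "<Limit GET POST FOOBAR>\nRequire valid-user\n</Limit>\n"

# Constructed sample output of the curl loop: two clean values, one corrupted.
SAMPLE_ALLOW = [
    "GET,POST,OPTIONS,HEAD",
    "GET,POST,OPTIONS,HEAD",
    "GET,POST,OPTIONS,HEAD,\x00\x7f",
]
```

Feed the real .htaccess files and the real Allow values captured from your own host into these two functions; an empty result from both is the expected outcome for the configuration described in this thread.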
  4. KH-Jonathan

    KH-Jonathan Director of Managed Services Staff Member

    The patch is syncing out to RPM mirrors right now and will be updated on all EA4 systems within the next 24-48 hours.

    The fix is in ea-apache24-2.4.27-8.8.1.cpanel.x86_64 and newer.