Optionsbleed and cPanel

Hello All,

After reading this Ars article, I freaked out a little; I tried running the 'test' to see whether my system is affected, but found nothing out of the ordinary:
Code:
for i in {1..100}; do curl -sI -X OPTIONS https://yoursite.tld/|grep -i "allow:"; done
They recommend installing this patch (for Apache 2.4), but I'm not quite clear on the procedure.

Is the patch even necessary?
Running CentOS 7.3 x64; cPanel v66.0.23; Apache 2.4. All software is the latest (i.e., yum update says 'No packages marked for update').
 

KH-Jonathan

Director of Managed Services
Staff member
An official patch has not been released yet, but when it is we'll be applying it across the board of course to anyone on EasyApache 4. Once a patch makes it through the official channels anyone on EasyApache 3 would need to run a rebuild.

Per https://access.redhat.com/security/cve/CVE-2017-9798 the criteria for this to be possible are pretty small and only if you have incorrect .htaccess rules set up.
 
Thank you for the info!
I am, indeed, using EasyApache 4

Also, it seems that, for this bug to cause problems, you have to use a 'Limit' directive in an htaccess file that calls a non-existing method..
I guess that makes 99% of us safe..

Sorry about my freakout... And thank you for the prompt response!
 

KH-Jonathan

Director of Managed Services
Staff member
The patch is syncing out to RPM mirrors right now and will be updated on all EA4 systems within the next 24-48 hours.

The fix is in ea-apache24-2.4.27-8.8.1.cpanel.x86_64 and newer.
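
The condition mentioned in this thread (a 'Limit' directive in an .htaccess file that names a non-existing method) can be looked for on disk. The shell function below is an added example, not part of the thread or of cPanel's tooling; it assumes the method list given in Apache's `<Limit>` documentation, and the sample files are constructed.

```shell
#!/bin/sh
# Added example: list <Limit>/<LimitExcept> arguments in .htaccess files that
# are not in the method list from Apache's <Limit> documentation (assumption).
KNOWN_METHODS="GET POST PUT DELETE CONNECT OPTIONS PATCH PROPFIND PROPPATCH MKCOL COPY MOVE LOCK UNLOCK"

# scan_htaccess DIR -> prints "file:line:method" for each unrecognised name.
# Method names are case-sensitive in Apache, so "get" is reported as well.
scan_htaccess() {
    find "$1" -type f -name .htaccess -exec awk -v known="$KNOWN_METHODS" '
        BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
        /^[ \t]*#/ { next }                      # ignore commented-out lines
        {
            # Directive names are case-insensitive; match on a lowered copy.
            if (!match(tolower($0), /<limit(except)?[ \t]+[^>]*>/)) next
            tag = substr($0, RSTART, RLENGTH)
            sub(/^<[A-Za-z]+[ \t]+/, "", tag)    # drop "<Limit " / "<LimitExcept "
            sub(/>$/, "", tag)                   # drop closing ">"
            m = split(tag, args, /[ \t]+/)
            for (j = 1; j <= m; j++)
                if (args[j] != "" && !(args[j] in ok))
                    printf "%s:%d:%s\n", FILENAME, FNR, args[j]
        }' {} +
}

# Constructed sample tree (not from the thread): one clean file, one file
# whose <Limit> names a method that does not exist.
demo() {
    d=$(mktemp -d)
    mkdir -p "$d/clean" "$d/typo"
    printf '<Limit GET POST>\n  Require all granted\n</Limit>\n' > "$d/clean/.htaccess"
    printf '# <Limit FOO>\n<Limit GET abcxyz>\n  Require all denied\n</Limit>\n' > "$d/typo/.htaccess"
    scan_htaccess "$d"
    rm -rf "$d"
}

demo
```

A hit means the name is outside the documented list and the directive is worth reviewing; it is not proof that the server is affected.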
 