Security Advisory: Serious cPanel Vulnerabilities
Posted by Kevin Stange on 19 January 2016 03:16 PM

Update 1/26: cPanel has disclosed the nature of 20 vulnerabilities fixed by this set of updates. Some of these vulnerabilities permit unauthenticated execution of arbitrary code and reading of any file on the system by a remote attacker. See the full disclosure announcement in the links at the bottom of this post for details.

Several vulnerabilities have recently been reported affecting all current cPanel releases. This set of vulnerabilities has been reported to be serious, but details have not yet been disclosed. cPanel is urging all users to upgrade to a version containing the security fixes immediately, before the details are made available.

The following versions of cPanel address the vulnerabilities:

If you are running a version of cPanel prior to 11.48, you must upgrade to 11.48 or later to fix these issues. cPanel 11.46 and earlier are no longer supported and patches will not be made available.

The vulnerability has been labeled "TSR-2016-0001" by cPanel. No CVE numbers or descriptions have been published.

To verify your system is running the correct cPanel version, log into WHM and look for a version number at the top right of the screen in the following format:

    WHM 11.54.0 (build 4)

For the purpose of reading the version, treat "11.54.0 (build 4)" as "11.54.0.4". The version should be greater than or equal to a version in the list above. If your version does not match, from WHM, follow these steps:

Alternatively, you may run the following command to check the version number via SSH:

    cat /usr/local/cpanel/version

If the version does not match, run the following command to update cPanel via SSH:

    /usr/local/cpanel/scripts/upcp

Once the upgrade is completed, please verify the version number again to make sure the upgrade was successful.

cPanel published the following advisories regarding these vulnerabilities:

If you have any questions or need assistance performing this upgrade, please contact us and we'll be happy to help.
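
The version comparison described above can be scripted when many servers need checking. The following shell script is an added example, not part of the original advisory or of cPanel's tooling: the function names are hypothetical, the fixed versions are passed as arguments (take them from the advisory's list), and comparing an installed version only against the fixed version of the same 11.xx release series is an assumption about how that list is meant to be read.

```shell
#!/bin/sh
# Added example: names below are hypothetical, not cPanel tooling.

# "WHM 11.54.0 (build 4)" -> "11.54.0.4"; an already dotted version passes through.
normalize_version() {
    printf '%s\n' "$1" |
        sed -E 's/^WHM[[:space:]]+//; s/[[:space:]]*\(build[[:space:]]+([0-9]+)\)/.\1/'
}

# Succeeds when dotted version $1 >= $2, comparing each field numerically
# (so build 10 sorts after build 4).
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n -k4,4n | head -n 1)
    [ "$lowest" = "$2" ]
}

# $1 = installed version in either format; remaining arguments = fixed versions.
# Prints: patched | needs-update | unsupported | unknown-series
check_cpanel() {
    installed=$(normalize_version "$1"); shift
    series=$(printf '%s' "$installed" | cut -d. -f1-2)
    # Releases before 11.48 receive no patch and must be upgraded.
    if ! version_ge "$series" "11.48"; then
        echo "unsupported"; return 0
    fi
    # Assumption: compare only against the fixed build of the same 11.xx series.
    for fixed in "$@"; do
        if [ "$(printf '%s' "$fixed" | cut -d. -f1-2)" = "$series" ]; then
            if version_ge "$installed" "$fixed"; then
                echo "patched"
            else
                echo "needs-update"
            fi
            return 0
        fi
    done
    echo "unknown-series"
}

# Usage on a server: sh check.sh <fixed-version>...
if [ "$#" -gt 0 ] && [ -r /usr/local/cpanel/version ]; then
    check_cpanel "$(cat /usr/local/cpanel/version)" "$@"
fi
```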