Dear all,

On October 22, there's a vulnerability found in php-fpm which could lead to remote code execution. iRedMail users asked whether it affects our iRedMail server, the short answer is: iRedMail is not affected and safe with default Nginx/PHP-FPM configurations, you don't need to do anything with default iRedMail configuration or web applications shipped by iRedMail or iRedMail Easy.

General Solution

1: Upgrade PHP to the latest stable release (7.1.33, 7.2.14, 7.3.11) to fix this issue. You may need to wait for your Linux/BSD vendor to roll out the new version with the patch applied.
2: Step #1 should be enough to fix the issue, but better update Nginx configuration and replace the `fastcgi_split_path_info` directive by following upstream of your web applications.

Details

2 softwares are involved in this issue:

• Nginx. It uses Nginx directive "fastcgi_split_path_info" to parse path info and forward to php-fpm.

• php-fpm. FPM parses the forwarded request, if the requested file doesn't exist, it tries to get file/path from request url.

iRedMail doesn't use "fastcgi_split_path_info" in Nginx. Although Nginx package ships file /etc/nginx/snippets/fastcgi-php.conf on some Linux distributions which uses "fastcgi_split_path_info", but this snippet file is not used by iRedMail or iRedMail Easy at all. We use /etc/nginx/templates/fastcgi_php.tmpl and /etc/nginx/templates/php_catchall.tmpl, both don't use `fastcgi_split_path_info` directive.

OwnCloud and NextCloud are affected

NextCloud published fix on their blog, please follow it to fix the issue immediately:

- Urgent security issue in NGINX/php-fpm:
  https://nextcloud.com/blog/urgent-secur … x-php-fpm/

If you deployed OwnCloud and NextCloud on your server (both are not offered by iRedMail or iRedMail Easy), i believe they both are affected. Their URL schema is `/xxx.php/yyy`. With the usage of `fastcgi_split_path_info` in NextCloud's Nginx snippet config, it will trigger the bug. But all web applications offered by iRedMail or iRedMail Easy don't use such URL schema and no `fastcgi_split_path_info`, Nginx will throw `404 Not Found` error instead of triggering this bug.

Warning: If you have other web applications deployed, please check related Nginx config file and make sure they don't use directive `fastcgi_split_path_info`, otherwise they're affected too.

See also

For more details about the vulnerability itself, please check links below:

- Sec Bug #78599: env_path_info underflow in fpm_main.c can lead to RCE:
  https://bugs.php.net/bug.php?id=78599

- Web servers using nginx and PHP-FPM are vulnerable to this flaw under certain conditions.:
  https://www.tenable.com/blog/cve-2019-1 … n-on-nginx