EMERGENCY cPanel Update for 0day exploits - GoFuckYourself.com

BradBreakfast · 12-04-2012, 05:47 PM

Hey guys -- I received an emergency e-mail from cPanel today that said there are new 0day exploits that have been found for cPanel servers and that some automatic updates failed due to the amount of traffic their update servers were receiving.

MAKE SURE when you login to cPanel WHM ROOT that is displays the version: WHM 11.34.0 (build 11) at the top. If it displays any lower version (like build 9) you need to update it.

-----------
E-mail from cPanel
-----------

Version 11.34.0.11 of cPanel & WHM addresses all known vulnerabilities. The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net.

Security Issue Information

The resolved security issues were identified by various members of the development and quality assurance teams at cPanel. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities.

Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issue. This Targeted Security Release addresses five vulnerabilities. Additional information is scheduled to be released December 6, 2012, via email.

V_RocKs · 12-04-2012, 05:59 PM

received that 24 hours ago...

AndrewX · 12-04-2012, 06:02 PM

What else is new? We believe they are largely responsible for a lot of bad web hosting experiences inflicted upon the poor website and application developers whose clients end up using them. From a systems administration perspective they make a horrible mess and in turn make the systems administrators very unhappy.

Cpanel compiles its own versions of software, the work required to apply patches to all of these custom compiled versions is immense and is usually performed by the operating system vendor (Microsoft, Red Hat etc). One of the results is a particularly poor security track record because the applications simply aren't patched as quickly or as methodically as they could/should be.

It also stores configuration and log files in non standard locations. When you're dealing with very complex operating systems which administrators spend years learning how to use, this means, staring a Linux server upon which cpanel has been installed their years of experience is not worth nearly as much as it should be. This means problems are harder to find, harder fix, slower and more costly to resolve. Which of course makes diagnostics and support very difficult and outages are longer.

Software versions are either terribly old, or so cutting edge that they breaks things. In the case of CPanel it takes an innovative approach to patch application. Normally, when an application is released, as bugs are found patches are released. Concurrently new versions of the same application are released. When a new version is released at first it wont have any bugs but over time they are found and patches are subsequently released. The cycle goes on. Normally, application vendors continue to release patches for both the new and the old versions of the applications they have released for the supported life (variable in length, but often up to 7 years) of the application. CPanel takes a different approach, rather than applying the patches to the existing versions of the applications, it simply upgrades them to the newest version in which bugs have not yet been found.
Why is this a problem? Take a hosting server which contains potentially hundreds of different websites all built by different website developers. A hosting company can't (and won't) test version upgrades on every site because it's simply not possible. They apply the updates and every time risk (or simply do) breaking many of the websites they hosting due incompatibilities in client code between application versions.

We prefer to use our low-resource and low-memory-footprint version of Virtualmin. You can practically do everything with it, and if you can not, our hosting is fully managed anyway. Drop us an email and we will do it for you.

12-04-2012, 05:47 PM	#1
BradBreakfast Confirmed User Join Date: Feb 2008 Posts: 415	EMERGENCY cPanel Update for 0day exploits Hey guys -- I received an emergency e-mail from cPanel today that said there are new 0day exploits that have been found for cPanel servers and that some automatic updates failed due to the amount of traffic their update servers were receiving. MAKE SURE when you login to cPanel WHM ROOT that is displays the version: WHM 11.34.0 (build 11) at the top. If it displays any lower version (like build 9) you need to update it. ----------- E-mail from cPanel ----------- Version 11.34.0.11 of cPanel & WHM addresses all known vulnerabilities. The latest public releases of cPanel & WHM for all update tiers are published at http://httpupdate.cpanel.net. Security Issue Information The resolved security issues were identified by various members of the development and quality assurance teams at cPanel. There is no reason to believe that these vulnerabilities are known to the public. As such, cPanel will only release limited information regarding the vulnerabilities. Once sufficient time has passed to allow cPanel & WHM systems to automatically update their installed software to the new versions, cPanel will release additional information regarding the nature of the security issue. This Targeted Security Release addresses five vulnerabilities. Additional information is scheduled to be released December 6, 2012, via email. __________________ GetClicky - The World's Most Advanced Real Time Ajax-based Analytics

12-04-2012, 06:02 PM	#3
AndrewX Confirmed User Industry Role: Join Date: Jan 2004 Posts: 574	What else is new? We believe they are largely responsible for a lot of bad web hosting experiences inflicted upon the poor website and application developers whose clients end up using them. From a systems administration perspective they make a horrible mess and in turn make the systems administrators very unhappy. Cpanel compiles its own versions of software, the work required to apply patches to all of these custom compiled versions is immense and is usually performed by the operating system vendor (Microsoft, Red Hat etc). One of the results is a particularly poor security track record because the applications simply aren't patched as quickly or as methodically as they could/should be. It also stores configuration and log files in non standard locations. When you're dealing with very complex operating systems which administrators spend years learning how to use, this means, staring a Linux server upon which cpanel has been installed their years of experience is not worth nearly as much as it should be. This means problems are harder to find, harder fix, slower and more costly to resolve. Which of course makes diagnostics and support very difficult and outages are longer. Software versions are either terribly old, or so cutting edge that they breaks things. In the case of CPanel it takes an innovative approach to patch application. Normally, when an application is released, as bugs are found patches are released. Concurrently new versions of the same application are released. When a new version is released at first it wont have any bugs but over time they are found and patches are subsequently released. The cycle goes on. Normally, application vendors continue to release patches for both the new and the old versions of the applications they have released for the supported life (variable in length, but often up to 7 years) of the application. CPanel takes a different approach, rather than applying the patches to the existing versions of the applications, it simply upgrades them to the newest version in which bugs have not yet been found. Why is this a problem? Take a hosting server which contains potentially hundreds of different websites all built by different website developers. A hosting company can't (and won't) test version upgrades on every site because it's simply not possible. They apply the updates and every time risk (or simply do) breaking many of the websites they hosting due incompatibilities in client code between application versions. We prefer to use our low-resource and low-memory-footprint version of Virtualmin. You can practically do everything with it, and if you can not, our hosting is fully managed anyway. Drop us an email and we will do it for you. __________________ █ ► XenLayer - Paravirtualization Professionals since 2008 - [ICQ: 297820698] █ ► Reseller Hosting \| OpenVZ VPS \| XEN VPS \| Dedicated Servers

12-04-2012, 05:59 PM	#2
V_RocKs Damn Right I Kiss Ass! Industry Role: Join Date: Dec 2003 Location: Cowtown, USA Posts: 32,303	received that 24 hours ago...