[Security] CVE-2017-7529 Integer overflow in the range filter

Created:

2017-08-10 11:46:14 UTC

Modified:

2017-08-10 12:33:37 UTC

0

Was this article helpful?


Have more questions?

Submit a request

[Security] CVE-2017-7529 Integer overflow in the range filter

Applicable to:

  • Plesk 12.0 for Linux
  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

General information

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range filter module resulting into leak of potentially sensitive information triggered by specially crafted request.

For more information, please refer to the following resource:

Vulnerability Details : CVE-2017-7529

Resolution

As it is described in vulnerability description the issue can be fixed by upgrade to nginx 1.13.3 or at leas 1.12.1. However, it is not possible to upgrade nginx package on Plesk server because it uses own sw-nginx build.

The issue is submitted as bug #PPPM-6714 and will be fixed in future Plesk releases.

As a workaround, perform the following:

  • Connect to the server using SSH

  • create additional configuration file for nginx and add max_ranges directive

    # cat /etc/nginx/conf.d/cve.conf
    
    max_ranges 1;
  • restart nginx service to apply changes:

    # service nginx restart 
    
Have more questions? Submit a request
Please sign in to leave a comment.