[Security] CVE-2015-8994 PHP OpCache vulnerability

Refers to:

  • Plesk 12.5 for Linux
  • Plesk Onyx for Linux

Created:

2017-03-10 14:41:34 UTC

Modified:

2017-03-20 09:46:30 UTC


General information

The vulnerability was registered on March 2. It affects installations where PHP-FPM is used with Zend OpCache: a user of one subscription can include PHP files belonging to another subscription's user and read the values of sensitive variables. An application's database credentials (e.g. WordPress) can be compromised. Often, the full subscription can be compromised.

PHP 7 prior to version 7.0.14 and PHP 5 prior to version 5.6.29 are vulnerable. Older versions are also vulnerable by default, unless opcache.validate_permission is enabled.

For more information, please refer to the following resources:

Vulnerability Summary for CVE-2015-8994 - NIST publication

https://bugs.php.net/bug.php?id=69090

https://bugs.php.net/bug.php?id=74182

OPcache README commit

Resolution

This issue is fixed in:

As a temporary workaround for the issue, go to Websites & Domains > PHP Settings and set opcache.enable to off.

Please also note that this change can decrease server performance.
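
An added example (not Plesk's or PHP's own code): a Python check that applies the conditions described in this article to the text-mode phpinfo output of one PHP handler, for instance as saved from php-fpm -i. The sample input, the status names and the function names are constructed for illustration.

```python
import re

# Fixed releases named in the article, keyed by PHP major version.
FIXED = {5: (5, 6, 29), 7: (7, 0, 14)}

# Constructed sample: text-mode phpinfo lines ("name => local => master").
SAMPLE = """\
PHP Version => 7.0.13
Server API => FPM/FastCGI
opcache.enable => On => On
"""

def parse_phpinfo(text):
    """Collect `name => value` pairs, keeping the first (local) value."""
    info = {}
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("=>")]
        if len(parts) >= 2 and parts[0]:
            info.setdefault(parts[0], parts[1])
    return info

def is_on(value):
    return str(value).strip().lower() in ("1", "on", "yes", "true")

def assess(text):
    """Return (status, reason) for one PHP handler's phpinfo dump."""
    info = parse_phpinfo(text)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", info.get("PHP Version", ""))
    if not m:
        return ("unknown", "PHP version not found in input")
    version = tuple(int(g) for g in m.groups())
    if "FPM" not in info.get("Server API", ""):
        return ("not-applicable", "handler is not PHP-FPM")
    if not is_on(info.get("opcache.enable", "off")):
        return ("mitigated", "opcache.enable is off (the article's workaround)")
    if is_on(info.get("opcache.validate_permission", "off")):
        return ("mitigated", "opcache.validate_permission is enabled")
    fixed = FIXED.get(version[0])
    if fixed and version < fixed:
        wanted = ".".join(map(str, fixed))
        return ("vulnerable", "PHP %s is older than %s" % (m.group(0), wanted))
    # The directive is off unless set explicitly, so flag this for review.
    return ("review", "OPcache is on and opcache.validate_permission is not enabled")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Run it once per PHP handler, since each handler has its own version and settings.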
