Remote code execution through ImageMagick library (CVE-2016-3714)

Created:

2016-11-16 13:13:46 UTC

Modified:

2017-04-24 11:42:26 UTC


Applicable to:

  • Plesk for Linux

Symptoms

The (1) EPHEMERAL, (2) HTTPS, (3) MVG, (4) MSL, (5) TEXT, (6) SHOW, (7) WIN, and (8) PLT coders in ImageMagick before 6.9.3-10 and 7.x before 7.0.1-1 allow remote attackers to execute arbitrary code via shell metacharacters in a crafted image, aka "ImageTragick."

This critical issue has been assigned CVE-2016-3714.

Resolution

PHP packaged by the Plesk team uses the ImageMagick library shipped with the OS distribution. Because this issue is not in Plesk's own code, the Plesk team will not release a special patch for it. However, we would like to keep our valued customers aware of the security implications: please monitor your OS vendor's security updates and apply them to your server as soon as they are released.

As a workaround, you can follow the instructions from ImageMagick and add the following block to your policy.xml file:

<policy domain="coder" rights="none" pattern="EPHEMERAL" />
<policy domain="coder" rights="none" pattern="HTTPS" />
<policy domain="coder" rights="none" pattern="MVG" />
<policy domain="coder" rights="none" pattern="MSL" />
<policy domain="coder" rights="none" pattern="TEXT" />
<policy domain="coder" rights="none" pattern="SHOW" />
<policy domain="coder" rights="none" pattern="WIN" />
<policy domain="coder" rights="none" pattern="PLT" />
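The following script is an added example, not part of this article or of Plesk's or ImageMagick's own tooling. It parses a policy.xml, reports which of the eight coders named above are not yet covered by a rights="none" entry, and prints the exact lines to add. It assumes ImageMagick matches the pattern attribute glob-style (so a pattern of "*" covers every coder) and takes the path to policy.xml as an optional argument; the file path and the embedded sample policy are constructed for illustration.

```python
"""Check an ImageMagick policy.xml for the CVE-2016-3714 coder mitigations (added example)."""
import fnmatch
import sys
import xml.etree.ElementTree as ET

# The eight coders named in the advisory for CVE-2016-3714 ("ImageTragick").
IMAGETRAGICK_CODERS = ("EPHEMERAL", "HTTPS", "MVG", "MSL", "TEXT", "SHOW", "WIN", "PLT")

# Constructed sample policy.xml: only four of the eight coders are blocked.
SAMPLE_POLICY_XML = """<policymap>
  <policy domain="resource" name="memory" value="256MiB"/>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>
"""


def denied_coder_patterns(policy_xml):
    """Return the pattern of every <policy domain="coder" rights="none"> entry."""
    root = ET.fromstring(policy_xml)
    patterns = []
    for policy in root.iter("policy"):
        if policy.get("domain", "").strip().lower() != "coder":
            continue
        if policy.get("rights", "").strip().lower() != "none":
            continue
        pattern = policy.get("pattern")
        if pattern:
            patterns.append(pattern)
    return patterns


def missing_coders(policy_xml, coders=IMAGETRAGICK_CODERS):
    """Return the coders not covered by any rights="none" entry.

    Patterns are compared glob-style (assumption: ImageMagick treats the
    pattern attribute as a glob), so a single pattern="*" covers all coders.
    """
    patterns = denied_coder_patterns(policy_xml)
    return [c for c in coders
            if not any(fnmatch.fnmatchcase(c, p) for p in patterns)]


def policy_lines_for(coders):
    """Render the policy.xml lines that would block the given coders."""
    return "\n".join(
        f'<policy domain="coder" rights="none" pattern="{c}" />' for c in coders
    )


def main(argv):
    if len(argv) > 1:
        # Path is an assumption, e.g. /etc/ImageMagick/policy.xml on your system.
        with open(argv[1], encoding="utf-8") as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_POLICY_XML
    missing = missing_coders(xml_text)
    if not missing:
        print("OK: all CVE-2016-3714 coders are denied")
        return 0
    print("MISSING: add these entries inside <policymap> in policy.xml:")
    print(policy_lines_for(missing))
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the sample to see the four missing entries, or pass the path of the policy.xml that your ImageMagick build actually reads (the `convert -list policy` command prints the policy files in use). A non-zero exit status makes the check easy to wire into a post-update sanity script, since a distribution package update can replace policy.xml and silently drop the workaround.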