- Plesk Onyx for Linux
- Plesk 12.5 for Linux
Vulnerability CVE-2018-12029 was discovered in Phusion Passenger.
A race condition in the nginx module in Phusion Passenger 3.x through 5.x before 5.3.2 allows local escalation of privileges when a non-standard
passenger_instance_registry_dir with insufficiently strict permissions is configured.
In Apache error log,
/var/log/httpd/error_log for Centos/RedHat based,
/var/log/apache2/error_log for Debian/Ubuntu the following security notice is shown:
CONFIG_TEXT: [ age/Cor/SecurityUpdateChecker.h:376 ]: A security update is available for your version (5.1.x) of Passenger, we strongly recommend upgrading to version 5.3.2.
[ age/Cor/SecurityUpdateChecker.h:381 ]: Additional information: - [Fixed in 5.3.2] [CVE-2018-12026, 12027, and 12028] These are local denial of service, local information disclosure and local privilege escalation vulnerabilities that could be exploited by malicious applications or malicious users on the system.
Default Passenger configuration shipped by Plesk is not affected.
passenger_instance_registry_dir directive has been changed in configuration of Passenger, then privilege escalation may be possible.
Call to action
Upgrade to Plesk Onyx 17.8 in order to avoid the issue completely.
Also, despite the fact that by default configuration shipped with Plesk is not affected, Passenger is upgraded to non-affected version in Plesk Onyx 17.8 already and is going to be upgraded in Plesk Onyx 17.5 later.
In case passenger_instance_registry_dir directive was customized manually, revert the changes in case upgrade to Plesk Onyx 17.8 is not an option.