Applicable to:
- Plesk for Linux
- Plesk for Windows
Situation
We have fixed a vulnerability with internal ID #PFSI-61276 that can be used by an unprivileged user to gain administrator privileges.
Impact
A subscription owner can read arbitrary files on behalf of the psaadm system user. Consequently, in Plesk for Linux, a subscription owner can log in to Plesk as admin, and run arbitrary code on behalf of the root system user.
Plesk versions 17.0 to 17.9 (both for Linux and Windows) are affected.
Call to Action
Install the latest Plesk updates.
To make sure that all updates are installed automatically (including security ones), go to Tools & Settings > Update and Upgrade Settings and select the Automatically install Plesk updates (Recommended) checkbox.
We have also developed updates for Plesk versions that have now reached end of life (Plesk versions 12.x). But an even better way to protect your server from the PFSI-61276 vulnerability and from future security threats is to upgrade Plesk to the latest version. The latest stable Plesk version is the first one to receive security updates.
Note: To confirm that the currently installed Plesk version is no longer affected, find the update version and verify that it is not lower than the following:
- Plesk Onyx 17.0.17 Update #68
- Plesk Onyx 17.5.3 Update #65
- Plesk Onyx 17.8.11 Update #49
- Plesk Onyx 17.9.13 (no updates so far, since it is a testing version; note the last digit here)
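The version comparison described in the note above, as an added example that is not part of the advisory or of Plesk's own tooling. It assumes the installed build can be read from a line such as "Product version: Plesk Onyx 17.8.11 Update #49" (the shape of `plesk version` output is an assumption here); the fixed-build table is copied from the list above.

```python
import re

# Minimum fixed builds per branch, copied from the advisory above.
# Keyed by (major, minor); value is (patch, update) of the first fixed build.
# 17.9.13 is listed with no update number, so any 17.9.13 build counts as fixed.
FIXED_BUILDS = {
    (17, 0): (17, 68),
    (17, 5): (3, 65),
    (17, 8): (11, 49),
    (17, 9): (13, 0),
}

# Matches "17.8.11 Update #49" or a bare "17.9.13" inside a longer line.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)\b(?:\s+Update\s+#(\d+))?")


def parse_version(text):
    """Return (major, minor, patch, update) from a line such as
    'Product version: Plesk Onyx 17.8.11 Update #49' (assumed format).
    A missing 'Update #N' suffix counts as update 0."""
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError("no Plesk version string found in: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    update = int(m.group(4)) if m.group(4) else 0
    return major, minor, patch, update


def pfsi_61276_status(text):
    """Classify an installed build as 'fixed', 'vulnerable' or 'unlisted'.
    'unlisted' means the branch is not in the advisory's table (e.g. EoL 12.x),
    so this check cannot vouch for it either way."""
    major, minor, patch, update = parse_version(text)
    fixed = FIXED_BUILDS.get((major, minor))
    if fixed is None:
        return "unlisted"
    # Compare the patch number first, then the update number, which is
    # what the advisory's "not lower than" rule means.
    return "fixed" if (patch, update) >= fixed else "vulnerable"


if __name__ == "__main__":
    # Constructed sample lines, not real server output.
    for line in ("Product version: Plesk Onyx 17.8.11 Update #49",
                 "Product version: Plesk Onyx 17.8.11 Update #48",
                 "Product version: Plesk Onyx 17.9.13",
                 "Product version: Plesk 12.5.30 Update #1"):
        print(line, "->", pfsi_61276_status(line))
```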
Warning: If your server uses an end-of-life OS, migrate to a newer one. Otherwise, the server will be exposed to PFSI-61276 and future vulnerabilities.
Comments
6 comments
This security issue is not mentioned in the Plesk ChangeLog. Is this issue fixed in the current latest version? 17.8.11 update 49?
@R Broersma
I added the list of versions which are confirmed to have the issue fixed. Using those or newer update versions guarantees that the Plesk installation is not affected.
Is it sure that older Plesk versions (10.x, 11.x and 11.5.x) are not affected?
Hi @Jef,
While investigating a vulnerability, the development team responsible for security does not check if unsupported (including EoLed) Plesk versions are affected by the vulnerability or not.
One should believe that a version becomes insecure as soon as it reaches the end of life (stops receiving security updates).
So, in case you are still using EoL Plesk versions, the recommendation is to migrate domains to another server with a supported Plesk version, or to upgrade Plesk in place if the OS in use is supported by newer Plesk versions.
Hi Ivan, I see. Does Plesk Support Team undertake such upgrades (I mean paid upgrades) or at least would it support me if I upgrade to Plesk Onyx and I run into one or multiple issues?
Hello @Jeff,
You may start an upgrade on your own, and in case of an issue during the upgrade you may contact us directly or one of our partners (if the Plesk license was purchased from them).
The same for any other issues with all versions of Plesk Onyx.
An upgrade may be also made for you on a paid basis by Plesk Professional Services.