CVE-2019-11043
CVE-2019-11043 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, certain configurations of an FPM setup make it possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution. CISA has confirmed active exploitation in the wild. EPSS estimates a 99.47% chance of exploitation in the next 30 days.
Description
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11, certain configurations of an FPM setup make it possible to cause the FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation Status
This vulnerability is listed in CISA’s Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. Federal agencies must remediate by .
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Php | Php | >= 7.1.0, < 7.1.33 |
| Php | Php | >= 7.2.0, < 7.2.24 |
| Php | Php | >= 7.3.0, < 7.3.11 |
| Canonical | Ubuntu Linux | 12.04 |
| Canonical | Ubuntu Linux | 14.04 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
| Canonical | Ubuntu Linux | 19.04 |
| Canonical | Ubuntu Linux | 19.10 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Fedoraproject | Fedora | 29 |
| Fedoraproject | Fedora | 30 |
| Fedoraproject | Fedora | 31 |
| Tenable | Tenable.Sc | < 5.19.0 |
| Redhat | Software Collections | 1.0 |
| Redhat | Enterprise Linux | 8.0 |
| Redhat | Enterprise Linux Desktop | 6.0 |
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Eus | 7.7 |
| Redhat | Enterprise Linux Eus | 8.1 |
| Redhat | Enterprise Linux Eus | 8.2 |
| Redhat | Enterprise Linux Eus | 8.4 |
| Redhat | Enterprise Linux Eus | 8.6 |
| Redhat | Enterprise Linux Eus | 8.8 |
| Redhat | Enterprise Linux Eus Compute Node | 7.7 |
| Redhat | Enterprise Linux For Arm 64 | 8.0_aarch64 |
| Redhat | Enterprise Linux For Arm 64 Eus | 8.1_aarch64 |
| Redhat | Enterprise Linux For Arm 64 Eus | 8.2_aarch64 |
| Redhat | Enterprise Linux For Arm 64 Eus | 8.4_aarch64 |
| Redhat | Enterprise Linux For Arm 64 Eus | 8.6_aarch64 |
| Redhat | Enterprise Linux For Arm 64 Eus | 8.8_aarch64 |
| Redhat | Enterprise Linux For Ibm Z Systems | 6.0_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems | 7.0_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems | 8.0_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 7.7_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 8.1_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 8.2_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 8.4_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 8.6_s390x |
| Redhat | Enterprise Linux For Ibm Z Systems Eus | 8.8_s390x |
| Redhat | Enterprise Linux For Power Big Endian | 6.0_ppc64 |
| Redhat | Enterprise Linux For Power Big Endian | 7.0_ppc64 |
| Redhat | Enterprise Linux For Power Big Endian Eus | 7.7_ppc64 |
| Redhat | Enterprise Linux For Power Little Endian | 7.0_ppc64le |
| Redhat | Enterprise Linux For Power Little Endian | 8.0_ppc64le |
| Redhat | Enterprise Linux For Power Little Endian Eus | 7.7_ppc64le |
| Redhat | Enterprise Linux For Power Little Endian Eus | 8.1_ppc64le |
| Redhat | Enterprise Linux For Power Little Endian Eus | 8.2_ppc64le |
| Redhat | Enterprise Linux For Power Little Endian Eus | 8.4_ppc64le |
Showing 50 of 66 affected configurations. See NVD for the full list.
References
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html (Mailing List, Third Party Advisory)
- http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html (Exploit, Third Party Advisory, VDB Entry)
- http://seclists.org/fulldisclosure/2020/Jan/40 (Mailing List, Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3286 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3287 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3299 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3300 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3724 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3735 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2019:3736 (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2020:0322 (Third Party Advisory)
- https://bugs.php.net/bug.php?id=78599 (Exploit, Issue Tracking, Patch, Vendor Advisory)
- https://github.com/neex/phuip-fpizdam (Exploit, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/ (Mailing List, Third Party Advisory)
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/ (Mailing List, Third Party Advisory)
- https://seclists.org/bugtraq/2020/Jan/44 (Mailing List, Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20191031-0003/ (Third Party Advisory)
- https://support.apple.com/kb/HT210919 (Third Party Advisory)
- https://usn.ubuntu.com/4166-1/ (Third Party Advisory)
- https://usn.ubuntu.com/4166-2/ (Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4552 (Mailing List, Third Party Advisory)
- https://www.debian.org/security/2019/dsa-4553 (Mailing List, Third Party Advisory)
- https://www.synology.com/security/advisory/Synology_SA_19_36 (Third Party Advisory)
- https://www.tenable.com/security/tns-2021-14 (Third Party Advisory)
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2019-11043 (US Government Resource)
Source: NVD / NIST