PHP devs: Platform.sh protects you from CVE-2019-11043

Larry Garfield
Documentation Director
30 Oct 2019

Last week, the PHP development team released PHP 7.1.33, 7.2.24, and 7.3.11, all of which fix a security vulnerability in the PHP-FPM process manager tool used by most PHP hosting environments, including Platform.sh. The bug in question, dubbed CVE-2019-11043, would have allowed for, potentially, remote code execution exploits (i.e., really bad news).

If you’re on Platform.sh, though, don’t worry; you’re already safe.

The bug involves sending specially crafted URLs to the server, triggering a string parsing error, which causes the server to expose memory it shouldn’t. That means the bug is dependent on the web server configuration allowing such specially crafted URLs through. The Hacker News has a more detailed write-up for those interested in the details.

Unfortunately, many of the most common Nginx configurations allow such sneaky URLs.

Fortunately, Platform.sh’s Nginx configuration does not. Rather, hostile URLs are blocked before they reach PHP-FPM in the first place. That makes the bug unexploitable on Platform.sh.

We’re still upgrading our PHP application images to the new releases. Updates are rolling out today.

  • If you’re on Platform.sh Dedicated, the update is fully transparent.
  • If you’re on Platform.sh Professional, the new PHP versions will automatically be used the next time you deploy.
  • If you want to make sure you’re running the latest version, but have no new code to push, run platform redeploy from the Platform.sh command line, and you’re good to go.

If you’re not running on Platform.sh, please stop what you’re doing and go upgrade your PHP version, adjust your Nginx configuration, or both.

If you’re on PHP versions older than 7.1, you’re running an unsupported version of PHP; that means no fix to PHP itself will be released. Because the Nginx configuration is the same on all of our PHP versions, you’re still protected from this exploit on Platform.sh. However, we encourage you to take this opportunity to upgrade your application to a supported PHP version, 7.2 or above. PHP 7.1 will go out of security support in one month, with the release of PHP 7.4.

Although Platform.sh has no immediate plans to remove old PHP versions from our offering, we do strongly urge all users to use a fully supported PHP version: 7.2 or higher, or ideally 7.3 (which will become the legacy version later this year). Fortunately, and as usual, upgrades are dead-simple; you need only change one character in your .platform.app.yaml file:

type: php:7.3

And then push. (Try it in a branch first, of course. That’s what easy branch environments are for!)