• Overview
    Key features
    • Observability
    • Auto-scaling
    • Multiframework
    • Security
    • Django
    • Next.js
    • Drupal
    • WordPress
    • Symfony
    • Magento
    • See all frameworks
    • PHP
    • Python
    • Node.js
    • Ruby
    • Java
    • Go
  • Industries
    • Consumer Goods
    • Media/Entertainment
    • Higher Education
    • Government
    • Ecommerce
  • Pricing
  • Featured articles
    • Switching to Platform.sh can help IT/DevOps organizations drive 219% ROI
    • Organizations, the ultimate way to manage your users and projects
  • Support
  • Docs
  • Login
  • Request a demo
  • Free Trial
Meet Upsun. The new, self-service, fully managed PaaS, powered by Platform.sh.Try it now
PHP devs: Platform.sh protects you from CVE-2019-11043

PHP devs: Platform.sh protects you from CVE-2019-11043

30 October, 2019
Larry Garfield
Larry Garfield
Director of Developer Experience

Last week, the PHP development team released PHP 7.1.33, 7.2.24, and 7.3.11, all of which fix a security vulnerability in the PHP-FPM process manager tool used by most PHP hosting environments, including Platform.sh. The bug in question, dubbed CVE-2019-11043, would have allowed for, potentially, remote code execution exploits (i.e., really bad news).

If you're on Platform.sh, though, don't worry; you're already safe.

The bug involves sending specially crafted URLs to the server, triggering a string parsing error, which causes the server to expose memory it shouldn't. That means the bug is dependent on the web server configuration allowing such specially crafted URLs through. The Hacker News has a more detailed write-up for those interested in the details.

Unfortunately, many of the most common Nginx configurations allow such sneaky URLs.

Fortunately, Platform.sh's Nginx configuration does not. Rather, hostile URLs are blocked before they reach PHP-FPM in the first place. That makes the bug unexploitable on Platform.sh.

We're still upgrading our PHP application images to the new releases. Updates are rolling out today.

  • If you're on Platform.sh Dedicated, the update is fully transparent.
  • If you're on Platform.sh Professional, the new PHP versions will automatically be used the next time you deploy.
  • If you want to make sure you're running the latest version, but have no new code to push, run platform redeploy from the Platform.sh command line, and you're good to go.

If you're not running on Platform.sh, please stop what you're doing and go upgrade your PHP version, adjust your Nginx configuration, or both.

If you're on PHP versions older than 7.1, you're running an unsupported version of PHP; that means no fix to PHP itself will be released. Because the Nginx configuration is the same on all of our PHP versions, you’re still protected from this exploit on Platform.sh. However, we encourage you to take this opportunity to upgrade your application to a supported PHP version, 7.2 or above. PHP 7.1 will go out of security support in one month, with the release of PHP 7.4.

Although Platform.sh has no immediate plans to remove old PHP versions from our offering, we do strongly urge all users to use a fully supported PHP version: 7.2 or higher, or ideally 7.3 (which will become the legacy version later this year). Fortunately, and as usual, upgrades are dead-simple; you need only change one character in your .platform.app.yaml file:

type: php:7.3

And then push. (Try it in a branch first, of course. That's what easy branch environments are for!)

Get the latest Platform.sh news and resources

Related Content

A festive treat: PHP 8.3 is already available on Platform.sh

A festive treat: PHP 8.3 is already available on Platform.sh

AboutSecurity and complianceTrust CenterCareersPressContact us
Thank you for subscribing!
Field required
Leader Winter 2023
System StatusPrivacyTerms of ServiceImpressumWCAG ComplianceAcceptable Use PolicyManage your cookie preferencesReport a security issue
© 2024 Platform.sh. All rights reserved.
Supported by Horizon 2020's SME Instrument - European Commission 🇪🇺