First published: Tue Oct 22 2019
apache_mod_php. Multiple issues were addressed by updating to PHP version 7.3.11.
CVE-2019-11043
Credit: security@php.net
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/php | <0:5.3.3-50.el6_10 | 0:5.3.3-50.el6_10 |
redhat/php | <0:5.4.16-46.1.el7_7 | 0:5.4.16-46.1.el7_7 |
redhat/php | <0:5.4.16-46.1.el7_6 | 0:5.4.16-46.1.el7_6 |
redhat/rh-php70-php | <0:7.0.27-2.el6 | 0:7.0.27-2.el6 |
redhat/rh-php72-php | <0:7.2.24-1.el7 | 0:7.2.24-1.el7 |
redhat/rh-php71-php | <0:7.1.30-2.el7 | 0:7.1.30-2.el7 |
redhat/rh-php70-php | <0:7.0.27-2.el7 | 0:7.0.27-2.el7 |
PHP PHP | >=7.1.0<7.1.33 | |
PHP PHP | >=7.2.0<7.2.24 | |
PHP PHP | >=7.3.0<7.3.11 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Canonical Ubuntu Linux | =18.04 | |
Canonical Ubuntu Linux | =19.04 | |
Canonical Ubuntu Linux | =19.10 | |
Debian Debian Linux | =9.0 | |
Debian Debian Linux | =10.0 | |
Apple macOS Catalina | <10.15.3 | 10.15.3 |
Apple Mojave | ||
Apple High Sierra | ||
PHP PHP | <7.1.33 | 7.1.33 |
redhat/php | <7.3.11 | 7.3.11 |
redhat/php | <7.2.24 | 7.2.24 |
redhat/php | <7.1.33 | 7.1.33 |
Fedoraproject Fedora | =29 | |
Fedoraproject Fedora | =30 | |
Fedoraproject Fedora | =31 | |
Tenable Tenable.sc | <5.19.0 | |
Redhat Software Collections | =1.0 | |
Redhat Enterprise Linux | =8.0 | |
Redhat Enterprise Linux Desktop | =6.0 | |
Redhat Enterprise Linux Desktop | =7.0 | |
Redhat Enterprise Linux Eus | =7.7 | |
Redhat Enterprise Linux Eus | =8.1 | |
Redhat Enterprise Linux Eus | =8.2 | |
Redhat Enterprise Linux Eus | =8.4 | |
Redhat Enterprise Linux Eus | =8.6 | |
Redhat Enterprise Linux Eus | =8.8 | |
Redhat Enterprise Linux Eus Compute Node | =7.7 | |
Redhat Enterprise Linux For Arm 64 | =8.0_aarch64 | |
Redhat Enterprise Linux For Arm 64 Eus | =8.1_aarch64 | |
Redhat Enterprise Linux For Arm 64 Eus | =8.2_aarch64 | |
Redhat Enterprise Linux For Arm 64 Eus | =8.4_aarch64 | |
Redhat Enterprise Linux For Arm 64 Eus | =8.6_aarch64 | |
Redhat Enterprise Linux For Arm 64 Eus | =8.8_aarch64 | |
Redhat Enterprise Linux For Ibm Z Systems | =6.0_s390x | |
Redhat Enterprise Linux For Ibm Z Systems | =7.0_s390x | |
Redhat Enterprise Linux For Ibm Z Systems | =8.0_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =7.7_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.1_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.2_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.4_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.6_s390x | |
Redhat Enterprise Linux For Ibm Z Systems Eus | =8.8_s390x | |
Redhat Enterprise Linux For Power Big Endian | =6.0_ppc64 | |
Redhat Enterprise Linux For Power Big Endian | =7.0_ppc64 | |
Redhat Enterprise Linux For Power Big Endian Eus | =7.7_ppc64 | |
Redhat Enterprise Linux For Power Little Endian | =7.0_ppc64le | |
Redhat Enterprise Linux For Power Little Endian | =8.0_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =7.7_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.1_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.2_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.4_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.6_ppc64le | |
Redhat Enterprise Linux For Power Little Endian Eus | =8.8_ppc64le | |
Redhat Enterprise Linux For Scientific Computing | =7.0 | |
Redhat Enterprise Linux Server | =6.0 | |
Redhat Enterprise Linux Server | =7.0 | |
Redhat Enterprise Linux Server Aus | =7.7 | |
Redhat Enterprise Linux Server Aus | =8.2 | |
Redhat Enterprise Linux Server Aus | =8.4 | |
Redhat Enterprise Linux Server Aus | =8.6 | |
Redhat Enterprise Linux Server Tus | =7.7 | |
Redhat Enterprise Linux Server Tus | =8.2 | |
Redhat Enterprise Linux Server Tus | =8.4 | |
Redhat Enterprise Linux Server Tus | =8.6 | |
Redhat Enterprise Linux Server Tus | =8.8 | |
Redhat Enterprise Linux Workstation | =6.0 | |
Redhat Enterprise Linux Workstation | =7.0 | |
debian/php5 | ||
debian/php7.0 | ||
debian/php7.3 | ||
PHP FastCGI Process Manager (FPM) | | |
Workaround until the patch is applied (nginx with php-fpm):

1) Check your nginx configuration files, especially the ones related to php-fpm, for the pattern below in the fastcgi_split_path_info regex and the PATH_INFO parameter:

~~~
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
fastcgi_param PATH_INFO $fastcgi_path_info;
~~~

2) If the fastcgi_split_path_info regex matches the one above, for each fastcgi_param PATH_INFO entry perform the following change:

~~~
fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty;
~~~

This step allows you to safely continue using the PATH_INFO parameter until the patch is applied.

3) Restart your nginx instance:

~~~
systemctl restart nginx
~~~
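The three steps above can be checked mechanically. The following Python script is an added example, not code from this page or from the PHP or nginx projects: it scans nginx configuration text for the exact fastcgi_split_path_info regex named in step 1, reports each fastcgi_param PATH_INFO line that still lacks if_not_empty, and emits the step 2 form of the configuration. The function names and the sample configuration are this example's own constructions.

```python
"""Check nginx configuration text for the PATH_INFO pattern named in the
CVE-2019-11043 workaround and emit the hardened (if_not_empty) form.

Added example: the sample config is constructed and the function names are
this example's own; nothing here is part of nginx or PHP.
"""
import re
import sys
from typing import List, Tuple

# The split regex the workaround tells you to look for, compared literally.
SPLIT_PATTERN = r"^(.+?\.php)(/.*)$"

# nginx directives: leading whitespace, one or more spaces between tokens,
# ';' terminator.  The optional capture records whether if_not_empty is present.
_SPLIT_RE = re.compile(r"^\s*fastcgi_split_path_info\s+(\S+)\s*;")
_PATH_INFO_RE = re.compile(
    r"^\s*fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*(if_not_empty)?\s*;"
)

# Constructed sample: a php-fpm location block that uses the split regex from
# step 1 and passes PATH_INFO without if_not_empty (the pre-mitigation state).
SAMPLE_CONFIG = (
    "location ~ [^/]\\.php(/|$) {\n"
    "    fastcgi_split_path_info ^(.+?\\.php)(/.*)$;\n"
    "    fastcgi_param PATH_INFO $fastcgi_path_info;\n"
    "    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;\n"
    "    fastcgi_pass unix:/run/php-fpm/www.sock;\n"
    "}\n"
)


def find_path_info_findings(config_text: str) -> List[Tuple[int, str]]:
    """Steps 1 and 2 of the workaround as a check.

    Returns (line_number, message) for every `fastcgi_param PATH_INFO
    $fastcgi_path_info` line lacking `if_not_empty`, but only when the config
    also uses the split regex from step 1; otherwise the workaround does not
    apply and the list is empty.
    """
    uses_split_regex = False
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        code = line.split("#", 1)[0]  # drop trailing nginx comments
        m = _SPLIT_RE.match(code)
        if m:
            if m.group(1).strip("\"'") == SPLIT_PATTERN:
                uses_split_regex = True
            continue
        m = _PATH_INFO_RE.match(code)
        if m and m.group(1) is None:
            findings.append(
                (lineno, "fastcgi_param PATH_INFO $fastcgi_path_info lacks if_not_empty")
            )
    return findings if uses_split_regex else []


def harden(config_text: str) -> str:
    """Apply step 2: add `if_not_empty` to each PATH_INFO line that lacks it.

    Only PATH_INFO lines fed from $fastcgi_path_info are rewritten; every
    other line is returned unchanged.
    """
    out = []
    for line in config_text.splitlines(keepends=True):
        m = _PATH_INFO_RE.match(line)
        if m and m.group(1) is None:
            line = re.sub(
                r"\$fastcgi_path_info\s*;", "$fastcgi_path_info if_not_empty;", line, count=1
            )
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    # Usage: python check_path_info.py [nginx.conf ...]; with no arguments the
    # constructed sample is checked so the script runs offline.
    paths = sys.argv[1:]
    texts = [(p, open(p, encoding="utf-8").read()) for p in paths] or [("<sample>", SAMPLE_CONFIG)]
    for name, text in texts:
        for lineno, msg in find_path_info_findings(text):
            print(f"{name}:{lineno}: {msg}")
```

Run it with the paths of your nginx configuration files; each reported line is one where step 2 has not yet been applied. The check compares the split regex literally, as the workaround text does, so a configuration that uses a different fastcgi_split_path_info regex produces no findings and is left for manual review.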
CVE-2019-11043 is a vulnerability in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 that allows remote code execution.
CVE-2019-11043 has a severity rating of 8.1 out of 10, making it critical.
PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 are affected by CVE-2019-11043.
To fix CVE-2019-11043, you need to update PHP to version 7.1.33, 7.2.24, or 7.3.11.
You can find more information about CVE-2019-11043 at the following references: [https://www.php.net/ChangeLog-7.php#7.1.33](https://www.php.net/ChangeLog-7.php#7.1.33), [https://support.apple.com/en-us/HT210919](https://support.apple.com/en-us/HT210919), [https://www.cve.org/CVERecord?id=CVE-2019-11043](https://www.cve.org/CVERecord?id=CVE-2019-11043), [https://nvd.nist.gov/vuln/detail/CVE-2019-11043](https://nvd.nist.gov/vuln/detail/CVE-2019-11043), [https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/](https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/).