What is CVE-2019-11043?

CVE-2019-11043 is a vulnerability in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 that allows remote code execution.

How severe is CVE-2019-11043?

CVE-2019-11043 has a severity rating of 8.1 out of 10, making it critical.

Which software versions are affected by CVE-2019-11043?

PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 are affected by CVE-2019-11043.

How can I fix CVE-2019-11043?

To fix CVE-2019-11043, you need to update PHP to version 7.1.33, 7.2.24, or 7.3.11.

Where can I find more information about CVE-2019-11043?

You can find more information about CVE-2019-11043 at the following references: [https://www.php.net/ChangeLog-7.php#7.1.33](https://www.php.net/ChangeLog-7.php#7.1.33), [https://support.apple.com/en-us/HT210919](https://support.apple.com/en-us/HT210919), [https://www.cve.org/CVERecord?id=CVE-2019-11043](https://www.cve.org/CVERecord?id=CVE-2019-11043), [https://nvd.nist.gov/vuln/detail/CVE-2019-11043](https://nvd.nist.gov/vuln/detail/CVE-2019-11043), [https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/](https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/).

Vulnerability/
CVE-2019-11043

Exploited

critical

9.8

CWE

787 120 20

22/10/2019

4/8/2024

CVE-2019-11043: PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

First published: Tue Oct 22 2019(Updated: )

apache_mod_php. Multiple issues were addressed by updating to PHP version 7.3.11.

Credit: security@php.net CVE-2019-11043 security@php.net security@php.net

Affected Software	Affected Version	How to fix
redhat/php	<0:5.3.3-50.el6_10	0:5.3.3-50.el6_10
redhat/php	<0:5.4.16-46.1.el7_7	0:5.4.16-46.1.el7_7
redhat/php	<0:5.4.16-46.1.el7_6	0:5.4.16-46.1.el7_6
redhat/rh-php70-php	<0:7.0.27-2.el6	0:7.0.27-2.el6
redhat/rh-php72-php	<0:7.2.24-1.el7	0:7.2.24-1.el7
redhat/rh-php71-php	<0:7.1.30-2.el7	0:7.1.30-2.el7
redhat/rh-php70-php	<0:7.0.27-2.el7	0:7.0.27-2.el7
PHP PHP	>=7.1.0<7.1.33
PHP PHP	>=7.2.0<7.2.24
PHP PHP	>=7.3.0<7.3.11
Canonical Ubuntu Linux	=12.04
Canonical Ubuntu Linux	=14.04
Canonical Ubuntu Linux	=16.04
Canonical Ubuntu Linux	=18.04
Canonical Ubuntu Linux	=19.04
Canonical Ubuntu Linux	=19.10
Debian Debian Linux	=9.0
Debian Debian Linux	=10.0
Apple macOS Catalina	<10.15.3	10.15.3
Apple Mojave
Apple High Sierra
PHP PHP	<7.1.33	7.1.33
redhat/php	<7.3.11	7.3.11
redhat/php	<7.2.24	7.2.24
redhat/php	<7.1.33	7.1.33
Fedoraproject Fedora	=29
Fedoraproject Fedora	=30
Fedoraproject Fedora	=31
Tenable Tenable.sc	<5.19.0
Redhat Software Collections	=1.0
Redhat Enterprise Linux	=8.0
Redhat Enterprise Linux Desktop	=6.0
Redhat Enterprise Linux Desktop	=7.0
Redhat Enterprise Linux Eus	=7.7
Redhat Enterprise Linux Eus	=8.1
Redhat Enterprise Linux Eus	=8.2
Redhat Enterprise Linux Eus	=8.4
Redhat Enterprise Linux Eus	=8.6
Redhat Enterprise Linux Eus	=8.8
Redhat Enterprise Linux Eus Compute Node	=7.7
Redhat Enterprise Linux For Arm 64	=8.0_aarch64
Redhat Enterprise Linux For Arm 64 Eus	=8.1_aarch64
Redhat Enterprise Linux For Arm 64 Eus	=8.2_aarch64
Redhat Enterprise Linux For Arm 64 Eus	=8.4_aarch64
Redhat Enterprise Linux For Arm 64 Eus	=8.6_aarch64
Redhat Enterprise Linux For Arm 64 Eus	=8.8_aarch64
Redhat Enterprise Linux For Ibm Z Systems	=6.0_s390x
Redhat Enterprise Linux For Ibm Z Systems	=7.0_s390x
Redhat Enterprise Linux For Ibm Z Systems	=8.0_s390x
Redhat Enterprise Linux For Ibm Z Systems Eus	=7.7_s390x
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.1_s390x
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.2_s390x
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.4_s390x
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.6_s390x
Redhat Enterprise Linux For Ibm Z Systems Eus	=8.8_s390x
Redhat Enterprise Linux For Power Big Endian	=6.0_ppc64
Redhat Enterprise Linux For Power Big Endian	=7.0_ppc64
Redhat Enterprise Linux For Power Big Endian Eus	=7.7_ppc64
Redhat Enterprise Linux For Power Little Endian	=7.0_ppc64le
Redhat Enterprise Linux For Power Little Endian	=8.0_ppc64le
Redhat Enterprise Linux For Power Little Endian Eus	=7.7_ppc64le
Redhat Enterprise Linux For Power Little Endian Eus	=8.1_ppc64le
Redhat Enterprise Linux For Power Little Endian Eus	=8.2_ppc64le
Redhat Enterprise Linux For Power Little Endian Eus	=8.4_ppc64le
Redhat Enterprise Linux For Power Little Endian Eus	=8.6_ppc64le
Redhat Enterprise Linux For Power Little Endian Eus	=8.8_ppc64le
Redhat Enterprise Linux For Scientific Computing	=7.0
Redhat Enterprise Linux Server	=6.0
Redhat Enterprise Linux Server	=7.0
Redhat Enterprise Linux Server Aus	=7.7
Redhat Enterprise Linux Server Aus	=8.2
Redhat Enterprise Linux Server Aus	=8.4
Redhat Enterprise Linux Server Aus	=8.6
Redhat Enterprise Linux Server Tus	=7.7
Redhat Enterprise Linux Server Tus	=8.2
Redhat Enterprise Linux Server Tus	=8.4
Redhat Enterprise Linux Server Tus	=8.6
Redhat Enterprise Linux Server Tus	=8.8
Redhat Enterprise Linux Workstation	=6.0
Redhat Enterprise Linux Workstation	=7.0
debian/php5
debian/php7.0
debian/php7.3
PHP FastCGI Process Manager (FPM)

Remedy

1) Check your nginx configuration files, specially the ones related to php-fpm for presence of pattern bellow on fastcgi_split_path_info regex and PATH_INFO parameter: ~~~ fastcgi_split_path_info ^(.+?\.php)(/.*)$; fastcgi_param PATH_INFO $fastcgi_path_info; ~~~ 2) If fastcgi_split_path_info regex matches with the one above, for each fastcgi_param PATH_INFO entry perform the following change: ~~~ fastcgi_param PATH_INFO $fastcgi_path_info if_not_empty; ~~~ This step will allow you to safely continue using PATH_INFO parameter while the patch is not applied. 3) Restart your nginx instance: ~~~ systemctl restart nginx ~~~

Remedy

https://bugs.php.net/bug.php?id=78599

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

(Appears in the following advisories)

Frequently Asked Questions

What is CVE-2019-11043?
CVE-2019-11043 is a vulnerability in PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 that allows remote code execution.
How severe is CVE-2019-11043?
CVE-2019-11043 has a severity rating of 8.1 out of 10, making it critical.
Which software versions are affected by CVE-2019-11043?
PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24, and 7.3.x below 7.3.11 are affected by CVE-2019-11043.
How can I fix CVE-2019-11043?
To fix CVE-2019-11043, you need to update PHP to version 7.1.33, 7.2.24, or 7.3.11.
Where can I find more information about CVE-2019-11043?
You can find more information about CVE-2019-11043 at the following references: [https://www.php.net/ChangeLog-7.php#7.1.33](https://www.php.net/ChangeLog-7.php#7.1.33), [https://support.apple.com/en-us/HT210919](https://support.apple.com/en-us/HT210919), [https://www.cve.org/CVERecord?id=CVE-2019-11043](https://www.cve.org/CVERecord?id=CVE-2019-11043), [https://nvd.nist.gov/vuln/detail/CVE-2019-11043](https://nvd.nist.gov/vuln/detail/CVE-2019-11043), [https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/](https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/).

collector/redhat-cve
collector/nvd-index
agent/type
collector/launchpad-cve
source/Launchpad
collector/apple-support
agent/software-canonical-lookup-request
collector/php-changelog
source/PHP
agent/software-canonical-lookup
agent/title
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2019-11043
collector/nvd-api
source/NVD
agent/author
agent/remedy
collector/security-tracker-debian
source/Debian
collector/nvd-cve
agent/softwarecombine
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/severity
agent/first-publish-date
agent/event
exploited/true
ransomware/true
collector/cisa-known-exploited
source/CISA
agent/references
agent/tags
collector/usn-cve
source/Ubuntu
package-manager/redhat
vendor/php
canonical/php php
version/php php/7.1.0
version/php php/7.2.0
version/php php/7.3.0
vendor/canonical
canonical/canonical ubuntu linux
version/canonical ubuntu linux/12.04
version/canonical ubuntu linux/14.04
version/canonical ubuntu linux/16.04
version/canonical ubuntu linux/18.04
version/canonical ubuntu linux/19.04
version/canonical ubuntu linux/19.10
vendor/debian
canonical/debian debian linux
version/debian debian linux/9.0
version/debian debian linux/10.0
vendor/apple
canonical/apple macos catalina
canonical/apple mojave
canonical/apple high sierra
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/29
version/fedoraproject fedora/30
version/fedoraproject fedora/31
vendor/tenable
canonical/tenable tenable.sc
vendor/redhat
canonical/redhat software collections
version/redhat software collections/1.0
canonical/redhat enterprise linux
version/redhat enterprise linux/8.0
canonical/redhat enterprise linux desktop
version/redhat enterprise linux desktop/6.0
version/redhat enterprise linux desktop/7.0
canonical/redhat enterprise linux eus
version/redhat enterprise linux eus/7.7
version/redhat enterprise linux eus/8.1
version/redhat enterprise linux eus/8.2
version/redhat enterprise linux eus/8.4
version/redhat enterprise linux eus/8.6
version/redhat enterprise linux eus/8.8
canonical/redhat enterprise linux eus compute node
version/redhat enterprise linux eus compute node/7.7
canonical/redhat enterprise linux for arm 64
version/redhat enterprise linux for arm 64/8.0_aarch64
canonical/redhat enterprise linux for arm 64 eus
version/redhat enterprise linux for arm 64 eus/8.1_aarch64
version/redhat enterprise linux for arm 64 eus/8.2_aarch64
version/redhat enterprise linux for arm 64 eus/8.4_aarch64
version/redhat enterprise linux for arm 64 eus/8.6_aarch64
version/redhat enterprise linux for arm 64 eus/8.8_aarch64
canonical/redhat enterprise linux for ibm z systems
version/redhat enterprise linux for ibm z systems/6.0_s390x
version/redhat enterprise linux for ibm z systems/7.0_s390x
version/redhat enterprise linux for ibm z systems/8.0_s390x
canonical/redhat enterprise linux for ibm z systems eus
version/redhat enterprise linux for ibm z systems eus/7.7_s390x
version/redhat enterprise linux for ibm z systems eus/8.1_s390x
version/redhat enterprise linux for ibm z systems eus/8.2_s390x
version/redhat enterprise linux for ibm z systems eus/8.4_s390x
version/redhat enterprise linux for ibm z systems eus/8.6_s390x
version/redhat enterprise linux for ibm z systems eus/8.8_s390x
canonical/redhat enterprise linux for power big endian
version/redhat enterprise linux for power big endian/6.0_ppc64
version/redhat enterprise linux for power big endian/7.0_ppc64
canonical/redhat enterprise linux for power big endian eus
version/redhat enterprise linux for power big endian eus/7.7_ppc64
canonical/redhat enterprise linux for power little endian
version/redhat enterprise linux for power little endian/7.0_ppc64le
version/redhat enterprise linux for power little endian/8.0_ppc64le
canonical/redhat enterprise linux for power little endian eus
version/redhat enterprise linux for power little endian eus/7.7_ppc64le
version/redhat enterprise linux for power little endian eus/8.1_ppc64le
version/redhat enterprise linux for power little endian eus/8.2_ppc64le
version/redhat enterprise linux for power little endian eus/8.4_ppc64le
version/redhat enterprise linux for power little endian eus/8.6_ppc64le
version/redhat enterprise linux for power little endian eus/8.8_ppc64le
canonical/redhat enterprise linux for scientific computing
version/redhat enterprise linux for scientific computing/7.0
canonical/redhat enterprise linux server
version/redhat enterprise linux server/6.0
version/redhat enterprise linux server/7.0
canonical/redhat enterprise linux server aus
version/redhat enterprise linux server aus/7.7
version/redhat enterprise linux server aus/8.2
version/redhat enterprise linux server aus/8.4
version/redhat enterprise linux server aus/8.6
canonical/redhat enterprise linux server tus
version/redhat enterprise linux server tus/7.7
version/redhat enterprise linux server tus/8.2
version/redhat enterprise linux server tus/8.4
version/redhat enterprise linux server tus/8.6
version/redhat enterprise linux server tus/8.8
canonical/redhat enterprise linux workstation
version/redhat enterprise linux workstation/6.0
version/redhat enterprise linux workstation/7.0
package-manager/debian
canonical/php fastcgi process manager (fpm)

CVE-2019-11043: PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Parent vulnerabilities

Peer vulnerabilities

Frequently Asked Questions

What is CVE-2019-11043?

How severe is CVE-2019-11043?

Which software versions are affected by CVE-2019-11043?

How can I fix CVE-2019-11043?

Where can I find more information about CVE-2019-11043?

Company

Resources

Contact