
laradock/php-fpm:2.2-7.2 CVE-2019-11043 Issue #35

Closed
kylelee24 opened this issue Oct 28, 2019 · 4 comments

Comments

@kylelee24

Referencing: https://thehackernews.com/2019/10/nginx-php-fpm-hacking.html?m=1

According to the referenced article, there is a new vulnerability (CVE-2019-11043) which has been patched in PHP 7.2.24. At this time, laradock/php-fpm:2.2-7.2 is on PHP 7.2.21.

Would we be able to get a new Docker image with this updated? It appears that since the Dockerfile uses FROM php:7.2-fpm, all you need to do is re-run the build, as php has already pushed the patch.

$ docker run -it  php:7.2-fpm bash
Unable to find image 'php:7.2-fpm' locally
7.2-fpm: Pulling from library/php
8d691f585fa8: Pull complete
cba12d3fd8b1: Pull complete
cda54d6474c8: Pull complete
412447ed0729: Pull complete
1205d5ea3b9d: Pull complete
80a25696cb8a: Pull complete
62a7e0bf9b1b: Pull complete
e917be2fd0e7: Pull complete
e8ae1818d84f: Pull complete
e7c57f770d97: Pull complete
286407d851ec: Pull complete
Digest: sha256:8451ce66994c1cfbe5d823e6767cb425ac2d721ac31a33f9f808675578ee53a3
Status: Downloaded newer image for php:7.2-fpm
root@272b48382901:/var/www/html# php -v
PHP 7.2.24 (cli) (built: Oct 25 2019 04:29:43) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.2.0, Copyright (c) 1998-2018 Zend Technologies
@jrbecart

jrbecart commented Nov 4, 2019

(I think) Laradock is not exploitable by default.
To be vulnerable you need a specific configuration in nginx, such as:

The full list of preconditions

  • Nginx + php-fpm, location ~ [^/]\.php(/|$) must be forwarded to php-fpm (maybe the regexp can be stricter, see this).
  • The fastcgi_split_path_info directive must be there and contain a regexp starting with ^ and ending with $, so we can break it with a newline character.
  • There must be a PATH_INFO variable assignment via the statement fastcgi_param PATH_INFO $fastcgi_path_info;. Also SCRIPT_FILENAME must be set using fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; (there might be a constant path instead of $document_root). At first, we thought these were always present in the fastcgi_params file, but that's not true.
  • No file existence checks like try_files $uri =404 or if (-f $uri). If Nginx drops requests to non-existing scripts before FastCGI forwarding, our requests never reach php-fpm. Adding this is also the easiest way to patch.
  • This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see below).

So, looking at the nginx default.conf, laradock is not vulnerable, BUT it will be a GOOD idea to update it.
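
As an added example (not part of the thread, and not laradock's own code), the following script audits an nginx configuration text for the combination of preconditions listed in the comment above: an anchored fastcgi_split_path_info regexp, PATH_INFO forwarded from $fastcgi_path_info, SCRIPT_FILENAME built from $fastcgi_script_name, and no try_files $uri =404 or if (-f $uri) guard. The two sample configurations are constructed for illustration; the block bodies and the php-fpm:9000 upstream are assumptions, not laradock's shipped default.conf.

```python
import re

# Constructed sample: a location block meeting every precondition from the comment above
VULNERABLE_CONF = r"""
server {
    root /var/www/html;
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_pass php-fpm:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
"""

# Constructed sample: the same block with the existence check the comment recommends as the easiest fix
PATCHED_CONF = VULNERABLE_CONF.replace(
    "fastcgi_pass", "try_files $uri =404;\n        fastcgi_pass")


def php_location_blocks(conf):
    """Yield the body of every `location` block whose matcher mentions php.
    Braces are counted so blocks nested inside `server { ... }` are found too."""
    for m in re.finditer(r"location\s+[^{]*php[^{]*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def is_exposed(block):
    """True when one block meets all preconditions: anchored split regexp,
    PATH_INFO forwarded, SCRIPT_FILENAME from $fastcgi_script_name, no file check."""
    split = re.search(r"fastcgi_split_path_info\s+\^.*\$\s*;", block)
    path_info = re.search(r"fastcgi_param\s+PATH_INFO\s+\$fastcgi_path_info\s*;", block)
    script = re.search(r"fastcgi_param\s+SCRIPT_FILENAME\s+\S*\$fastcgi_script_name\s*;", block)
    guarded = re.search(r"try_files\s+\$uri\s+=404|if\s*\(\s*-f\s+\$uri\s*\)", block)
    return bool(split and path_info and script) and not guarded


def audit(conf):
    """Return the bodies of exposed php location blocks (empty list means none found).
    Limitation: `include fastcgi_params;` is not resolved, so directives that only
    live in an included file are invisible to this check."""
    return [b for b in php_location_blocks(conf) if is_exposed(b)]
```

Run it against a real default.conf by reading the file into a string and calling audit(); an empty result only means the inline directives are safe, not that included files were checked.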

@kylelee24
Author

Thanks @jrbecart. I agree with your assessment, which is why I have left it unpatched at the moment (vs. creating my own base image). But as you said, it would be a good idea to update it anyway. And since, from what I can tell, there isn't really any work except to re-run the build, I thought this issue would turn around quickly.

@jrbecart

jrbecart commented Nov 5, 2019

Temporarily, if someone needs the updated image, you can find it here (forked from this repo). I set it up in docker hub to rebuild the images automatically if the base image is updated.

@bestlong
Member

Now, the image is auto-built and pushed to Docker Hub every week.

https://github.com/laradock/php-fpm/actions
