Hello,
The following knowledge base article exists for this report:
documentation.cpanel.net
We'll update this article with more information as it becomes available.
Thank you.
The following knowledge base article exists for this report:
CVE-2019-15846 Exim - cPanel Knowledge Base - cPanel Documentation
We'll update this article with more information as it becomes available.
Thank you.
Hi cPanel,
CVE-2019-15846
What is the workaround patch for this vulnerability and when can we expect a patched Exim release via the upgrade channels?
I believe the release date is today.
CVE-2019-15846
What is the workaround patch for this vulnerability and when can we expect a patched Exim release via the upgrade channels?
I believe the release date is today.
Last edited:
Surely cPanel are given access to embargoed security releases? The CRD has now passed and we see no updated Exim packages from cPanel.Hello,
The following knowledge base article exists for this report:
CVE-2019-15846 Exim - cPanel Knowledge Base - cPanel Documentation
We'll update this article with more information as it becomes available.
Thank you.
From a terminal window, if I run the following
The results would indicate that I'm already running 4.92 #2, and have been since March this year.
"Exim version 4.92 #2 built 17-Mar-2019 12:58:50"
Although WHM service status does say 4.92-1 ???
and
Code:
exim --version |head -1"Exim version 4.92 #2 built 17-Mar-2019 12:58:50"
Although WHM service status does say 4.92-1 ???
and
Code:
[email protected] [~]# whmapi1 installed_versions packages=1|grep exim
exim: 4.92-1
- exim-4.92-1.cp1180.x86_64
Last edited:
Release tarballs for (exim-4.92.2) have been publicly released Index of /pub/exim/exim4/
Lets see how quick the cPanel Exim packages take. For critical issues such as this where the exploit code is already there, I hope its within the next 30min, or 9.00am in Texas
Lets see how quick the cPanel Exim packages take. For critical issues such as this where the exploit code is already there, I hope its within the next 30min, or 9.00am in Texas
You're confusing cpanel's own -1 or -2 revision with the exim minor point release of .1 or .2
Hello Everyone,
As of Friday, September 6, 2019, Exim has published a fix for CVE-2019-15846 and cPanel & WHM version 82.0.14 was published with a version of Exim that includes the fix.
We'll continue to provide updates on this report at the link below:
documentation.cpanel.net
Let me know of any questions.
Thanks!
Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
As of Friday, September 6, 2019, Exim has published a fix for CVE-2019-15846 and cPanel & WHM version 82.0.14 was published with a version of Exim that includes the fix.
We'll continue to provide updates on this report at the link below:
CVE-2019-15846 Exim - cPanel Knowledge Base - cPanel Documentation
Let me know of any questions.
Thanks!
Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
Last edited:
@andyf, Tentatively looking at early next week for the rollout of this patch to the additional supported release tiers. In the meantime, you could use WHM >> Update Preferences to switch over to the CURRENT release tier:
documentation.cpanel.net
You can find additional discussion of this topic on our Slack channel:
go.cpanel.net
Thank you.
Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
Update Preferences - Version 82 Documentation - cPanel Documentation
You can find additional discussion of this topic on our Slack channel:
Slack
go.cpanel.net
Thank you.
Edit 1: cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
Last edited:
Hello Everyone,
To update, cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
Thank you.
To update, cPanel & WHM version 82.0.14 is now also published to the RELEASE and STABLE release tiers. Additionally, a new LTS version (78.0.38) is now published to the LTS tier with a fix for this issue.
Thank you.
Hello everyone.
I've got couple servers with CloudLinux release 7.6 with version 11.70.0.69 and version of exim - exim-4.91-4.cp1170.x86_64
There is a posibility to upgrade exim to version 4.92.2 without upgrade version of cpanel and server to avoid vulnerability of exim in CVE-2019-15846 ?
I tried to update via yum update exim but i didn't work.
Anyone got this problem ? And how can I solve this problem?
I've got couple servers with CloudLinux release 7.6 with version 11.70.0.69 and version of exim - exim-4.91-4.cp1170.x86_64
There is a posibility to upgrade exim to version 4.92.2 without upgrade version of cpanel and server to avoid vulnerability of exim in CVE-2019-15846 ?
I tried to update via yum update exim but i didn't work.
Anyone got this problem ? And how can I solve this problem?
I don't think that's possible, the LTS patch only goes back to version 78.
You should update those servers to the latest cPanel version. Why do you keep them outdated?
You should update those servers to the latest cPanel version. Why do you keep them outdated?
All versions of cPanel & WHM below the stated versions under the Releases section on the KB article are not patched for CVE-2019-15846.
cPanel & WHM version 70 is at end-of-life status so you should upgrade to a supported version as soon as possible to ensure your server is patched for this vulnerability:
cPanel & WHM Version 70 now EOL | cPanel Newsroom
cPanel & WHM Version 70 has reached End of Life and will no longer be supported by cPanel except when upgrading to a supported version. In accordance with our EOL policy (https://go.cpanel.net/longtermsupport), Version 70 will continue to function on servers where it is already installed. The...
news.cpanel.com
Thank you.
I've got old version of WHMCS which is quite incompatible with 78 and 80 version of Cpanel. Second reason - costs - unfortunately employer is reluctant to upgrade, which is annoying. and these servers are badly neglected - so I try to do what I can.
Last edited:
Hello @parsley93,
I recommend reaching out to WHMCS Support to evaluate upgrade options if that's what's preventing you from upgrading cPanel & WHM to a supported version.
Thank you.
I recommend reaching out to WHMCS Support to evaluate upgrade options if that's what's preventing you from upgrading cPanel & WHM to a supported version.
Thank you.
I feel your pain.
from http://exim.org/static/doc/security/CVE-2019-15846.txt :
*****
Mitigation
==========
Do not offer TLS. (This mitigation is not recommended.)
For a attacking TLS client the following ACL snippet should work:
# to be prepended to your mail acl (the ACL referenced
# by the acl_smtp_mail main config option)
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
deny condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
*****
So it appears you can mitigate by not offering TLS on exim [easy to do via WHM] and or by adding the two ACL snippet deny commands listed above - it looks like its possible in WHM but not entirely sure or which section to do it in.
Last edited:
Hello @oldie,
While I understand the manual mitigation step is referenced by Exim on the link you provided, it's important to understand this workaround is not tested or supported by cPanel & WHM. Editing a server's Exim configuration with those changes could potentially lead to email deliverability issues. Furthermore, the referenced workaround is not confirmed to mitigate the reported vulnerability.
The safest approach here is to upgrade cPanel & WHM to a supported version, or work with us to help troubleshoot any technical issues that are preventing you from upgrading to a supported cPanel & WHM version.
Thank you.
Unfortunately working with legacy app with legacy php so unless cPanel get generous and backport exim port for WHM 76 then have to look for other options/workarounds.