We are contacting you regarding a medium-level PHP vulnerability (National Vulnerability Database (NVD) entry CVE-2013-6420) that impacts certain PHP versions:
* All versions of PHP 5.2.x.
* All versions of PHP 5.3 before 5.3.28.
* All versions of PHP 5.4 before 5.4.23.
* All versions of PHP 5.5 before 5.5.7.
A PHP application that uses the PHP openssl_x509_parse() function to parse a malicious x509 certificate may trigger a memory corruption that might result in arbitrary user-level code execution. This means that if any of your cPanel users' PHP scripts connect outbound to third-party sites via SSL (HTTPS), you will most likely want to consider upgrading your PHP to the most current versions within EasyApache. In the rare case that one of the trusted third-party sites your PHP scripts are programmed to connect to is compromised and starts providing a malicious x509 certificate, your server would be exposed to this specific vulnerability.
cPanel, Inc. has released EasyApache 3.22.25 with PHP versions 5.3.28, 5.4.23, and 5.5.7. This release addresses CVE-2013-6420 by fixing bugs in the PHP OpenSSL module.
You can verify your PHP version and upgrade your server at your convenience by following these steps:
1) Log into your server's WHM as the root user.
2) Go to Home > Software > EasyApache (Apache Update)
3) Click "Start customizing based on profile"
4) Keep your Apache version the same and click "Next Step".
5) Select 5.3.28, 5.4.23, or 5.5.7 as your PHP version and click "Next Step" (cPanel considers PHP 5.4.23 the most stable current version)
6) Scroll to the bottom of the Short Options List and click "Save and Build"
EasyApache will then build your server with the selected PHP version. This process takes ~30 to 40 minutes. Because of compatibility issues, WiredTree does not proactively upgrade Apache/LSWS, PHP or MySQL on your server without prior customer consent; we don't want to break important sites when changing versions of these services.
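To check from a shell which side of the ranges listed above a PHP version falls on, and which scripts actually call openssl_x509_parse(), here is an added example (not WiredTree's or cPanel's code). The function names are hypothetical, and the version boundaries are the ones stated in this notice.

```shell
#!/bin/sh
# Added example: triage a server against the version ranges in this notice.
# Function names are hypothetical helpers, not cPanel or WiredTree tools.

# Prints: affected | fixed | unlisted (not covered by the notice) | invalid
cve_2013_6420_status() {
    ver=$1
    case $ver in
        *.*.*) ;;
        *) echo invalid; return 0 ;;
    esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-1~dotdeb.1"
    for part in "$major" "$minor" "$patch"; do
        case $part in
            ''|*[!0-9]*) echo invalid; return 0 ;;
        esac
    done
    [ "$major" -eq 5 ] || { echo unlisted; return 0; }
    case $minor in
        2) echo affected; return 0 ;;    # all versions of 5.2.x
        3) fixed_patch=28 ;;             # 5.3 before 5.3.28
        4) fixed_patch=23 ;;             # 5.4 before 5.4.23
        5) fixed_patch=7 ;;              # 5.5 before 5.5.7
        *) echo unlisted; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then echo affected; else echo fixed; fi
}

# Lists .php files under a directory that call openssl_x509_parse(),
# the function named in the notice. Sorted, one path per line.
find_x509_parse_callers() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'openssl_x509_parse[[:space:]]*\(' {} + 2>/dev/null | sort
}

# Stand-alone use: pass versions as arguments, or none to test the local php.
if [ "$#" -eq 0 ] && command -v php >/dev/null 2>&1; then
    set -- "$(php -r 'echo PHP_VERSION;')"
fi
for v in "$@"; do
    printf '%s: %s\n' "$v" "$(cve_2013_6420_status "$v")"
done
```

The `php` binary on the shell's PATH is not necessarily the build your web server runs, so compare the result with the version EasyApache reports. The version suffix is ignored, so an "affected" result for a distribution-packaged PHP is a prompt to check the vendor's changelog for a backported fix.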
If you have LiteSpeed WebServer or an older PHP version please see the below sections.
LiteSpeed WebServer: If you have LiteSpeed WebServer, it should automatically rebuild your LSPHP to match your new version. You can manually rebuild LiteSpeed's PHP version by going to Home > Plugins > LiteSpeed Web Server Plugin and clicking on "Build Matching LSPHP". If it says no action is needed, you do not have to do anything further. If it shows a mismatch on the PHP versions, hit the rebuild button and it will auto-build PHP for you.
PHP 5.2.x or older: If you have an older PHP version such as PHP 5.2.x or PHP 4.x, you should strongly consider moving to PHP 5.3.x at a minimum. Any PHP versions below PHP 5.3.x are no longer being updated by the PHP developers and are considered at end of life. Due to the changes within PHP between PHP 4 / PHP 5 and PHP 5.2.x / PHP 5.3.x, you need to make sure your site code and scripts are compatible with PHP 5.3.x+ before upgrading. Upgrading PHP without upgrading your legacy site code may cause issues.
If you have any issues with upgrading PHP on your server, have any questions, or wish for WiredTree to handle the upgrade for you, please open a new Grove support ticket and we would be happy to assist you!