Mitigation of CVE-2016-10045
Incident Report for amazee.io
Resolved
PHPMailer version 5.2.21 has been released, which solves CVE-2016-10045. Affected customers have been informed directly. - https://github.com/PHPMailer/PHPMailer/releases
Posted 4 months ago. Dec 29, 2016 - 11:18 UTC
Investigating
This is a follow up of our mitigation action from DRUPAL-SA-PSA-2016-004 (https://status.amazee.io/incidents/y83q2t8mm7v1)

It looks like the first patch for the vulnerability CVE-2016-10033 was incomplete. We are investigating actions and waiting for the patch to become available upstream.
Please note that the patch is not available yet. We'll update this issue as soon as the patch is available.
More information can be found here: https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html

As amazee.io cannot mitigate this issue at the infrastructure level, we informed all our clients that have PHPMailer 5.2.19 or earlier installed to update their codebase and thereby fix the issue.
If you did not receive such a notification, our scripts did not find your website affected and there is probably nothing to do right now (even though amazee.io strongly suggests keeping all websites up to date at all times).
Posted 4 months ago. Dec 28, 2016 - 08:52 UTC
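The update above describes scanning client sites for PHPMailer installs and comparing the installed version against the fixed release. The following Python script is an added example of such a check and is not amazee.io's own scanning script. It walks a document root, looks for the PHPMailer 5.x class file (`class.phpmailer.php`) or the 6.x source file (`PHPMailer.php`), reads the version string from the `$Version` property or `VERSION` constant (the exact form of those declarations is an assumption for this example), and reports any install older than 5.2.21, the version the report names as the fix. The sample directory tree it scans is constructed inline so the example runs offline.

```python
import os
import re
import tempfile

# Version named in the incident report as resolving CVE-2016-10045.
FIXED_VERSION = (5, 2, 21)

# Files in which PHPMailer declares its version (5.x and 6.x layouts).
CANDIDATE_FILES = {"class.phpmailer.php", "PHPMailer.php"}

# Matches "public $Version = '5.2.19';" (5.x) or "const VERSION = '6.0.0';" (6.x).
# Assumption: these are the declaration forms used by the respective releases.
VERSION_RE = re.compile(
    r"""(?:\$Version\s*=|const\s+VERSION\s*=)\s*['"]([0-9]+(?:\.[0-9]+)*)['"]"""
)


def parse_version(text):
    """Extract the PHPMailer version from file contents as a tuple of ints, or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def scan_tree(root):
    """Return (path, version, needs_update) for every PHPMailer copy found under root.

    needs_update is True when the installed version is older than FIXED_VERSION,
    so a site with two copies (for example one in a Drupal libraries directory and
    one under vendor/) is reported once per copy.
    """
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name not in CANDIDATE_FILES:
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    version = parse_version(fh.read())
            except OSError:
                continue  # unreadable file: skip rather than abort the whole scan
            if version is None:
                continue  # not actually a PHPMailer file
            findings.append((path, version, version < FIXED_VERSION))
    return findings


def build_sample_tree():
    """Constructed sample site: one outdated 5.2.19 copy and one fixed 5.2.21 copy."""
    root = tempfile.mkdtemp(prefix="phpmailer-scan-")
    old = os.path.join(root, "sites", "all", "libraries", "phpmailer")
    new = os.path.join(root, "vendor", "phpmailer", "phpmailer")
    os.makedirs(old)
    os.makedirs(new)
    with open(os.path.join(old, "class.phpmailer.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nclass PHPMailer\n{\n    public $Version = '5.2.19';\n}\n")
    with open(os.path.join(new, "class.phpmailer.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\nclass PHPMailer\n{\n    public $Version = '5.2.21';\n}\n")
    return root


def main():
    root = build_sample_tree()
    for path, version, needs_update in sorted(scan_tree(root)):
        status = "UPDATE REQUIRED" if needs_update else "ok"
        print(f"{'.'.join(map(str, version)):>8}  {status:16}  {path}")


if __name__ == "__main__":
    main()
```

Run it against a real document root by replacing `build_sample_tree()` with the site's path; the tuple comparison means a 6.x install is reported as fine and a bare "5.2" string is treated as older than 5.2.21.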