Addressing the PHP-FPM Vulnerability (CVE-2019-11043)
Incident Report for amazee.io
Resolved
This incident has been resolved.
Posted Nov 01, 2019 - 07:28 UTC
Identified
Earlier this week CVE-2019-11043 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11043) was disclosed.

The default amazee.io configurations on legacy and Lagoon are not vulnerable. If you run a custom configuration on Lagoon, check the list of preconditions (https://github.com/neex/phuip-fpizdam#the-full-list-of-preconditions) to determine whether your custom configuration might be vulnerable.

We are already in touch with customers who host on our legacy infrastructure and are affected by this CVE. Our team will reach out to these customers and coordinate the rollout of the fixed configurations.

Further information on the mitigation can be found on the Nginx website: https://www.nginx.com/blog/php-fpm-cve-2019-11043-vulnerability-nginx/

If you have any questions regarding the vulnerability, feel free to reach out to us.
Posted Oct 31, 2019 - 14:15 UTC