2024 - Updating PHP (Is PHP even needed?)

(EDIT: Added installed software versions)

I did not find an existing article in the forums about this recent enough to be relevant.

I created two Debian 12 (Bookworm) virtual machines, and installed Nethserver 8 to each using the same methods. The only differences between the two are hostnames. Both are only running ldap, mail, and roundcube. Both are working great!

I install updates weekly through the Nethserver WebGUI. One month ago, I did security scans on both from Nessus. One registered a PHP vulnerability, and the other did not even detect PHP installed. I confirmed this with an nmap scan - server one showed vulnerable PHP, the other server did not show PHP installed at all.

Three weeks ago I checked for (and installed if available) updates from Nethserver’s WebGUI. Then logged in to each and did apt update & apt upgrade -y on both just in case there were additional updates that Nethserver was missing. Rebooted the servers and re-did the scan, and the same vulnerability came up on one, but not the other.

Then two weeks ago I thought maybe an additional server management solution would help, so I did the Nethserver updates, the command line updates, and then installed Webmin and checked that for updates (there were no additional updates). Rebooted the servers and re-did the scan, and still one server has the vuln and one does not.

Last week I was busy.

Today I’m reading my weekly vulnerability report and am at a loss as to how to fix this.

I really love Nethserver and have been using it for what feels like a decade (idk how long but the first version I used was a CentOS VM image downloaded from the nethserver website) and am hoping that I can fix this so I don’t have to use something else because honestly who would want to use something else when Nethserver exists? Once I get this squared away, I hope to add some additional features like jabber and groupware and maybe a pbx, and I don’t know of any other turnkey solutions that support all of that anyway.

Any help is greatly appreciated!

Vuln info:

Critical PHP 8.1.x < 8.1.31 Multiple Vulnerabilities

URL : [REDACTED]:80/ (8.1.30 under X-Powered-By: PHP/8.1.30)
Installed version : 8.1.30
Fixed version : 8.1.31

nmap scan output:

Starting Nmap 7.80 ( https://nmap.org ) at 2024-12-17 10:44 EST
Nmap scan report for [REDACTED] (First server)
Host is up (0.0049s latency).

PORT STATE SERVICE VERSION
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-php-version: Version from header x-powered-by: PHP/8.1.30
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: [REDACTED] (Unknown)

Nmap scan report for [REDACTED] (Second server)
Host is up (0.0055s latency).

PORT STATE SERVICE VERSION
80/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
443/tcp open ssl/http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
MAC Address: [REDACTED] (Unknown)

Service detection performed. Please report any incorrect results at Nmap OS/Service Fingerprint and Correction Submission Page .
Nmap done: 2 IP addresses (2 hosts up) scanned in 13.22 seconds

Server info:

First Server

OS: Debian GNU/Linux 12 (bookworm) x86_64
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-8.1)
Kernel: 6.1.0-28-amd64
Uptime: 8 mins
Packages: 591 (dpkg)
Shell: bash 5.2.15
Resolution: 1280x800
Terminal: /dev/pts/0
CPU: QEMU Virtual version 2.5+ (4) @ 2.999GHz
GPU: 00:02.0 Vendor 1234 Device 1111
Memory: 1494MiB / 3914MiB

Second Server:

OS: Debian GNU/Linux 12 (bookworm) x86_64
Host: KVM/QEMU (Standard PC (i440FX + PIIX, 1996) pc-i440fx-8.1)
Kernel: 6.1.0-28-amd64
Uptime: 10 mins
Packages: 610 (dpkg)
Shell: bash 5.2.15
Resolution: 1280x800
Terminal: /dev/pts/0
CPU: QEMU Virtual version 2.5+ (4) @ 2.999GHz
GPU: 00:02.0 Vendor 1234 Device 1111
Memory: 1528MiB / 3914MiB

Software versions for each:

core1 Node 1 3.3.1
ldapproxy1 Node 1 1.1.0
loki1 Node 1 1.2.2
openldap1 Node 1 2.2.6
traefik1 Node 1 2.2.5


1 Like

Hi,

Welcome to the NethServer Community.

Thanks for your feedback and the pointer to the PHP vulnerability.

It seems to be an upstream issue regarding the Roundcube docker image. In their current full version docker tag 1.6.9-apache they still use PHP 8.1.30; in latest-apache, 8.1.31 is used already.
I assume they’ll release an update soon so the app can be upgraded in NS8 too.

I didn’t find any other PHP 8.1.30 occurrences in the apps you mentioned.
NS8 uses podman that provides rootless containers which makes it more secure.

NS8 uses traefik reverse proxy to redirect traffic to podman containers where the apps live. So to check the right app, the right name is needed. You can check/edit the hostnames of the apps in their NS8 app settings.

EDIT:

Workaround to upgrade manually (you also need to revert it later to get NS8 updates again)

Enter the roundcubemail environment: (assuming the app instance is named roundcubemail1)

runagent -m roundcubemail1

Edit the environment file and change the following line

ROUNDCUBEMAIL_IMAGE=docker.io/roundcube/roundcubemail:1.6.9-apache

to

ROUNDCUBEMAIL_IMAGE=docker.io/roundcube/roundcubemail:latest-apache

Restart roundcube:

systemctl --user restart roundcubemail

After some time (image download) it should be running again.

Check PHP, should be 8.1.31:

podman exec roundcubemail-app php -v

Exit roundcubemail:

exit

This way you get a fixed Roundcube app.
I recommend waiting for the NS8 updates, though.

EDIT2:

You could also use Sogo or Webtop instead of Roundcube.

1 Like

Awesome! Thank you for the reply and all those options!

I’ll take a look later and see which one is gonna be best for me. I’m inclined to wait for the NS8 update, but, I might not wait because of the severity.

I’m still confused about why it only shows up on one and not the other, but that’s a mystery for another day.

I’m not really familiar with docker images in general, nor podman container management in Nethserver specifically, so forgive me if this is a dumb question,

The only dumb questions are the ones not asked so feel free to ask.

It’s not like in NS7 that the hosts PHP is vulnerable. In this case just the PHP in the rootless roundcube container is affected.

I don’t know how nessus is testing but maybe the first server resolved to roundcube.server1.tld which is affected and the second server resolved to nextcloud.server2.tld which isn’t.
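Added example, not part of the thread and not NethServer code: because traefik routes each request by hostname, the X-Powered-By header a scanner sees depends on which app answered. This sketch reads response headers on stdin and compares the advertised PHP version with the fixed version from the scan report; the function names, sample headers, hostname and IP address are constructed for illustration.

```shell
#!/usr/bin/env bash
# Live use (hostname and IP are placeholders for the app's NS8 hostname):
#   curl -sk -o /dev/null -D - --resolve webmail.example.org:443:192.0.2.10 \
#        https://webmail.example.org/ | check_php_header 8.1.31

# Print the version from "X-Powered-By: PHP/x.y.z"; print nothing if absent.
php_version_from_headers() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "x-powered-by" && index($2, "PHP/") == 1 {
            print substr($2, 5); exit
        }'
}

# Return 0 (true) when dotted version $1 is lower than $2, field by field.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Classify one response: "not-advertised", "vulnerable <ver>" or "ok <ver>".
# "not-advertised" only means this response carried no PHP header: another
# app may have answered for that hostname, or expose_php may be off.
check_php_header() {
    local fixed="$1" ver
    ver=$(php_version_from_headers)
    if [ -z "$ver" ]; then
        echo "not-advertised"
    elif version_lt "$ver" "$fixed"; then
        echo "vulnerable $ver"
    else
        echo "ok $ver"
    fi
}

# Constructed sample responses (not captured from the servers in the thread).
SAMPLE_ROUNDCUBE='HTTP/1.1 200 OK
Server: Apache/2.4.62 (Debian)
X-Powered-By: PHP/8.1.30
Content-Type: text/html; charset=UTF-8'
SAMPLE_OTHER_APP='HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8'

printf '%s\n' "$SAMPLE_ROUNDCUBE" | check_php_header 8.1.31
printf '%s\n' "$SAMPLE_OTHER_APP" | check_php_header 8.1.31
```

Running the same check against each app hostname on both servers shows which container, if any, is advertising the old PHP version.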

@mrmarkuz Thanks again for your help with this! I marked your first reply as the answer.

As for what I was saying is a dumb question lol it got cut off of my reply so I didn’t actually get to ask it. I was going to ask if I could use the command line to get into the container and just upgrade to 8.1.31 (or even 8.2) and had no idea how to do that.

I did some googling and experimenting and I was able to use your answer about podman AFTER I switched users (sudo su) to impersonate the roundcube1 username. I found a Stack Exchange answer on a Docker topic about how to get an interactive shell and then was able to not only query the PHP version, but also discover that the repositories are not what I expected (which makes sense based on your answer about selecting a different image)

So my next steps are to experiment a little bit on both servers to see if I can find out why the vuln is detected on one but not the other, and then probably also look into the different WebGUIs that you mentioned because I want to be able to really customize the interface. I think it would be a good learning experience for me but also it would be funny to have like my face on the homepage or something when my kids log in to their webmail lolol

Thanks again!!

1 Like