FreePBX 15 Vulnerability

Hello,

I have tested the FreePBX web interface and it seems to be affected by a lot of security vulnerabilities due to the fact that it uses an end-of-life version of PHP.

A security specialist friend of mine advises me not to use this product because of these problems.

What to do? What do you think?

Well, first of all, you have to know how these scanner tools work. Some of them just operate on the version string - which is quite misleading on LTS distros like RHEL and CentOS (CentOS is built from RHEL). LTS distros fix (security) problems by backporting the fixes to existing old versions.

Example: apache 2.4.6 and CVE-2017-7679. This is fixed in RHSA-2017:2479. This errata shipped httpd-2.4.6-67.el7_4.2 - my actual installed version is httpd-2.4.6-97 - so this finding is definitely a false positive.

You can find all fixed CVEs in CentOS here, and you can verify whether those versions are installed on your machine.

2 Likes
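The check described in the post above (is the installed package at or above the NVR the errata shipped?) comes down to comparing RPM version-release strings the way `rpm` itself does, not comparing bare upstream version numbers. The script below is an added example, not code from the thread or from the FreePBX project: it implements a simplified `rpmvercmp` in POSIX sh (digit runs beat letter runs, numeric runs compare by value, no epoch/tilde/caret handling, which is an assumption that holds for the strings in the post), and uses the post's own strings, `httpd-2.4.6-67.el7_4.2` from RHSA-2017:2479 and the reported installed `httpd-2.4.6-97`, as constructed sample input. The `installed_nvr` helper assumes `rpm` is present and is only meant for a live CentOS/RHEL host.

```shell
#!/bin/sh
# Added example: decide whether a scanner finding against a backported package is a
# false positive by comparing installed NVR against the errata's NVR (simplified rpmvercmp).

# Split an RPM version string into space-separated digit runs and letter runs;
# every other character (., -, _) is only a separator.
rpm_tokens() {
    printf '%s' "$1" \
        | sed -e 's/\([0-9]\)\([A-Za-z]\)/\1 \2/g' \
              -e 's/\([A-Za-z]\)\([0-9]\)/\1 \2/g' \
              -e 's/[^A-Za-z0-9]\{1,\}/ /g'
}

# Print 1 if $1 is newer than $2, -1 if older, 0 if equal (simplified rpmvercmp:
# assumption - no epoch, tilde or caret handling, which the sample strings do not need).
rpm_vercmp() {
    b_toks=$(rpm_tokens "$2")
    set -- $(rpm_tokens "$1")          # positional params now hold the runs of $1
    for b in $b_toks; do
        [ $# -eq 0 ] && { printf '%s\n' -1; return 0; }   # $1 ran out first: older
        a=$1; shift
        case "$a" in *[!0-9]*) a_num=0 ;; *) a_num=1 ;; esac
        case "$b" in *[!0-9]*) b_num=0 ;; *) b_num=1 ;; esac
        if [ "$a_num" -ne "$b_num" ]; then
            # rpm rule: a numeric run is always newer than an alphabetic one
            [ "$a_num" -eq 1 ] && printf '%s\n' 1 || printf '%s\n' -1
            return 0
        fi
        if [ "$a_num" -eq 1 ]; then
            # numeric runs: drop leading zeros, then the longer run is the larger number
            while [ "${a#0}" != "$a" ] && [ ${#a} -gt 1 ]; do a=${a#0}; done
            while [ "${b#0}" != "$b" ] && [ ${#b} -gt 1 ]; do b=${b#0}; done
            if [ ${#a} -ne ${#b} ]; then
                [ ${#a} -gt ${#b} ] && printf '%s\n' 1 || printf '%s\n' -1
                return 0
            fi
        fi
        # same length numbers or two alphabetic runs: plain lexical comparison
        if [ "$a" != "$b" ]; then
            [ "$a" \> "$b" ] && printf '%s\n' 1 || printf '%s\n' -1
            return 0
        fi
    done
    [ $# -gt 0 ] && printf '%s\n' 1 || printf '%s\n' 0   # leftover runs in $1: newer
}

# Pull VERSION and RELEASE out of a name-version-release string (name may contain dashes).
nvr_version() { v=${1%-*}; printf '%s' "${v##*-}"; }
nvr_release() { printf '%s' "${1##*-}"; }

# True (exit 0) when installed NVR $1 is at or above errata NVR $2:
# compare VERSION first, and only on a tie compare RELEASE, as rpm does.
nvr_at_least() {
    r=$(rpm_vercmp "$(nvr_version "$1")" "$(nvr_version "$2")")
    [ "$r" -eq 0 ] && r=$(rpm_vercmp "$(nvr_release "$1")" "$(nvr_release "$2")")
    [ "$r" -ge 0 ]
}

# On a live CentOS/RHEL host: installed NVR of a package via rpm's query format
# (assumes rpm is installed; not used by the offline demo below).
installed_nvr() {
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' "$1"
}

# Offline demo with the strings from the post (constructed input, not a live query).
FIXED_NVR="httpd-2.4.6-67.el7_4.2"      # shipped by RHSA-2017:2479 for CVE-2017-7679
INSTALLED_NVR="httpd-2.4.6-97"          # installed version the poster reports
if nvr_at_least "$INSTALLED_NVR" "$FIXED_NVR"; then
    echo "$INSTALLED_NVR >= $FIXED_NVR: backported fix present, finding is a false positive"
else
    echo "$INSTALLED_NVR <  $FIXED_NVR: fix missing, update the package"
fi
```

On a real host the same check is `nvr_at_least "$(installed_nvr httpd)" httpd-2.4.6-67.el7_4.2`; the errata NVR comes from the CentOS/RHEL errata page for the CVE the scanner flagged, never from the upstream version number the scanner matched on.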

Not much of a specialist (or at least not a good one) if he doesn't understand basics like this.

@dirk2358 is correct. I think you’ll find most, probably all, the CVEs are either fixed, or were false positives to begin with.

1 Like

PHP 7.x support is underway now for the next version of FreePBX.

3 Likes

Thank you!
