FreePBX 15 Vulnerability


(Wifx) #1

Hello,

I have tested the FreePBX web interface and it seems to be affected by a lot of security vulnerabilities due to the fact that it uses an end-of-life version of PHP.


A security specialist friend of mine advises me not to use this product because of these problems.

What to do? What do you think?


(Dirk2358) #2

Well, first of all, you have to know how these scanner tools work. Some of them just operate on the version string - which is quite misleading on LTS distros like RHEL and CentOS (CentOS is built from RHEL). LTS distros fix (security) problems by backporting the fixes to existing old versions.

Example: apache 2.4.6 and CVE-2017-7679. This is fixed in RHSA-2017:2479. This errata shipped httpd-2.4.6-67.el7_4.2 - my actual installed version is httpd-2.4.6-97 - so this finding is definitely a false positive.

You can find all fixed CVEs in CentOS here, and you can verify whether those versions are installed on your machine.
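The check described above, as an added example that is not part of the thread or of FreePBX: compare the installed package's version-release against the one shipped by the errata, instead of the bare upstream version a banner scanner sees. It uses a simplified reimplementation of RPM's rpmvercmp (epoch, tilde and caret handling are left out) and the values quoted in the post.

```python
import re

_SEG = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two RPM version or release strings like rpmvercmp does:
    split into digit runs and letter runs, ignore separators, compare
    digit runs as integers and letter runs lexically; a digit run sorts
    above a letter run; if one side has segments left over, it is newer.
    Simplified: no epoch, tilde or caret handling."""
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1  # numeric segment beats alpha segment
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1


def parse_vr(s: str):
    """Split 'version-release' (e.g. '2.4.6-67.el7_4.2') at the last hyphen."""
    version, sep, release = s.rpartition("-")
    return (s, "") if not sep else (version, release)


def vrcmp(a: str, b: str) -> int:
    """Order two version-release strings: version first, then release."""
    va, ra = parse_vr(a)
    vb, rb = parse_vr(b)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def errata_applied(installed: str, errata: str) -> bool:
    """True if the installed build is at or above the errata build."""
    return vrcmp(installed, errata) >= 0


if __name__ == "__main__":
    # Values from the post: errata build vs. the actually installed build.
    fixed, have = "2.4.6-67.el7_4.2", "2.4.6-97"
    # Upstream version alone cannot tell the two apart (what the scanner sees).
    print("version only:", rpmvercmp(parse_vr(have)[0], parse_vr(fixed)[0]))
    print("errata applied:", errata_applied(have, fixed))  # True
```

On a CentOS host the installed string comes from `rpm -q --qf '%{VERSION}-%{RELEASE}\n' httpd`; the errata build comes from the advisory.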


#3

Not much of a specialist (or at least not a good one) if he doesn’t understand basics like this.

@dirk2358 is correct. I think you’ll find most, probably all, the CVEs are either fixed, or were false positives to begin with.


(Lorne Gaetz) #4

PHP 7.x support is underway now for the next version of FreePBX.


(Wifx) #5

Thank you!