Today Parallels announced a critical security vulnerability in Plesk. A SQL injection is said to be possible; Parallels has so far kept quiet about the details. All users are nevertheless advised to update as quickly as possible.

Here is the original text:

Plesk – Critical Security Vulnerability – Patch REQUIRED

Dear Parallels Plesk Panel User:

Please read this message in its entirety and take the recommended actions.

Parallels has been informed of a SQL injection security vulnerability in some older versions of Plesk. This vulnerability is considered critical in nature and customers are advised to take action quickly.

A patch has been released to resolve this vulnerability. Based on the version and operating system of Plesk you use, please follow the instructions below.

Linux

Plesk 10 – Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, it is recommended to update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 – Update to Plesk 9.5.4 MicroUpdate #11 or later
Update Instructions: here

Plesk 8 – Update to Plesk 8.6.0 MicroUpdate #2 or later
Update Instructions: here

Windows

Plesk 10 – Update to Plesk 10.3.1 MicroUpdate #6 or later.
Update Instructions: here
If possible, it is recommended to update all the way to Plesk 10.4.4 to provide the most stable user experience.

Plesk 9 – Apply Fix from Parallels Knowledge Base
Update Instructions: here

Plesk 8 – Apply Fix from Parallels Knowledge Base
Update Instructions: here

If you are already at or above the Version and MicroUpdate levels indicated above – you are already protected from this vulnerability.

Parallels takes the security of our customers very seriously and urges you to act quickly by applying these patches.

Thanks,

– The Parallels Plesk Panel Team

The easiest way to install the necessary MicroUpdates is with the following command on the command line:

# /opt/psa/admin/sbin/autoinstaller --select-product-id plesk --select-release-current --reinstall-patch --install-component base

Our managed servers are not (and were not) affected, since we have been running version 10.3.1 MU >=16 everywhere as the preferred release since December.
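To check in an inventory script whether a host is at or above the levels the advisory lists for Linux, here is an added example (not from Parallels or from this post); how the running version and MicroUpdate number are obtained is left as an assumption and they are passed in as arguments.

```shell
#!/bin/sh
# Checks a Plesk version/MicroUpdate pair against the Linux thresholds given in
# the advisory above: 10.3.1 MU#6, 9.5.4 MU#11, 8.6.0 MU#2.
# Added example, not Parallels code. Obtaining the installed version and MU
# number from the host is assumed to happen elsewhere (arguments here).

# vercmp A B: prints 0 if A == B, 1 if A > B, 2 if A < B (dotted numeric parts;
# missing trailing parts count as 0, so 8.6 == 8.6.0).
vercmp() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        [ "$a" = "$x" ] && a="" || a=${a#*.}
        [ "$b" = "$y" ] && b="" || b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -gt "$y" ]; then echo 1; return; fi
        if [ "$x" -lt "$y" ]; then echo 2; return; fi
    done
    echo 0
}

# plesk_patched VERSION MU: exit 0 if the host is at or above the advisory's
# level for its major line, 1 if it is below it, 2 if the major line is not
# covered by the advisory's table (e.g. a newer major release).
plesk_patched() {
    ver="$1" mu="${2:-0}"
    case "${ver%%.*}" in
        10) req=10.3.1; reqmu=6 ;;
        9)  req=9.5.4;  reqmu=11 ;;
        8)  req=8.6.0;  reqmu=2 ;;
        *)  return 2 ;;
    esac
    rel=$(vercmp "$ver" "$req")
    case "$rel" in
        1) return 0 ;;                                  # later release in the same line
        0) [ "$mu" -ge "$reqmu" ] && return 0 || return 1 ;;  # same release: MU decides
        *) return 1 ;;                                  # earlier release: unpatched
    esac
}
```

Usage: `plesk_patched 10.3.1 16 && echo patched`; Windows hosts on Plesk 9 and 8 need the Knowledge Base fix the advisory names and are not covered by this check.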

For now, we cannot confirm that Plesk 10.4.4 is supposed to be more stable than 10.3.1. 😈