Security advisory: Phusion Passenger and the CVE-2014-6271 Bash vulnerability
On 24 September 2014, an important security vulnerability for Bash was published. This vulnerability, dubbed “Shellshock” and with identifiers CVE-2014-6271 and CVE-2014-7169, allows remote code execution.
This vulnerability is not caused by Phusion Passenger, but does affect Phusion Passenger. We strongly advise users to upgrade their systems as soon as possible. Please note that while CVE-2014-6271 has been patched, CVE-2014-7169 isn’t. A fix is still pending.
Update: CVE-2014-7169 has been patched in Debian 7. Other operating system vendors may follow soon.
For details about how Phusion Passenger is related to this vulnerability, please refer to https://news.ycombinator.com/item?id=8369776.
Please refer to your operating system vendor’s upgrade instructions, for example:
- Ubuntu Linux: http://www.ubuntu.com/usn/usn-2362-1/
- Debian Linux: https://www.debian.org/security/2014/dsa-3032
- RedHat Linux: https://access.redhat.com/articles/1200223
- Amazon Linux: https://alas.aws.amazon.com/ALAS-2014-418.html
Phusion Passenger 4.0.41 released, OpenSSL Heartbleed security update
Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc. are already using it, as well as over 350.000 websites.
Phusion Passenger 4.0.41 has been released ahead of time in order to address the OpenSSL heartbleed security issue (CVE-2014-0160). This is an extremely serious vulnerability in OpenSSL which can completely negate the security that it provides. Users are advised to upgrade as soon as possible.
Phusion Passenger’s relationship with the OpenSSL heartbleed vulnerability is as follows.
We provide precompiled binaries for Passenger Standalone. These binaries are statically linked to OpenSSL in order to make them usable on a wide range of operating systems. With 4.0.41, the binaries have been upgraded to link against OpenSSL 1.0.1g, which fixes the heartbleed vulnerability.
You are vulnerable if:
- You are using Passenger Standalone, with SSL enabled inside Passenger Standalone (that is, `passenger start --ssl`).
You are not vulnerable (to the Passenger Standalone static linking issue) if:
- You are not using Passenger Standalone (e.g. if you’re using Phusion Passenger through the Apache or Nginx integration mode).
- You are using Passenger Standalone, but without SSL.
- Your Passenger Standalone is behind another SSL-enabled reverse proxy.
Update: Please note that the only thing this Phusion Passenger update fixes is any potential vulnerability in the Passenger Standalone binaries that we provide. Your system as a whole may still be vulnerable because you’re running a vulnerable OpenSSL version. Please check with your vendor for system updates.
There aren’t many other changes in this release:
- Fixed some issues with printing UTF-8 log files on Heroku.
- Added a new flag `--ignore-app-not-running` to `passenger-config restart-app`. When this flag is given, `passenger-config restart-app` will exit successfully when the specified application is not running, instead of exiting with an error.
Installing or upgrading to 4.0.41
Final
Phusion Passenger’s core is open source. Please
Phusion Passenger 4.0.40 released, Nginx 1.4.7 with buffer overflow fix
Phusion Passenger 4.0.40 has been released. The only change in this version is that the preferred Nginx version has been bumped to 1.4.7, because of a buffer overflow vulnerability in Nginx (CVE-2014-0133). Nginx users are strongly encouraged to upgrade.
Phusion Passenger 4.0.38 released
Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc. are already using it, as well as over 350.000 websites.
Phusion Passenger is under constant maintenance and development. Version 4.0.38 is a bugfix release.
Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.
Recent changes
- Fixed a symlink-related security vulnerability.
Urgency: low
Scope: local exploit
Summary: writing files to arbitrary directory by hijacking temp directories
Affected versions: 4.0.37
Fixed versions: 4.0.38
CVE-2014-1832
Description: This issue is related to CVE-2014-1831 (the security issue mentioned in the 4.0.37 release notes). The previous fix was incomplete and still left a (smaller) attack window between two filesystem checks. This attack window is now gone.
- Added support for the new Ruby 2.1.0 out-of-band garbage collector. This can greatly improve garbage collection performance, and drastically reduce request times.
- Passenger Standalone is now compatible with IPv6.
- Fixed some compilation problems on Solaris. See issue #1047.
- passenger-install-apache2-module and passenger-install-nginx-module now automatically run in `--auto` mode if stdin is not a TTY. Fixes issue #1030.
- Fixed an issue with non-bundled Meteor apps not correctly running in production mode.
- The `PassengerPreStart` option is now compatible with IPv6 server sockets.
- When running Python WSGI apps, `wsgi.run_once` is now set to False. This should improve the performance of certain apps and frameworks.
- When handling HTTP requests with chunked transfer encoding, the ‘Transfer-Encoding’ header is no longer passed to the application. This is because the web server already buffers and dechunks the request body.
- Fixed a possible hang in Phusion Passenger for Nginx when Nginx is instructed to reload or reopen log files. Thanks to Feng Gu, pull request #97.
- The preferred Nginx version has been upgraded to 1.4.6.
- Fixed a problem with running passenger-install-apache2-module and passenger-install-nginx-module on JRuby. They were not able to accept any terminal input after displaying the programming language menu.
Installing or upgrading to 4.0.38
Final
Phusion Passenger’s core is open source. Please
If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.
Phusion Passenger 4.0.25 released, upgrades to Nginx 1.4.4 which fixes CVE-2013-4547
Phusion Passenger is a fast and robust web server and application server for Ruby, Python, Node.js and Meteor. Passenger takes a lot of complexity out of deploying web apps, and adds powerful enterprise-grade features that are useful in production. High-profile companies such as Apple, New York Times, AirBnB, Juniper, American Express, etc. are already using it, as well as over 350.000 websites.
Phusion Passenger is under constant maintenance and development. Version 4.0.25 is a bugfix release.
Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.
Recent changes
- [Nginx] Upgraded preferred Nginx version to 1.4.4 because of CVE-2013-4547. Nginx users are advised to upgrade immediately.
- [Nginx] Introduced the `passenger_restart_dir` option.
- The `PassengerEnv`/`passenger_env`/`--environment` option now also sets NODE_ENV, so that Node.js frameworks like Connect can properly respond to the environment.
- Fixed a bug in our Debian/Ubuntu packages causing `passenger-install-nginx-module` not to be able to compile Nginx.
- Arbitrary Node.js application structures are now supported.
Installing or upgrading to 4.0.25
Final
Phusion Passenger’s core is open source. Please
If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.
Phusion Passenger 4.0.5 released
Phusion Passenger is software that deploys Ruby and Python web apps, by integrating into Apache and Nginx and turning them into a fully-featured application server. It is very fast, stable and robust and thus used by the likes of New York Times, AirBnB, Symantec, Pixar, etc. It comes with many features that make your life easier and your application perform better.
Phusion Passenger is under constant maintenance and development. Version 4.0.5 is a bugfix release.
Phusion Passenger also has an Enterprise version which comes with a wide array of additional features. By buying Phusion Passenger Enterprise you will directly sponsor the development of the open source version.
Recent changes
- [Standalone] Fixed a regression that prevented Passenger Standalone from starting. Fixes issue #899.
- Fixed security vulnerability CVE-2013-2119.
Urgency: low
Scope: local exploit
Summary: denial of service and arbitrary code execution by hijacking temp files
Affected versions: all versions
Fixed versions: 3.0.21 and 4.0.5
Description: Phusion Passenger’s code did not always create temporary files and directories in a secure manner. Temporary files and directories were sometimes created with a predictable filename. A local attacker can pre-create temporary files, resulting in a denial of service. In addition, this vulnerability allows a local attacker to run arbitrary code as another user, by hijacking temporary files.
By pre-creating certain temporary files with certain permissions, attackers can prevent Passenger Standalone from starting (denial of service).
By pre-creating certain temporary files with certain other permissions, attackers can trick `passenger start` and the build system (which is invoked by `passenger-install-apache2-module`/`passenger-install-nginx-module`) into running arbitrary code. The code runs as the user that ran `passenger start` or the build system. Attacks of this nature have to be timed exactly right: the attacker must overwrite the file contents right after Phusion Passenger has written them, but before the file is used. In the context of `passenger start`, the vulnerable window begins right after Passenger Standalone has created the Nginx config file, and ends when Nginx has read the config file. Once Nginx has started and initialized, the system is no longer vulnerable. `passenger stop` and other Passenger Standalone commands besides `start` are not vulnerable. In the context of the build system, the vulnerable window begins when `passenger-install-apache2-module`/`passenger-install-nginx-module` prints its first dependency checking message, and ends when it prints the first compiler command.
Only the `passenger start`, `passenger-install-apache2-module` and `passenger-install-nginx-module` commands are vulnerable. Phusion Passenger for Apache and Phusion Passenger for Nginx (once they are installed) are not vulnerable.
Fixed versions: 3.0.21 and 4.0.5 have been released to address this issue.
Workaround: You can use this workaround if you are unable to upgrade. Before invoking any Phusion Passenger command, set the `TMPDIR` environment variable to a directory that is not world-writable. Special care must be taken when you use sudo: sudo resets all environment variables, so you should either invoke sudo with `-E`, or set the environment variable after gaining root privileges with sudo.
Credits: Thanks to Kurt Seifried and Michael Scherer from Red Hat for reporting this issue.
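An added example (not Passenger’s own code) of the temp-file bug class behind CVE-2013-2119 and the check-then-use window mentioned for CVE-2014-1832 in the 4.0.38 notes, beside the hardened pattern; every file and directory name below is constructed for the demonstration.

```ruby
require "securerandom"
require "tmpdir"
require "fileutils"

# Added example, not Phusion Passenger code. Shows a predictable temp-file
# name in a shared directory (the bug class described above) next to the
# hardened pattern: private 0700 directory, random name, O_EXCL, and the
# advisory's TMPDIR check. All names here are constructed for the demo.

PREDICTABLE_NAME = "passenger-nginx.conf".freeze   # constructed, guessable name

# Vulnerable pattern: fixed name, plain "w" open. If another local user has
# already placed something at that path (here a symlink), the open follows it.
def write_config_predictable(dir, contents)
  path = File.join(dir, PREDICTABLE_NAME)
  File.open(path, "w", 0o600) { |f| f.write(contents) }
  path
end

# The advisory's workaround: the base directory must not be world-writable.
def world_writable?(dir)
  (File.stat(dir).mode & 0o002) != 0
end

# O_CREAT|O_EXCL fails with EEXIST if anything (file or symlink, even a
# dangling one) already exists at the path, so a planted entry is never reused.
# Creating and checking in one syscall also removes the check-then-use window.
def create_exclusively(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::EXCL, 0o600) { |f| f.write(contents) }
  path
end

# Hardened pattern: private 0700 directory (mkdir is atomic) plus random name.
def write_config_secure(base, contents)
  raise ArgumentError, "#{base} is world-writable; set TMPDIR elsewhere" if world_writable?(base)
  dir = Dir.mktmpdir("passenger-", base)
  create_exclusively(File.join(dir, "nginx-#{SecureRandom.hex(8)}.conf"), contents)
end

# Runs both patterns against a planted symlink and a world-writable directory,
# entirely inside a throwaway directory constructed for the demonstration.
def demo_tempfile_patterns
  Dir.mktmpdir do |base|
    shared = File.join(base, "shared")
    Dir.mkdir(shared, 0o700)
    victim = File.join(base, "victim.txt")
    File.write(victim, "original contents")
    File.symlink(victim, File.join(shared, PREDICTABLE_NAME))   # planted by "another user"

    write_config_predictable(shared, "worker_processes 1;")
    clobbered = File.read(victim) != "original contents"        # link was followed

    refused = begin
      create_exclusively(File.join(shared, PREDICTABLE_NAME), "worker_processes 1;")
      false
    rescue Errno::EEXIST
      true
    end

    private_ok = File.read(write_config_secure(shared, "worker_processes 1;")) == "worker_processes 1;"

    open_dir = File.join(base, "open")
    Dir.mkdir(open_dir)
    File.chmod(0o777, open_dir)   # explicit chmod, since umask would mask mkdir's mode
    rejected = begin
      write_config_secure(open_dir, "worker_processes 1;")
      false
    rescue ArgumentError
      true
    end

    { vulnerable_clobbered_target: clobbered, excl_refused_planted_path: refused,
      secure_wrote_config: private_ok, secure_rejected_world_writable_dir: rejected }
  end
end

puts demo_tempfile_patterns.inspect if $PROGRAM_NAME == __FILE__
```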
Installing 4.0.5
Quick install/upgrade
Phusion Passenger Enterprise users can download the Enterprise version of 4.0.5 from the Customer Area.
Open source users can install the open source version of 4.0.5 with the following commands:
gem install passenger
passenger-install-apache2-module
passenger-install-nginx-module
You can also download the tarball at Google Code. We strongly encourage you to cryptographically verify files after downloading them.
In-depth instructions
In-depth installation and upgrade instructions can be found in the Installation section of the documentation. The documentation covers:
- Detailed tarball installation instructions.
- Detailed upgrade instructions.
- Installation troubleshooting.
- Installation through APT and YUM.
You can view the documentation online here:
Final
If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.
Phusion Passenger 3.0.21 released
Phusion Passenger 3.0.21 is a bug fix release which backports some fixes from the 4.0 series. It is the last release in the 3.0 series and is meant for people who are not yet able to upgrade to the 4.0 series at this time.
Changes in this version
- Rebootstrapped the libev configure to fix compilation problems on Solaris 11.
- Fixed support for RVM mixed mode installations. Fixes issue #828.
- Fixed encoding problems in Phusion Passenger Standalone.
- Changed preferred Nginx version to 1.2.9.
- Catch exceptions raised by Rack application objects.
- Fix for CVE-2013-2119. Details can be found in the announcement for version 4.0.5.
- Version 3.0.20 was pulled because its fixes were incomplete.
Installing 3.0.21
Quick install/upgrade
Phusion Passenger Enterprise users can download the Enterprise version of 3.0.21 from the Customer Area.
Open source users can install the open source version of 3.0.21 with the following commands:
gem install passenger --version 3.0.21
passenger-install-apache2-module
passenger-install-nginx-module
You can also download the tarball at RubyForge. We strongly encourage you to cryptographically verify files after downloading them.
In-depth instructions
In-depth installation and upgrade instructions can be found in the Installation section of the documentation. The documentation covers:
- Detailed tarball installation instructions.
- Detailed upgrade instructions.
- Installation troubleshooting.
- Installation through APT and YUM.
You can view the documentation online here:
Final
If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.
Phusion Passenger 4.0.2 released
Phusion Passenger is software that deploys Ruby and Python web apps, by integrating into Apache and Nginx and turning them into a fully-featured application server. It is very fast, stable and robust and thus used by the likes of New York Times, AirBnB, Symantec, Pixar, etc. It comes with many features that make your life easier and your application perform better.
We are releasing an emergency release in response to a recently discovered remote code execution vulnerability in Nginx (CVE-2013-2028). Many versions of Nginx 1.3, as well as Nginx 1.4.0, are affected. Phusion Passenger 4.0.2 installs Nginx 1.4.1 by default. There are no other code changes.
Installing 4.0.2
Quick install/upgrade
Phusion Passenger Enterprise users can download the Enterprise version of 4.0.2 from the Customer Area.
Open source users can install the open source version of 4.0.2 with the following commands:
gem install passenger
passenger-install-apache2-module
passenger-install-nginx-module
You can also download the tarball at Google Code. We strongly encourage you to cryptographically verify files after downloading them.
In-depth instructions
In-depth installation and upgrade instructions can be found in the Installation section of the documentation. The documentation has been updated to cover 4.0 changes, including Enterprise features. You can view them online here:
Final
If you would like to stay up to date with Phusion news, please fill in your name and email address below and sign up for our newsletter. We won’t spam you, we promise.
Phusion server security report
Executive summary: our web host Linode has been compromised and the
responsible hacker group appears to claim to have had access to one of
the Phusion servers, which prompted us to start a full investigation.
So far, no evidence of third-party access has been found, and no
tampering with the Phusion Passenger Enterprise files has been found.
In spite of this, we are taking precautionary action and we urge
customers to verify their Phusion Passenger Enterprise installations
through the instructions at the bottom of this message.
Dear users and customers,
About 3 weeks ago, our web host Linode issued several public statements[1][2]
claiming that one of their customers was the subject of an attack by a group
called HTP. From what we’ve been able to read from HTP[3] a few hours ago, we
believe that SwiftIRC and/or nmap was the target Linode was referring to.
In Linode’s initial statement[1], they also mentioned that law officials were
aware of the attack and that Linode had found no evidence of other customer
data being compromised. We too hadn’t noticed any suspicious activity on our
servers and weren’t notified by Linode about being the attacked target which
led us to believe that this initial statement held true.
A few hours ago however, a statement released by HTP was brought to our
attention wherein they claimed otherwise[3]. In particular, the statement
appears to claim that HTP has had root access to one of the Phusion servers and
this immediately prompted us to start a new investigation of our own. Up to this
point, we have found no evidence that they have had access to our data, but we
are checking our systems several times over to minimize the possibility of
having missed a potential attack vector on the first few passes. We have also
contacted Linode to get a clarification on their first statement[1] in light of
new events that seem to indicate that nmap’s server was indeed compromised.
Pending this response, we didn’t want to take any risks in waiting to notify
our customers of the current situation.
The absence of evidence after all doesn’t necessarily mean that the server has
not been accessed: even though we feel we have taken all the necessary steps to
ensure maximum security on our servers, we continue to scrutinize our systems’
integrity at all times. There are after all a myriad of components that comprise
a server, and each of them could be a potential attack vector as long as fault
free software is something developers in general can only hope to aspire to.
More specifically, as long as erring is human, we can only hope to minimize
these chances rather than believing we can prevent them completely 100% of the
time. Zero day exploits can always occur at any time and the best thing we can
do is to be as transparent about this to our customers as we can. To that end,
we’d like to notify our customers that we are moving our services to another
web host and will be reinstalling our servers as a precaution.
If HTP has indeed compromised our systems without us being able to tell, then we
would be interested in learning how and would encourage them to contact us
(info@phusion.nl). We value security and transparency over pride and are
extremely committed towards serving our customers. It is also the reason why we
are informing our customers about this in an open manner several hours after
seeing HTP’s claim despite not being able to verify this claim to be accurate
ourselves.
We would also like to take this opportunity to encourage all Phusion Passenger
users – that is, open source users and Enterprise customers alike – to make use of
the PGP digital signatures that we employed since February this year.[4] Checking
the signature of your Phusion Passenger download against the corresponding key
helps minimize the chances of the downloaded software being tampered with.
We have already manually reviewed the Phusion Passenger Enterprise source code
and have found no evidence of suspicious activity. For your own safety however,
we would always recommend you to take proper caution when downloading and
installing software from the internet. The PGP digital signatures are provided
to aid in that aspect and we would highly recommend you to use this at all times.
Having said this, if our servers actually were accessed, then it’s possible that
the attackers temporarily inserted compromised gems and tarballs and removed
them later. We therefore urge our Enterprise customers to verify the integrity
of their Phusion Passenger Enterprise installations. Instructions can be found
at the end of this message.
In any case, Phusion has not, does not and will not store customer credit card
information on any of its servers. All credit card information is stored on
servers of third party, PCI-DSS compliant payment gateways, e.g. FastSpring
and Paypal. Phusion also does not store customer passwords in plain text; all
customer passwords are stored in BCrypt format.
The open source version of Phusion Passenger is hosted on another server, namely
GitHub, and we have also found no suspicious activity in its repository.
We understand that after reading all this, you might have concerns with regards
to your own server’s integrity. Even though we have found no evidence of
suspicious activity on our own servers or in Phusion Passenger’s code base, we
feel that we should still encourage you to keep scrutinizing your own
servers’ integrity and take the steps you deem necessary in maximizing its
security.
Needless to say, we remain committed in being transparent towards our customers
and will continue in keeping them up to date of any of our findings concerning
this matter. If you have any questions, please feel encouraged to contact
support@phusion.nl.
With warm regards,
Hongli Lai
Ninh Bui
References:
[1] https://blog.linode.com/2013/04/12/security-notice-linode-manager-password-reset/
[2] https://blog.linode.com/2013/04/16/security-incident-update/
[3] http://straylig.ht/zines/HTP5/0x02_Linode.txt
[4] http://www.modrails.com/documentation/Users%20guide%20Apache.html#_cryptographic_verification_of_installation_files
Instructions for verifying Phusion Passenger Enterprise installations
We have generated SHA-1 hashes of all Phusion Passenger Enterprise files
inside the gems and tarballs. You can use these hashes to verify your installed
Phusion Passenger files. If anything is amiss or if you require further
assistance, please contact support@phusion.nl.
- Install GnuPG. Debian users can `apt-get install gnupg`, OS X users can use GPG Tools: https://gpgtools.org/
- Login to the Customer Area: https://www.phusionpassenger.com/orders
- Scroll down to the “Files” section.
- Download the “sha1sums.txt” and “sha1sums.txt.asc” files that pertain to the version of Phusion Passenger Enterprise that you’re currently running. Ensure that both files are in the same directory.
- Import the Phusion Software Signing PGP key: http://www.modrails.com/documentation/Users%20guide%20Apache.html#_importing_the_phusion_software_signing_key
  Name: Phusion Software Signing (software-signing@phusion.nl)
  Short key ID: 0x0A212A8C
  Long key ID: 0x2AC745A50A212A8C
  Fingerprint: D5F0 8514 2693 9232 F437 AB72 2AC7 45A5 0A21 2A8C
- Set this key to trusted: `gpg --edit-key software-signing@phusion.nl`. Then in the GPG prompt, type: trust. Choose: 5 = I trust ultimately. In the GPG prompt, type: save.
- Verify the downloaded sha1sums.txt against its signature: `gpg --verify sha1sums.txt.asc`. You should see:
  Good signature from “Phusion Software Signing software-signing@phusion.nl“
- Copy sha1sums.txt to your server.
- On your server, find out where the Phusion Passenger files are by running: `passenger-config --root`
- Run: cd
- Run: `sha1sum -c /path-to/sha1sums.txt --quiet`
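An added example, not Phusion’s own tooling, of what the last step does: a checker for the sha1sums.txt format (one `<hex sha1>  <relative path>` line per file) run against an installation root such as the one `passenger-config --root` prints, reporting every altered or missing file rather than stopping at the first; the install tree it runs over is constructed for the demonstration, and the GPG signature check above must still be done first.

```ruby
require "digest"
require "tmpdir"
require "fileutils"

# Added example, not Phusion code. Parses sha1sum-style lines
# ("<40 hex chars>" then two spaces or " *" then the relative path) into
# a path => digest map. Malformed lines are an error, not silently skipped.
def parse_sha1sums(text)
  text.each_line.with_object({}) do |line, out|
    next if line.strip.empty?
    hex, path = line.chomp.split(/ [ *]/, 2)
    raise ArgumentError, "bad line: #{line.inspect}" unless hex =~ /\A\h{40}\z/ && path
    out[path] = hex.downcase
  end
end

# Hashes every listed file under root. Returns
# { ok: [...], mismatched: [...], missing: [...] } so a report can show
# exactly which files were altered or removed, not just a pass/fail.
def verify_installation(root, sha1sums_text)
  result = { ok: [], mismatched: [], missing: [] }
  parse_sha1sums(sha1sums_text).each do |rel, expected|
    full = File.join(root, rel)
    if !File.file?(full)
      result[:missing] << rel
    elsif Digest::SHA1.file(full).hexdigest == expected
      result[:ok] << rel
    else
      result[:mismatched] << rel
    end
  end
  result
end

def installation_clean?(result)
  result[:mismatched].empty? && result[:missing].empty?
end

# Constructed demonstration: a fake install root with one intact file,
# one whose contents were altered after the sums were taken, and one deleted.
def demo_verify
  Dir.mktmpdir do |root|
    files = { "bin/passenger" => "#!/bin/sh\necho passenger\n",
              "lib/core.rb"   => "puts 1\n",
              "README"        => "hi\n" }
    files.each do |rel, body|
      FileUtils.mkdir_p(File.dirname(File.join(root, rel)))
      File.write(File.join(root, rel), body)
    end
    sums = files.map { |rel, body| "#{Digest::SHA1.hexdigest(body)}  #{rel}" }.join("\n") + "\n"
    File.write(File.join(root, "lib/core.rb"), "puts 2\n")   # tampered after hashing
    File.delete(File.join(root, "README"))                   # removed after hashing
    verify_installation(root, sums)
  end
end

puts demo_verify.inspect if $PROGRAM_NAME == __FILE__
```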
Phusion Passenger 4.0 beta 1 and 2: arbitrary file deletion vulnerability
The Phusion Passenger 4.0 betas contain a vulnerability which allows arbitrary files to be deleted on the system. The vulnerability is local and cannot be exploited remotely. The vulnerability can only be triggered during application startup (e.g. during evaluation of config.ru). Environments that are at risk include, but may not be limited to:
- Environments that host arbitrary untrusted applications, e.g. shared hosting environments.
- Applications which contain vulnerabilities that allow their own code to be modified.
- Environments in which untrusted non-root users can modify application code.
Affected users are advised to upgrade to 4.0.0 RC 4.
Affected versions
- Phusion Passenger open source 4.0.0 beta 1
- Phusion Passenger open source 4.0.0 beta 2
- Phusion Passenger Enterprise 4.0.0 beta 1
- Phusion Passenger Enterprise 4.0.0 beta 2
Unaffected versions
- Phusion Passenger open source 3.x and earlier
- Phusion Passenger open source 4.0.0 RC 1 and later
- Phusion Passenger Enterprise 3.x and earlier
- Phusion Passenger Enterprise 4.0.0 RC 1 and later