CVE-2019-11043

Summary

CVE	CVE-2019-11043
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2019-10-28 15:15:00 UTC
Updated	2023-11-07 03:02:00 UTC
Description	In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.

Risk And Classification

EPSS: 0.940620000 probability, percentile 0.999010000 (date 2026-04-01)

CISA KEV: Listed on 2022-03-25; due 2022-04-15; ransomware use Known

Problem Types: CWE-787

CISA Known Exploited Vulnerability

Vendor	PHP
Product	FastCGI Process Manager (FPM)
Name	PHP FastCGI Process Manager (FPM) Buffer Overflow Vulnerability
Required Action	Apply updates per vendor instructions.
Notes	https://nvd.nist.gov/vuln/detail/CVE-2019-11043

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.10	All	All	All
Operating System	Canonical	Ubuntu Linux	12.04	All	All	All
Operating System	Canonical	Ubuntu Linux	14.04	All	All	All
Operating System	Canonical	Ubuntu Linux	16.04	All	All	All
Operating System	Canonical	Ubuntu Linux	18.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.04	All	All	All
Operating System	Canonical	Ubuntu Linux	19.10	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	9.0	All	All	All
Application	Php	Php	All	All	All	All
Application	Php	Php	All	All	All	All

References

Reference	Source	Link	Tags
Red Hat Customer Portal	REDHAT	access.redhat.com
CVE-2019-11043 PHP Vulnerability in NetApp Products \| NetApp Product Security	CONFIRM	security.netapp.com
Debian -- Security Information -- DSA-4552-1 php7.0	DEBIAN	www.debian.org	Third Party Advisory
PHP :: Sec Bug #78599 :: env_path_info underflow in fpm_main.c can lead to RCE	CONFIRM	bugs.php.net	Exploit, Issue Tracking, Patch, Vendor Advisory
GitHub - neex/phuip-fpizdam	MISC	github.com	Exploit, Third Party Advisory
[SECURITY] Fedora 31 Update: php-7.3.11-1.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[R1] Tenable.sc 5.19.0 Fixes Multiple Third-party Vulnerabilities - Security Advisory \| Tenable®	CONFIRM	www.tenable.com
Red Hat Customer Portal	REDHAT	access.redhat.com
[SECURITY] Fedora 30 Update: php-7.3.11-1.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
[security-announce] openSUSE-SU-2019:2457-1: important: Security update	SUSE	lists.opensuse.org
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	REDHAT	access.redhat.com
About the security content of macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra - Apple Support	CONFIRM	support.apple.com
[SECURITY] Fedora 31 Update: php-7.3.11-1.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Red Hat Customer Portal	REDHAT	access.redhat.com
USN-4166-1: PHP vulnerability \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
USN-4166-2: PHP vulnerability \| Ubuntu security notices \| Ubuntu	UBUNTU	usn.ubuntu.com	Third Party Advisory
support.f5.com/csp/article/K75408500	CONFIRM	support.f5.com
Red Hat Customer Portal	REDHAT	access.redhat.com
PHP-FPM 7.x Remote Code Execution ≈ Packet Storm	MISC	packetstormsecurity.com
Debian -- Security Information -- DSA-4553-1 php7.3	DEBIAN	www.debian.org	Third Party Advisory
[SECURITY] Fedora 30 Update: php-7.3.11-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
Red Hat Customer Portal	REDHAT	access.redhat.com
Red Hat Customer Portal	REDHAT	access.redhat.com
[SECURITY] Fedora 29 Update: php-7.2.24-1.fc29 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Bugtraq: APPLE-SA-2020-1-28-2 macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra	BUGTRAQ	seclists.org
[security-announce] openSUSE-SU-2019:2441-1: important: Security update	SUSE	lists.opensuse.org
myF5		support.f5.com
Synology Inc.	CONFIRM	www.synology.com
Full Disclosure: APPLE-SA-2020-1-28-2 macOS Catalina 10.15.3, Security Update 2020-001 Mojave, Security Update 2020-001 High Sierra	FULLDISC	seclists.org
[SECURITY] Fedora 29 Update: php-7.2.24-1.fc29 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis
CISA Known Exploited Vulnerabilities catalog	CISA	www.cisa.gov	kev

Vendor Comments And Credit

Discovery Credit

LEGACY: Reported by Emil Lerner.

Legacy QID Mappings

296078 Oracle Solaris 11.4 Support Repository Update (SRU) 16.4.0 Missing (CPUOCT2019)
376904 Alibaba Cloud Linux Security Update for Hypertext Preprocessor (PHP) (ALINUX2-SA-2019:0120)
376936 Alibaba Cloud Linux Security Update for php:7.3 (ALINUX3-SA-2022:0049)
378192 Virtuozzo Linux Security Update for php-xmlrpc (VZLSA-2019:3286)
378309 Virtuozzo Linux Security Update for php-soap (VZLSA-2019:3287)
501133 Alpine Linux Security Update for php7
710123 Gentoo Linux Hypertext Preprocessor (PHP) Arbitrary code execution Vulnerability (GLSA 201910-01)
752878 SUSE Enterprise Linux Security Update for php7 (SUSE-SU-2022:4067-1)
940198 AlmaLinux Security Update for php:7.2 (ALSA-2019:3735)
940274 AlmaLinux Security Update for php:7.3 (ALSA-2019:3736)
960709 Rocky Linux Security Update for php:7.3 (RLSA-2019:3736)
960785 Rocky Linux Security Update for php:7.2 (RLSA-2019:3735)