Paper Lantern for cPanel accounts is being retired this year. Find out more »
cPanel & WHM Version 102 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Improve handling of security issues

Monarobase shared this idea 50 days ago
Needs Review

As a web-hosting provider, I would like cPanel to notify its customers when there is a security issue that requires a feature to be disabled and also fix known security issues faster, so that cPanel servers don't get hacked.


The recent security issue with Horde has been very poorly managed by cPanel, and I would like cPanel to improve the way they manage such security issues.


The current timeline for the horde security issue is


https://support.cpanel.net/hc/en-us/articles/6483941705239-CVE-2022-30287-RCE-Vulnerability-reportedly-discovered-in-horde-


31/05/2022 (26 days ago) CVE-2022-30287 was publicly announced in a blog post by the security researcher

10/06/2022 (15 days ago ) cPanel aknoleges the security issue publicly here without informing their customers by any other means : https://support.cpanel.net/hc/en-us/articles/6483941705239-CVE-2022-30287-RCE-Vulnerability-reportedly-discovered-in-horde- 12/06/2022 (12 days ago) Horde releases Turba 4.2.28 to fix these issues

16/06/2022 (9 days ago) Plesk releases an updated version of Horde

25/06/2022 (today) cPanel has still not informed their customers by e-mail or within the WHM interface that they need to disable horde. cPanel also hasn't provided an ETA to updating horde.


and has not released a fix for this issue. cPanel's support say they do not have access to an ETA.


What should have happened :


cPanel should have detected the security issue earlier and determined the current workaround (disable horde) within 48 hours.

cPanel should have informed their customers that they need to disable horde within a few days.

cPanel should have released a fixed version with 5 days at least to their edge branch


We would like cPanel to add a message to WHM when logging in as root user when a security issue requires their intervention, we would also like cPanel to create a security mailing list to which sysadmins can subscribe to be notified about security issues.


We would also like cPanel to improve the speed at which cPanel resolves security issues and also provide ETAs for releasing security fixes when they are publicly known.

Leave a Comment
 
Attach a file