How to Fix the Recent Plesk Security Vulnerability

All versions of Plesk released before September 2011 are vulnerable to a security issue that can be used to compromise your server. Codero has seen hundreds of Plesk servers compromised through this vulnerability, so we recommend that you take immediate action to resolve it.

Note: If you are a managed server customer, Codero has already patched your server(s) and no action is needed on your part. If you are not a managed server customer, patching your server is your responsibility. If you need assistance, Codero staff can patch your server(s) for you at our Advanced Support rate of $99/hour. Please log in to ServerPortal.com and submit a support ticket if you wish Codero to patch your server for you.

You can check whether you are vulnerable by running this script from Parallels. If the script says “Plesk is up to date” or “The patch has been successfully applied”, you do not need to do anything further.

If you receive the message “The patch has not been applied”, you need to update Plesk to a newer, more secure version.

To update, you need to know which major version of Plesk you are running. See the instructions for finding your version of Plesk. An example version string is “9.2.1 CentOS 5 92090422.13”: this server is on major version 9, minor version 2.1, with microupdate #13.

The official Parallels directions on how to run the autoinstaller to apply updates are here.

If you are on major version 8, you need to update to 8.6.0. If you are already on 8.6.0, you may need to run the autoinstaller twice: the first run upgrades the autoinstaller itself so that it can receive microupdates. 8.6.0 with microupdate #2 is the first safe version.

If you are on major version 9.x, run the autoinstaller and select version 9.5.4. Version 9.5.4 with microupdate #11 is the first safe version.

If you are on major version 10.x, upgrade to at least 10.3.3 and install all microupdates through the autoinstaller.
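As an added example (not from the Codero page or from Parallels), the following POSIX shell check parses a version string in the format shown above and compares it with the first safe release for each major version listed here. The function names are made up for this example, and reading the string from /usr/local/psa/version is an assumption about where Linux Plesk installs keep it.

```shell
#!/bin/sh
# Print "major minor patch microupdate" for a Plesk version string such as
# "9.2.1 CentOS 5 92090422.13" (the digits after the last dot of the final
# token are the microupdate number).
plesk_parse_version() {
  _ver=${1%% *}                       # first token, e.g. 9.2.1
  case "$1" in
    *" "*) _build=${1##* } ;;         # last token, e.g. 92090422.13
    *)     _build="" ;;
  esac
  _major=${_ver%%.*}
  case "$_ver" in
    *.*.*) _minor=${_ver#*.}; _minor=${_minor%%.*}; _patch=${_ver##*.} ;;
    *.*)   _minor=${_ver#*.}; _patch=0 ;;
    *)     _minor=0; _patch=0 ;;
  esac
  case "$_build" in
    *.*) _mu=${_build##*.} ;;         # ".13" suffix means microupdate #13
    *)   _mu=0 ;;                     # no suffix: no microupdate applied
  esac
  echo "$_major $_minor $_patch $_mu"
}
# Comparable key for minor/patch/microupdate; only used within one major.
plesk_version_key() { printf '%03d%03d%03d\n' "$1" "$2" "$3"; }
# Exit 0 if at or above the first safe release for that major version,
# 1 if still vulnerable, 2 if the major version is not covered here.
plesk_version_is_safe() {
  set -- $(plesk_parse_version "$1")
  case "$1" in
    8)  _need="6 0 2" ;;              # 8.6.0 with microupdate #2
    9)  _need="5 4 11" ;;             # 9.5.4 with microupdate #11
    10) _need="3 3 0" ;;              # 10.3.3, then install all microupdates
    *)  return 2 ;;
  esac
  _have=$(plesk_version_key "$2" "$3" "$4")
  _want=$(plesk_version_key $_need)
  [ "$_have" -ge "$_want" ]
}
# Report on a version string, or (assumption) on the contents of
# /usr/local/psa/version, where Linux Plesk installs normally keep it.
plesk_report() {
  _v=${1:-$(cat /usr/local/psa/version 2>/dev/null)}
  _rc=0; plesk_version_is_safe "$_v" || _rc=$?
  case $_rc in
    0) echo "OK: $_v is at or above the first safe release" ;;
    1) echo "VULNERABLE: $_v - upgrade as described above" ;;
    *) echo "UNKNOWN: major version in '$_v' not covered" ;;
  esac
}
```

A passing result here only means the version is at or above the first safe release; the Parallels checker script is still the authoritative test for whether the patch is present.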

Once you are done upgrading, please run the vulnerability checker again to verify you have fixed the issue. If you are not able to perform the update for any reason, please open a ticket through Server Portal.

Please note that if your server is compromised through this vulnerability and you did not patch despite the multiple notices from Codero, the Server Protection Plan will not cover the compromise.
