Preface: Let’s review CVE-2019-11043; it is still valid today!
It is an underflow vulnerability in PHP-FPM on Nginx, affecting versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11.
Background: Many people have criticized the performance of the Apache server, so web application developers sometimes decide to shift their architecture to an event-driven server. An event-driven server typically has a single thread that manages all connections to the server. The thread uses the select() system call to wait for events on all of these connections simultaneously. As such, an event-driven architecture greatly increases the volume and speed at which connections are served.
NGINX uses an event-driven architecture with nonblocking I/O. Its design waits for events on the listening and connection sockets.
Nginx itself is just a simple HTTP server. If you need to run programs, you have to use the help of CGI; a common setup is Nginx + PHP-FPM. But a drawback of CGI is that each page load incurs overhead by having to load the programs into memory. Scripts that process remote user input, such as the contents of a form or a “searchable index” command, may be vulnerable to attacks in which the remote user tricks them into executing commands.
Impact: An attacker can exploit an underflow vulnerability in versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 of PHP-FPM on Nginx. Only servers with certain Nginx + PHP-FPM configurations are exploitable. So, be alert!
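A defender-side check for the two conditions above, added here as an example (not code from the original post or from the PHP or Nginx projects). The version thresholds are the ones listed on this page; the configuration heuristic (a location that uses `fastcgi_split_path_info` and `fastcgi_pass` with no file-existence guard) follows the public advisories for this CVE rather than this page, and the function names and sample config are constructed.

```python
import re

# First fixed release per affected branch, as listed on this page.
FIXED = {(7, 1): 33, (7, 2): 24, (7, 3): 11}

def php_fpm_affected(version):
    """True if an upstream version string falls in a range the page lists."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    return fixed is not None and patch < fixed

def location_blocks(conf):
    """Yield (header, body) for each location block, matching nested braces."""
    conf = re.sub(r"#.*", "", conf)  # drop comments (heuristic)
    for m in re.finditer(r"\blocation\b([^{;]*)\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1).strip(), conf[m.end():i - 1]

def risky_locations(conf):
    """Locations that split PATH_INFO and reach FastCGI with no file check."""
    return [h for h, body in location_blocks(conf)
            if re.search(r"\bfastcgi_split_path_info\b", body)
            and re.search(r"\bfastcgi_pass\b", body)
            and not re.search(r"\btry_files\b|!\s*-f\b", body)]

# Constructed sample: first location is unguarded, second checks the file.
SAMPLE = r"""
server {
    location ~ [^/]\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_pass 127.0.0.1:9000;
    }
    location ~ ^/app/.+\.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_pass 127.0.0.1:9000;
    }
}
"""
```

Distribution packages often backport fixes without changing the upstream version number, so treat a positive version result as a prompt to check the vendor advisory rather than as proof.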