EasyEngine 3.5.6 Fixes ImageMagick Remote Code Execution Vulnerability

TL;DR; Just run ee update as soon as possible on all server running EasyEngine.


imagetragick-logoA serious vulnerability has been discovered in ImageMagick, which is widely popular package used for image processing. EasyEngine installs ImageMagick for all PHP sites.  WordPress uses ImageMagick first, before falling back to GD library.

ImageMagick is currently working on a patch, available in the latest source code on GitHub, but it’s incomplete and not yet ready for official release.

You can read more about this at ImageTragick.

Workarounds

Below are some workarounds.

#1. Update EasyEngine

You can update EasyEngine using ee update to latest version 3.5.6.

This update fixes ImageMagick policy.xml file which one of two recommended way.

Read next point for more details.

#2. Fix ImageMagick Manually

You can do one of two things, but if possible do both. (source https://imagetragick.com/)

  1. Verify that all image files begin with the expected “magic bytes” corresponding to the image file types you support before sending them to ImageMagick for processing.

  2. Use a policy file to disable the vulnerable ImageMagick coders. The global policy for ImageMagick is usually found in “/etc/ImageMagick”.  The below policy.xml example will disable the coders EPHEMERAL, URL, MVG, and MSL.

The first one is hard to do as it will require application level modification.

The second one is easier to fix. Please edit ImageMagick policy file /etc/ImageMagick/policy.xml add following lines to it:

<policymap>
  <policy domain="coder" rights="none" pattern="EPHEMERAL" />
  <policy domain="coder" rights="none" pattern="URL" />
  <policy domain="coder" rights="none" pattern="HTTPS" />
  <policy domain="coder" rights="none" pattern="MVG" />
  <policy domain="coder" rights="none" pattern="MSL" />
</policymap>

EasyEngine v3.5.6 update uses this second method.

Unfortunately, EasyEngine cannot provide patch for first method. It’s better you read next point also.

#3. Remove ImageMagick

As mentioned earlier, WordPress doesn’t depend on ImageMagick and can be safely removed as far as core WordPress image processing is concerned.

So if you do not have any functionality that depends on ImageMagick, you can remove ImageMagick from your server using following command:

For PHP 5.6 and PHP 7.x, use

apt-get remove php-imagick

For PHP 5.5 or earlier, use

apt-get remove php5-imagick

What’s Next?

We hope to release another minor update once ImageMagick team completes fix in core package.

In meantime, you can monitor imagetragick.com for more updates.

Links: ImageTragick | EasyEngine 3.5.6