Multiple high-severity flaws in the open-source OpenLiteSpeed Web Server and its enterprise variant have been discovered, which could be exploited to achieve remote code execution.
"Adversaries could compromise the web server and gain fully privileged remote code execution by chaining and exploiting the vulnerabilities," Palo Alto Networks Unit 42 said in a Thursday report.
OpenLiteSpeed, the open-source edition of LiteSpeed Web Server, is the world's sixth most popular web server, with 1.9 million unique servers.
The first of the three flaws is a directory traversal flaw (CVE-2022-0072, CVSS score: 5.8) that could be used to gain access to restricted files in the web root directory.
The remaining two vulnerabilities (CVE-2022-0073 and CVE-2022-0074, CVSS scores: 8.8) are related to privilege escalation and command injection, respectively, which could be chained to achieve privileged code execution.
CVE-2022-0073 was discovered by Unit 42 researchers Artur Avetisyan, Aviv Sasson, Ariel Zelivansky, and Nathaniel Quist. "A threat actor who managed to gain the credentials to the dashboard, whether through brute-force attacks or social engineering, could exploit the vulnerability in order to execute code on the server," they said.
The problems affect many versions of OpenLiteSpeed (from 1.5.11 to 1.7.16) and LiteSpeed (from 5.4.6 to 6.0.11), and have been fixed in versions 1.7.16.1 and 6.0.12 following responsible disclosure on October 4, 2022.
——-
Update:
OLS Upgraded from 1.6 to 1.7.16:
Hello Everyone,
On all connected servers, we have updated and upgraded the OpenLiteSpeed version from 1.6 to 1.7.16 with the latest patch.
LiteSpeed/1.7.16 Open (BUILD built: Mon Oct 17 21:33:28 UTC 2022).
On a newly configured server, you will also receive OLS version 1.7.16.
To determine your server's OLS version, use the following command.
/usr/local/lsws/bin/openlitespeed -v
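A version check built on the command above, as an added example that is not part of the original post: it parses the version banner and compares it with the affected and fixed versions quoted in the article (OpenLiteSpeed 1.5.11 to 1.7.16 affected, 1.7.16.1 fixed; LiteSpeed 5.4.6 to 6.0.11 affected, 6.0.12 fixed). The function names are hypothetical, and the result reflects the version string only.

```shell
#!/bin/sh
# Added example (not from the original post): compare a LiteSpeed version
# banner with the affected/fixed versions quoted in the article above.

# Pull the dotted version out of a banner like "LiteSpeed/1.7.16 Open (...)".
version_from_banner() {
    printf '%s\n' "$1" | sed -n 's|.*LiteSpeed/\([0-9][0-9.]*[0-9]\).*|\1|p' | head -n 1
}

# Succeed if version $1 <= version $2. Up to four numeric fields are compared;
# missing fields count as 0, so 1.7.16 sorts before 1.7.16.1.
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 4; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 0
    }'
}

# range_status VERSION FIRST_AFFECTED FIRST_FIXED
# Prints: fixed | affected | not-listed (older than the stated range) | unknown
range_status() {
    case $1 in
        ''|*[!0-9.]*) echo unknown; return 0 ;;
    esac
    if ver_le "$3" "$1"; then echo fixed
    elif ver_le "$2" "$1"; then echo affected
    else echo not-listed
    fi
}

# Bounds as stated in the article.
ols_status()  { range_status "$1" 1.5.11 1.7.16.1; }   # OpenLiteSpeed
lsws_status() { range_status "$1" 5.4.6 6.0.12; }      # LiteSpeed Enterprise

# Banner quoted in the update above. On a server, use instead:
#   banner=$(/usr/local/lsws/bin/openlitespeed -v 2>&1)
banner='LiteSpeed/1.7.16 Open (BUILD built: Mon Oct 17 21:33:28 UTC 2022)'
found=$(version_from_banner "$banner")
echo "OpenLiteSpeed $found: $(ols_status "$found")"
```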
Hi there,
As it’s already Nov, Managed-WP Team wants to remind you about a HUGE promotion just around the corner: Black Friday.
This year, Black Friday falls on 25th November, and we’re ready to make it our biggest ever.
With this in mind, it’s time to prepare. Here’s the brief:
- We’re launching the special discount code: BFCM2270. Users signing up with this code will get an extra 70% off Managed-WP PRO hosting (not applicable to monthly plans)
- The deal is valid from 8rd November until 5th December 2022
Please let us know if there’s any way we can support you in making this the most successful Black Friday budget save plan yet.
Best regards,
Angela
CODE: LTD40
REDEEM PERIOD: FROM NOW TILL 4 NOV 2022.
Terms & Conditions
You are eligible for receiving our services under the laws of HKSAR.
1. This offer is only valid for all customers.
2. Each claimant is entitled to unlimited coupons.
3. Each coupon is eligible for a single-use, non-transferable, and valid for a lifetime until unsubscribing of Managed-WP.™ PRO plan or Managed-WP.™ PRO plan end of life.
4. You must sign up with the promo code and upgrade your account to avail of this offer.
5. This offer cannot be used with any other existing Managed-WP.™ offer.
Exclusive Managed-WP.™ PRO Promo Code for All Customers!
Get a Whopping 40% Off for Life!
CODE: LTD40
REDEEM PERIOD: FROM NOW TILL 31 AUG 2022.
Terms & Conditions
You are eligible for receiving our services under the laws of HKSAR.
1. This offer is only valid for all customers.
2. Each claimant is entitled to unlimited coupons.
3. Each coupon is eligible for a single-use, non-transferable, and valid for a lifetime until unsubscribing of Managed-WP.™ PRO plan or Managed-WP.™ PRO plan end of life.
4. You must sign up with the promo code and upgrade your account to avail of this offer.
5. This offer cannot be used with any other existing Managed-WP.™ offer.
Hi,
We are excited to announce NEXT-GEN Premium Managed WordPress hosting - Managed-WP.™ PRO !
Managed-WP.™ PRO includes the following:
- Built on Vultr infrastructure with 7 locations
- Free Global Unlimited CDN: BunnyCDN
- Included auto and manual backup: to protect your website from any disasters.
- Highest efficiency webserver: LiteSpeed Enterprise with Cache helps you process 10x more than a traditional webserver.
- 24/7 Premium WordPress Support
Check it out now at https://managed-wp.com
Johnny Lee
Customer Success @Managed-WP.™
Why should you use OpenLiteSpeed?
Vultr cloud orchestration takes over and runs up your instance in the data center of your choice as soon as you click deploy.
Deploy OLS in mins
Use our pre-built OpenLiteSpeed stack to get started delivering your next PHP application. The admin portal, firewall, and database have all been pre-configured and are ready to go live on the internet!
Features that are extremely effective
OpenLiteSpeed is based on the LiteSpeed corporate web server. It includes a robust event-driven design, Apache rewrite support, cache acceleration, bandwidth limiter, and much more!