Information about vulnerabilities in LiteSpeed

Earlier versions of LiteSpeed, the web server we use, contain three serious vulnerabilities. Our servers are not affected.

Unit 42, an American IT security company, has today published information about three vulnerabilities in LiteSpeed, the web server that we use for most of our servers. Our servers are not affected.

What do the vulnerabilities mean?

By exploiting the serious vulnerabilities (CVE-2022-0073 and CVE-2022-0074), an attacker can remotely execute code and escalate privileges up to root. This requires the attacker to have gained access to the administrator interface.

The third vulnerability (CVE-2022-0072) allows an attacker to search the file system and gain access to files in the root directory of the web server.

You can read more about the vulnerabilities at CERT-SE and at Unit 42.

Our servers are not affected

LiteSpeed is the web server used on almost all of our servers. The version we use is not affected by these vulnerabilities. They are present in earlier versions (5.4.6 up to 6.0.11), and all our servers have since been updated to a later version.