Security Alert (A19-09-02): Multiple Vulnerabilities in PHP


 

Published on: 06 September 2019

Description:

Multiple vulnerabilities have been found in PHP. A remote attacker may exploit the vulnerabilities by sending specially crafted requests to an affected system.

Please note that PHP version 7.1 will reach its end-of-life on 1.12.2019 and no security updates will be provided after that. Support for older PHP versions, including version 7.0 and 5.x, were ceased. Users should arrange upgrading the PHP to the latest version or migrating to other supported technology.

 

Affected Systems:

  • PHP 7.1 prior to 7.1.32
  • PHP 7.2 prior to 7.2.22
  • PHP 7.3 prior to 7.3.9

 

Impact:

Attempts to exploit the vulnerabilities could lead to arbitrary code execution and denial of services on an affected system.

 

Recommendation:

PHP has released new versions to address the issues and they can be downloaded at the following URLs:

  • PHP version 7.1.32
    https://www.php.net/downloads.php#v7.1.32

  • PHP version 7.2.22
    https://www.php.net/downloads.php#v7.2.22

  • PHP version 7.3.9
    https://www.php.net/downloads.php#v7.3.9

Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

https://www.php.net/ChangeLog-7.php#7.1.32
https://www.php.net/ChangeLog-7.php#7.2.22
https://www.php.net/ChangeLog-7.php#7.3.9
https://www.php.net/supported-versions.php
https://www.us-cert.gov/ncas/current-activity/2019/09/05/ms-isac-releases-advisory-php-vulnerabilities
https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2019-087/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13224

 



Tag: PHP
Tags