This morning, we became aware of a couple of announcements from the Center for Internet Security that some recently discovered vulnerabilities in PHP have been publicly disclosed. These include a severe vulnerability that may allow for the remote injection and execution of arbitrary code on a web server that uses PHP.
- MS-ISAC 2018-113 - Multiple vulnerabilities in PHP could allow for arbitrary code execution - dated 2018-10-12.
- MS-ISAC 2018-092 - Multiple vulnerabilities in PHP could allow for arbitrary code execution - dated 2018-08-20.
The problem exists in PHP 7.2 versions before 7.2.11 and in PHP 7.1 versions before 7.1.23. It is not clear from the announcements whether the problem exists in older versions of PHP.
- For PHP 7.x, we recommend applying all package updates for PHP as soon as they are available for your Linux distribution.
- For older versions, especially PHP versions that are officially EOL'd, you may need to do more research to find out whether your version of PHP is vulnerable. Either way, applying all package updates for PHP is highly recommended.
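To triage hosts against the version ranges above, the following shell function classifies a PHP version string. It is an added example, not part of the MS-ISAC announcements; the function name `classify_php_version` and the `--installed` switch are illustrative, and the version strings in the comments are constructed.

```shell
#!/bin/sh
# Added example: classify a PHP version against the fixed releases named
# in the text (7.2.11 and 7.1.23). Names here are illustrative.
#
# Caveats:
#  - Distribution packages can carry backported fixes under an older
#    upstream version number, so "affected" means "check the package
#    changelog and apply updates", not proof of exposure.
#  - The php CLI on PATH may differ from the PHP the web server runs
#    (mod_php, php-fpm); check each one.

# classify_php_version VERSION  -> prints one of:
#   affected  7.2.x before 7.2.11, or 7.1.x before 7.1.23
#   fixed     7.2.x / 7.1.x at or above the fixed release
#   unknown   any other branch (the announcements do not say), or unparsable
classify_php_version() {
    # Keep only the leading MAJOR.MINOR.PATCH; drop distro suffixes such
    # as "-0ubuntu0.18.04.1" (constructed sample).
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }
    branch=${ver%.*}   # e.g. 7.2
    patch=${ver##*.}   # e.g. 10
    case "$branch" in
        7.2) fixed_patch=11 ;;
        7.1) fixed_patch=23 ;;
        *)   echo unknown; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed_patch" ]; then
        echo affected
    else
        echo fixed
    fi
}

# With --installed, classify the php CLI found on PATH (if any).
if [ "${1:-}" = "--installed" ]; then
    v=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || v=""
    echo "php ${v:-not found}: $(classify_php_version "$v")"
fi
```

A result of `unknown` for older or EOL branches reflects what the announcements leave unstated, so those hosts still need the additional research described above.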