PHP remote execution vulnerabilities - 2018-10-16 bulletin


This morning, we became aware of a couple of announcements from the Center for Internet Security that some recently discovered vulnerabilities in PHP have been publicly disclosed. These include a severe vulnerability that may allow for the remote injection and execution of arbitrary code on a webserver that uses PHP.

The problem exists in PHP 7.2 in versions before 7.2.11, and in PHP 7.1 before 7.1.23.  It is not clear from the announcements if the problem exists in older versions of PHP.

Recommendations

  • For PHP 7.x, we recommend applying all package updates for PHP as soon as they are available for your Linux distribution.
  • For older versions, especially PHP versions that are officially EOL'd, you may need to do more research to find out if your version of PHP is vulnerable or not. Either way, applying all package updates for PHP is highly advisable and recommended.
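
To triage a host against the version ranges above, the following added example (not part of the original bulletin) classifies a PHP version string using only the two fixed releases the bulletin names. The function names and the sample version strings in the comments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a PHP version against the fixed releases named in
# this bulletin (7.2.11 for the 7.2 branch, 7.1.23 for the 7.1 branch).

# classify_php_version VERSION prints one of:
#   affected     7.1.x or 7.2.x below the fixed release
#   fixed        7.1.x or 7.2.x at or above the fixed release
#   not-covered  any other branch (the bulletin does not say either way)
#   unparsed     the string does not start with MAJOR.MINOR.PATCH
classify_php_version() {
    # Keep only the leading MAJOR.MINOR.PATCH so distro-style suffixes such as
    # 7.2.10-0ubuntu0.18.04.1 (constructed sample) are still parsed.
    cpv_core=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$cpv_core" ]; then
        echo unparsed
        return 0
    fi
    cpv_branch=${cpv_core%.*}    # e.g. 7.2
    cpv_patch=${cpv_core##*.}    # e.g. 10
    case "$cpv_branch" in
        7.2) cpv_fixed=11 ;;
        7.1) cpv_fixed=23 ;;
        *)   echo not-covered; return 0 ;;
    esac
    if [ "$cpv_patch" -lt "$cpv_fixed" ]; then
        echo affected
    else
        echo fixed
    fi
}

# Report on the local interpreter, if a php CLI is installed.
check_local_php() {
    command -v php >/dev/null 2>&1 || { echo "php: not installed"; return 0; }
    clp_ver=$(php -r 'echo PHP_VERSION;' 2>/dev/null) || clp_ver=""
    echo "php ${clp_ver:-?}: $(classify_php_version "$clp_ver")"
}

check_local_php
```

Distribution packages often backport security fixes without changing the upstream version number, so confirm an `affected` result against the package changelog before treating the host as vulnerable. A `not-covered` result means only that the bulletin does not address that branch.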