Critical PHP Vulnerabilities Fixed: Secure Your Applications
Recently, multiple vulnerabilities have been discovered in PHP that could lead to denial of service, CRLF injection, or information disclosure. These issues have been patched in PHP 8.1.31, 8.2.26, and 8.3.14 versions, but earlier versions remain affected. Therefore, upgrading to the latest patched versions is essential for securing your applications.
Overview of PHP Vulnerabilities
CVE-2024-8929
A vulnerability in PHP versions 8.1.* (prior to 8.1.31), 8.2.* (prior to 8.2.26), and 8.3.* (prior to 8.3.14) allows a malicious MySQL server to exploit client interactions. By disclosing the client’s heap content, the attacker could access data from other SQL requests and potentially compromise information from different users on the same server.
CVE-2024-8932
Uncontrolled long string inputs to the ldap_escape()
function on 32-bit systems can lead to integer overflow and out-of-bounds writes. This PHP vulnerability, present in the same affected versions, could result in application crashes or undefined behavior.
CVE-2024-11233
An error in the convert.quoted-printable-decode filter can cause a buffer over-read by one byte. This issue may lead to crashes or the disclosure of memory contents under certain conditions.
CVE-2024-11234
Improper sanitization of URIs when using streams with a configured proxy and the request_fulluri option allows for HTTP request smuggling. This enables attackers to use the proxy to execute arbitrary HTTP requests originating from the server, potentially accessing restricted resources.
CVE-2024-11236
Similar to CVE-2024-8932, uncontrolled long string inputs to the ldap_escape() function on 32-bit systems can trigger integer overflow, causing application instability and undefined behavior.
Affected PHP Versions
These vulnerabilities affect all PHP 8.x versions prior to: 8.1.31, 8.2.26, and 8.3.14. Older PHP versions, including 5.x and 7.x, are also vulnerable. Users relying on outdated versions must take immediate action, as these will not receive official security updates. For Linux distributions still relying on these versions, security updates depend on the vendor’s support or third-party providers.
Organizations using end-of-life PHP versions face significant risks, as these versions no longer receive official security updates. TuxCare’s Endless Lifecycle Support for PHP can bridge this gap by providing extended security updates for legacy PHP versions, including 5.x to 7.x, and current releases.
TuxCare’s repository offers a seamless solution, allowing businesses to access and secure outdated PHP versions while they plan migrations. This ensures continued protection against vulnerabilities like those discussed above.
You can monitor the patch availability for PHP vulnerabilities in this CVE tracker.
Source: DSA 5819-1