PHP ELS fixes hundreds of security issues at launch

by DeShea Witcher

August 9, 2022 - VP of Marketing

If you’re reading this blog regularly, you’ll already know that unremedied security vulnerabilities open the door to cyberattacks. You’ll also know how tough it is to fix some of these vulnerabilities. For example: where a vulnerability is in an older version of a programming language and you’re still relying on that older language version for important workloads.

Thankfully, that’s the challenge we’re fixing with our new PHP Extended Lifecycle Support – a critical tool that helps you run your older PHP apps safely and securely. It’s just rolled out, and you can already fix hundreds of PHP security problems with it. Let’s take a look.

What is PHP extended lifecycle support (ELS)?

PHP, like any other component of the tech stack, accumulates vulnerabilities over time. Newly discovered flaws are eventually exploited in the wild, and hackers come to rely on those exploits to gain access to networks, probing systems for the presence of a known vulnerability. Each new version of PHP, in turn, brings fixes for known vulnerabilities.

Fixing these vulnerabilities is critical because, cumulatively, hundreds of unfixed vulnerabilities become a huge security hole. When the vulnerability is in a certain version of PHP, e.g. PHP 5.5, the only way to fix it is to upgrade the PHP version. But in many instances that is not a simple process, because a change of language version can require significant code adjustments.

PHP Extended Lifecycle Support supports your PHP code by fixing security issues at the language level, directly in the language package, without changing the way the language works. You fix the security vulnerabilities without changing any code in your apps and without risking your apps breaking.

Right now, our PHP ELS service already covers a very large list of vulnerabilities across multiple versions. For example, PHP 5.5 is still commonly used even though it is a relatively old version of PHP, and TuxCare PHP ELS can patch it for over 220 vulnerabilities.

Do I really need it?

Ask yourself this simple question: are you using an outdated version of PHP? Let’s say you are still using PHP 5.5. It’s a version of the language that has a couple of hundred unfixed vulnerabilities, which is not something you can ignore. If your organization cannot easily switch to an updated version of PHP, then you should seriously think about our ELS service for PHP.

Besides, over time, the existing list of vulnerabilities will only continue to grow, as new ones are identified and patched. For other versions of PHP, it is a similar situation, but different vulnerabilities affect each version.

As an example, take the bug outlined here on the PHP website. It’s the first one on the list below, and it means that specially crafted code raises the privileges of a user all the way to root, because of a flaw in PHP itself. It’s a major security risk, but it is easy to fix this flaw, and avoid the risk, thanks to TuxCare’s PHP ELS.

That’s true for all of the bugs we list below. We provide this list to give you insight into how effective PHP ELS from TuxCare already is, and to remind you of the many PHP vulnerabilities out in the wild. The bug numbers listed below are the identifiers used by the PHP bug tracker at https://bugs.php.net/bug.php, which records PHP bugs and vulnerabilities.

– Fix bug #81026: PHP-FPM oob R/W in root process leading to privilege escalation (CVE-2021-21703)
– Fix bug #79971: special character is breaking the path in xml function. (CVE-2021-21707)
– Fix bug #81305: Built-in Webserver Drops Requests With “Upgrade” Header.
– Fix bug #72595: php_output_handler_append illegal write access.
– Fix bug #81211: Symlinks are followed when creating PHAR archive.
– Fix bug in firebird_info_cb. (CVE-2021-21704)
– Fix bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
– Fix bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
– Fix bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)
– Fix bug #70091: Phar does not mark UTF-8 filenames in ZIP archives
– Fix bug #80719: Iterating after failed ArrayObject::setIteratorClass() causes Segmentation fault
– Fix bug #75850: Unclear error message wrt. __halt_compiler() w/o semicolon
– Fix bug #73533: Invalid memory access in php_libxml_xmlCheckUTF8
– Fix bug #66783: UAF when appending DOMDocument to element
– Fix bug #80672: Null Dereference in SoapClient. (CVE-2021-21702)
– Fix bug #73809: Phar Zip parse crash – mmap fail
– Fix bug #80366: Potential issue in ext/standard/iptc.c: Return Value Not Checked
– Fix bug #79699: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (CVE-2020-7070)
– Fix bug #80007: Potential type confusion in unixtojd() parameter parsing
– Fix bug #62890: default_socket_timeout=-1 causes connection to timeout
– Fix bug #70362: Can’t copy() large 'data://' with open_basedir
– Fix bug #73527: Invalid memory access in php_filter_strip
– Fix bug #74267: segfault with streams and invalid data
– Fix bug #79787: mb_strimwidth does not trim string
– Fix bug #79877: getimagesize function silently truncates after a null byte
– Fix bug #78221: DOMNode::normalize() doesn’t remove empty text nodes
– Fix bug #78875: Long variables cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #78876: Long variables in multipart/form-data cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #79497: stream_socket_client() throws an unknown error sometimes with <1s timeout
– Fix bug #79514: Memory leaks while including unexistent file
– Fix bug #79528: Different object of the same xml between 7.4.5 and 7.4.4
– Fix bug #61597: SXE properties may lack attributes and content
– Fix bug #74940: DateTimeZone loose comparison always true
– Fix bug #75673: SplStack::unserialize() behavior
– Fix bug #79200: Some iconv functions cut Windows-1258
– Fix bug #79296: ZipArchive::open fails on empty file
– Fix bug #79330: shell_exec() silently truncates after a null byte
– Fix bug #79364: When copy empty array, next key is unspecified
– Fix bug #79396: setting Date/Time during a forward DST transition
– Fix bug #79410: system() swallows last chunk if it is exactly 4095 bytes without newline
– Fix bug #79424: php_zip_glob uses gl_pathc after call to globfree
– Fix bug #79465: OOB Read in urldecode() (CVE-2020-7067)
– Fix bug #79078: Hypothetical use-after-free in curl_multi_add_handle
– Fix bug #79282: Use-of-uninitialized-value in exif (CVE-2020-7064)
– Fix bug #79329: get_headers silently truncates after a null byte (CVE-2020-7066)
– Fix bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` (CVE-2020-7060)
– Fix bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)
– Fix bug #79099: OOB read in php_strip_tags_ex (CVE-2020-7059)
– Fix bug #79221: Null Pointer Dereference in PHP Session Upload Progress (CVE-2020-7062)
– Fix bug #78793: Use-after-free in exif parsing under memory sanitizer
– Fix bug #78878: Buffer underflow in bc_shift_addsub. (CVE-2019-11046)
– Fix bug #78910: Heap-buffer-overflow READ in exif. (CVE-2019-11047)
– Fix bug #78863: DirectoryIterator class silently truncates after a nullbyte. (CVE-2019-11045)
– Fix bug #76342: file_get_contents waits twice specified timeout
– Fix bug #76859: stream_get_line skips data if used with data-generating filter
– Fix bug #78579: mb_decode_numericentity: args number inconsistency
– Fix bug #78599: env_path_info underflow can lead to RCE. (CVE-2019-11043)
– Fix bug #78380: Oniguruma 6.9.3 fixes CVEs. (CVE-2019-13224)
– Fix bug #69100: Bus error from stream_copy_to_stream
– Fix bug #75457: heap-use-after-free
– Fix bug #77946: Bad cURL resources returned by curl_multi_info_read
– Fix bug #78333: Exif crash (bus error) due to wrong alignment and invalid cast
– Fix bug #78342: Bus error in configure test for iconv //IGNORE
– Fix bug #78363: Buffer overflow in zendparse
– Fix bug #77124: FTP with SSL memory leak
– Fix bug #78192: PDO SQLite SegFault when reuse statement after schema has changed
– Fix bug #78212: Segfault in built-in webserver
– Fix bug #78222: heap-buffer-overflow on exif_scan_thumbnail
– Fix bug #78256: heap-buffer-overflow on exif_process_user_comment
– Fix bug #78279: libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)
– Fix bug #78291: Missing opcache directives
– Fix bug #77967: Bypassing open_basedir restrictions via file uris
– Fix bug #77973: Uninitialized read in gdImageCreateFromXbm
– Fix bug #77988: heap-buffer-overflow on php_jpg_get16
– Fix bug #78069: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
– Fix bug #50020: DateInterval:createDateFromString() silently fails
– Fix bug #76717: var_export() does not create a parsable value for PHP_INT_MIN
– Fix bug #77024: SplFileObject::__toString() may return array
– Fix bug #77664: Segmentation fault when using undefined constant in custom wrapper
– Fix bug #77677: WCOREDUMP not available on all systems
– Fix bug #77697: Crash on Big_Endian platform
– Fix bug #77700: Writing truecolor images as GIF ignores interlace flag
– Fix bug #77722: Incorrect IP set to $_SERVER['REMOTE_ADDR'] on the localhost
– Fix bug #77742: bcpow() implementation related to gcc compiler optimization
– Fix bug #77765: FTP stream wrapper should set the directory as executable
– Fix bug #77921: static.php.net doesn’t work anymore
– Fix bug #77934: php-fpm kill -USR2 not working
– Fix bug #77943: imageantialias($image, false); does not work
– Fix bug #77944: Wrong meta pdo_type for bigint on LLP64
– Fix bug #77945: Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH
– Fix bug #51068: glob:// do not support current path relative
– Fix bug #77390: feof might hang on TLS streams in case of fragmented TLS records
– Fix bug #77396: Null Pointer Dereference in phar_create_or_parse_filename
– Fix bug #77431: SplFileInfo::__construct() accepts NUL bytes
– Fix bug #77540: Invalid Read on exif_process_SOFn
– Fix bug #77546: iptcembed broken function
– Fix bug #77563: Uninitialized read in exif_process_IFD_in_MAKERNOTE
– Fix bug #77586: phar_tar_writeheaders_int() buffer overflow
– Fix bug #77630: safer rename() procedure
– Fix bug #77242: heap out of bounds read in xmlrpc_decode()
– Fix bug #77247: heap buffer overflow in phar_detect_phar_fname_ext
– Fix bug #77269: Potential unsigned underflow in gdImageScale
– Fix bug #77270: imagecolormatch Out Of Bounds Write on Heap
– Fix bug #77371: heap buffer overflow in mb regex functions – compile_string_node
– Fix bug #77380: Global out of bounds read in xmlrpc base64 code
– Fix bug #77418: Heap overflow in utf32be_mbc_to_code
– Fix bug #66828: iconv_mime_encode Q-encoding longer than it should be
– Fix bug #76800: foreach inconsistent if array modified during loop
– Fix bug #76901: method_exists on SPL iterator passthrough method corrupts memory
– Fix bug #76480: Use curl_multi_wait() so that timeouts are respected
– Fix bug #76832: ZendOPcache.MemoryBase periodically deleted by the
– Fix bug #75696: posix_getgrnam fails to print details of group
– Fix bug #74454: Wrong exception being thrown when using ReflectionMethod
– Fix bug #73457: Wrong error message when fopen FTP wrapped fails to open data connection
– Fix bug #74764: and add a test case
– Fix bug #76886: Can’t build xmlrpc with expat
– Fix bug #75273: php_zlib_inflate_filter() may not update bytes_consumed
– Fix bug #76505: array_merge_recursive() is duplicating sub-array keys
– Fix bug #76532: excessive memory usage in mb_strimwidth
– Fix bug #76548: pg_fetch_result did not fetch the next row
– Fix bug #76488: Memory leak when fetching a BLOB field
– Fix bug #73817: Incorrect entries in get_html_translation_table
– Fix bug #52974: jewish.c: compile error under Windows with GBK charset
– Fix bug #76665: SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn’t juggle
– Fix bug #75402: Possible Memory Leak using PDO::CURSOR_SCROLL option
– Fix bug #76335: “link(): Bad file descriptor” with non-ASCII path
– Fix bug #76704: mb_detect_order return value varies based on argument type
– Fix bug #72443: Generate enabled extension
– Fix bug #65988: Zlib version check fails
– Fix bug #68175: RegexIterator pregFlags are NULL instead of 0
– Fix bug #76296: openssl_pkey_get_public does not respect open_basedir
– Fix bug #68825: Exception in DirectoryIterator::getLinkTarget()
– Fix bug #55146: iconv_mime_decode_headers() skips some headers
– Fix bug #63839: iconv_mime_decode_headers function is skipping headers
– Fix bug #60494: iconv_mime_decode does ignore special characters
– Fix bug #68180: iconv_mime_decode can return extra characters in a header
– Fix bug #76367: NoRewindIterator segfault 11
– Fix bug #76383: array_map on $GLOBALS returns IS_INDIRECT
– Fix bug #73342: Vulnerability in php-fpm by changing stdin to non-blocking
– Fix bug #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
– Fix bug #76249: Stream filter convert.iconv leads to infinite loop on invalid sequence
– Fix bug #76248: LDAP-Server Response causes Crash
– Fix bug #76129: (CVE-2018-10547) Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file
– Fix bug #75981: Stack-buffer-overflow while parsing HTTP response
– Fix bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
– Fix bug #74782: Reflected XSS in .phar 404 page
– Fix bug #74145: wddx parsing empty boolean tag leads to SIGSEGV (CVE-2017-11143)
– Fix bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal() (CVE-2017-11144)
– Fix bug #74819: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)
– Fix bug #74435: Buffer over-read into uninitialized memory (CVE-2017-7890)
– Fix bug CVE-2017-9224: Buffer Overflow in match_at() (Oniguruma issue)
– Fix bug CVE-2017-9226: Heap corruption in next_state_val() in 15 encodings (Oniguruma issue)
– Fix bug CVE-2017-9227: Bug in mbc_enc_len() (Oniguruma issue)
– Fix bug CVE-2017-9228: Heap corruption in next_state_val() due to uninitialized local variable (Oniguruma issue)
– Fix bug CVE-2017-9229: SIGSEGV in left_adjust_char_head() due to bad dereference (Oniguruma issue)
– Fix bug #74087: Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)
– Fix bug #74603: PHP INI Parsing Stack Buffer Overflow Vulnerability
– Fix bug #69090: opcache: add prefix/xor to cache keys/check permissions or separate caches
– Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
– Fix bug #73764: Crash while loading hostile phar archive (CVE-2016-10159)
– Fix bug #73768: Memory corruption when loading hostile phar (CVE-2016-10160)
– Fix bug #73825: Heap out of bounds read on unserialize in finish_nested_data() (CVE-2016-10161)
– Fix bug #68447: grapheme_extract take an extra trailing character
– Fix bug #70213: Unserialize context shared on double class lookup
– Fix bug #73549: Use after free when stream is passed to imagepng
– Fix bug #73737: FPE when parsing a tag format (CVE-2016-10158)
– Fix bug #73773: Seg fault when loading hostile phar
– Fix bug #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
– Fix bug #73869: Signed Integer Overflow gd_io.c
– Fix bug #73452: Segfault (Regression for #69152)
– Fix bug #73631: Invalid read when wddx decodes empty boolean element
– Fix bug #73356: crash in bzcompress function
– Fix bug CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf
– Fix bug #72482: Illegal write/read access caused by gdImageAALine overflow
– Fix bug #72696: imagefilltoborder stackoverflow on truecolor images
– Fix bug #73418: Integer Overflow in “_php_imap_mail” leads Heap Overflow
– Fix bug #73144: Use-after-free in ArrayObject Deserialization
– Fix bug #73192: parse_url return wrong hostname
– Fix bug #73331: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
– Fix bug #73189: Memcpy negative size parameter php_resolve_path
– Fix bug #73147: Use After Free in unserialize()
– Fix bug #73190: memcpy negative parameter _bc_new_num_ex
– Fix bug #73150: missing NULL check in dom_document_save_html
– Fix bug #73284: heap overflow in php_ereg_replace function
– Fix bug CVE-2016-7568: Integer Overflow in gdImageWebpCtx of gd_webp.c
– Fix bug #73218: stack-buffer-overflow through “ResourceBundle” methods
– Fix bug #73208: integer overflow in imap_8bit caused heap corruption
– Fix bug #73082: string length overflow in mb_encode_* function
– Fix bug #73174: heap overflow in php_pcre_replace_impl
– Fix bug #73276: crash in openssl_random_pseudo_bytes function
– Fix bug #73275: crash in openssl_encrypt function
– Fix bug #73017: memory corruption in wordwrap function
– Fix bug #73240: Write out of bounds at number_format
– Fix bug #73073: CachingIterator null dereference when convert to string
– Fix bug #73293: NULL pointer dereference in SimpleXMLElement::asXML()
– Fix bug #73052: CVE-2016-7411: Memory Corruption in During Deserialized-object Destruction
– Fix bug #72293: CVE-2016-7412: Heap overflow in mysqlnd related to BIT fields
– Fix bug #72860: CVE-2016-7413: wddx_deserialize use-after-free
– Fix bug #72928: CVE-2016-7414: Out of bound when verify signature of zip phar in phar_parse_zipfile
– Fix bug #73007: CVE-2016-7416: SEH buffer overflow msgfmt_format_message
– Fix bug CVE-2016-7417: Missing type check when unserializing SplArray
– Fix bug CVE-2016-7418: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
– Fix bug #72837: integer overflow in bzdecompress caused heap corruption (bz2)
– Fix bug #70436: Use After Free Vulnerability in unserialize() (core)
– Fix bug #72024: microtime() leaks memory (core)
– Fix bug #72633: Create an Unexpected Object and Don’t Invoke __wakeup() in Deserialization (core)
– Fix bug #72681: PHP Session Data Injection Vulnerability (core)
– Fix bug #72807: integer overflow in curl_escape caused heap corruption (curl)
– Fix bug #72838: Integer overflow lead to heap corruption in sql_regcase (ereg)
– Fix bug #72697: select_colors write out-of-bounds (gd)
– Fix bug #72730: imagegammacorrect allows arbitrary write access (gd)
– Fix bug #72708: php_snmp_parse_oid integer overflow in memory allocation (snmp)
– Fix bug #72836: integer overflow in base64_decode caused heap corruption (standard)
– Fix bug #72848: integer overflow in quoted_printable_encode caused heap corruption (standard)
– Fix bug #72849: integer overflow in urlencode caused heap corruption (standard)
– Fix bug #72850: integer overflow in php_uuencode caused heap corruption (standard)
– Fix bug #72771: ftps:// wrapper is vulnerable to protocol downgrade attack (streams)
– Fix bug #72749: wddx_deserialize allows illegal memory access (wddx)
– Fix bug #72750: wddx_deserialize null dereference (wddx)
– Fix bug #72790: wddx_deserialize null dereference with invalid xml (wddx)
– Fix bug #72799: wddx_deserialize null dereference in php_wddx_pop_element (wddx)
– Fix bug #69288: Regression introduced in fix for bug 69085 leads to a segmentation fault
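A list like the one above is most useful when it can be matched against what a vulnerability scanner reports for a host. The following Python script is an added example, not code from TuxCare or the PHP project: it parses entries in the three shapes that occur in the list (a bug number with a trailing CVE, a bug number with the CVE in the description, and entries that carry only a CVE), builds an index from CVE to the bug fixes that address it, and splits a constructed set of scanner findings into those the fix list covers and those it does not. The sample entries are copied from the list above; the scanner findings and the placeholder CVE-1900-00001 are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Sample entries in the shape of the fix list above (constructed subset
# for the example; the three line styles found in the list are represented).
SAMPLE_FIX_LIST = """\
– Fix bug #81026: PHP-FPM oob R/W in root process leading to privilege escalation (CVE-2021-21703)
– Fix bug #73052: CVE-2016-7411: Memory Corruption in During Deserialized-object Destruction
– Fix bug CVE-2016-7417: Missing type check when unserializing SplArray
– Fix bug #78599: env_path_info underflow can lead to RCE. (CVE-2019-11043)
– Fix bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
– Fix bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
– Fix bug #72595: php_output_handler_append illegal write access.
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")
BUG_RE = re.compile(r"#(\d+)")
PREFIX_RE = re.compile(r"^[–-]\s*Fix bug\s*")  # leading dash and "Fix bug"


@dataclass
class FixEntry:
    bug_id: Optional[str]   # bugs.php.net number, or None when the entry names only a CVE
    cves: List[str]         # every CVE identifier found on the line, sorted
    description: str        # the remaining human-readable text


def parse_fix_list(text: str) -> List[FixEntry]:
    """Parse changelog-style lines into structured entries."""
    entries: List[FixEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        line = PREFIX_RE.sub("", line)
        bug_match = BUG_RE.match(line)
        bug_id = bug_match.group(1) if bug_match else None
        cves = sorted(set(CVE_RE.findall(line)))
        # Build the description by removing the bug number, the CVE tokens,
        # the empty parentheses they leave behind and stray punctuation.
        desc = BUG_RE.sub("", line, count=1) if bug_match else line
        desc = CVE_RE.sub("", desc)
        desc = re.sub(r"\(\s*\)", "", desc)
        desc = re.sub(r"\s{2,}", " ", desc).strip(" :.()")
        entries.append(FixEntry(bug_id, cves, desc))
    return entries


def cves_covered(entries: Iterable[FixEntry]) -> Dict[str, List[str]]:
    """Map each CVE to the bug ids whose fixes address it (one CVE may span several bugs)."""
    covered: Dict[str, List[str]] = {}
    for entry in entries:
        for cve in entry.cves:
            covered.setdefault(cve, []).append(entry.bug_id or "(no bug id)")
    return covered


def triage_scanner_findings(findings: Iterable[str],
                            entries: Iterable[FixEntry]) -> Tuple[List[str], List[str]]:
    """Split scanner-reported CVEs into those the fix list addresses and those it does not."""
    wanted = set(findings)
    covered = cves_covered(entries)
    addressed = sorted(cve for cve in wanted if cve in covered)
    unaddressed = sorted(cve for cve in wanted if cve not in covered)
    return addressed, unaddressed


if __name__ == "__main__":
    parsed = parse_fix_list(SAMPLE_FIX_LIST)
    # Constructed scanner output; CVE-1900-00001 is a placeholder, not a real identifier.
    scanner_findings = {"CVE-2021-21703", "CVE-2021-21704", "CVE-1900-00001"}
    done, remaining = triage_scanner_findings(scanner_findings, parsed)
    print("covered by the fix list:", done)
    print("still open:", remaining)
```

Entries without a CVE (such as the illegal-write fix for bug #72595) are kept in the parsed output even though they never match a scanner finding, since many of the memory-safety fixes in the list were never assigned a CVE and still matter when deciding whether a host is adequately patched.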

Every old version of PHP will have vulnerabilities. As you can see above, it could be hundreds of vulnerabilities. But yes, you could be stuck with that PHP version for some of your applications, and it’s a tough position to be in.

Thankfully, applying TuxCare’s PHP security fixes to a workload is simple. We provide a set of packages containing the latest security fixes but backported to be compatible with the specific PHP version that you need.

Simply swap out a couple of packages and your older PHP version is fully supported. Want to test drive PHP ELS from TuxCare? Talk to an expert today!
