ClickCease Two Critical PHP Vulnerabilities Fixed

Content Table

Join Our Popular Newsletter

Join 4,500+ Linux & Open Source Professionals!

2x a month. No spam.

Two Critical PHP Vulnerabilities Fixed

Rohan Timalsina

September 18, 2023 - TuxCare expert team

Recently, two critical security vulnerabilities have been addressed in PHP that could allow an attacker to steal sensitive information, cause a system crash, and execute arbitrary code in the affected machine. These vulnerabilities were caused by PHP’s improper handling of certain XML files (CVE-2023-3823) and certain PHAR files (CVE-2023-3824).

Both vulnerabilities were found in PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8. The new PHP updates have been made available to fix these high-severity vulnerabilities. Therefore, updating to the latest version as soon as possible is crucial to keep your system safe from risks associated with these exploitable vulnerabilities.


PHP Vulnerabilities Addressed


In PHP, various XML functions depend on the libxml global state to monitor configuration variables, including the loading of external entities. This global state is typically assumed to remain unchanged unless explicitly modified by the user through specific functions.

However, because this state is shared across the entire process, other modules, such as ImageMagick, operating within the same process may also interact with this library and modify the global state for their own internal purposes. Consequently, the global state may be left where external entity loading remains enabled.

This situation can result in the unintended parsing of external XML files with loaded external entities, potentially exposing sensitive local files accessible to PHP. This vulnerable state may persist across multiple requests within the same process until the process is terminated.



A potential security issue arises during the loading of phar files. Specifically, when reading PHAR (PHP Archive) directory entries, inadequate length validation may trigger a stack buffer overflow. This overflow has the potential to result in memory corruption or even enable Remote Code Execution (RCE) attacks.


PHP Extended Lifecycle Support

Every codebase, including PHP, has vulnerabilities. Consequently, your websites may face application attacks and exploitation attempts. When a manufacturer discontinues a product, they stop providing support for your current PHP version. Tuxcare’s PHP Extended Lifecycle Support offers a quick solution by providing ongoing security updates, even after the official support has ended.

TuxCare has already released the security patch for the above vulnerabilities for their extended lifecycle support Linux distributions, including CentOS 6, CentOS 8.4, CentOS 8.5, CloudLinux6, Oracle Linux 6, Ubuntu 16.04, and Ubuntu 18.04.

Additionally, PHP Extended Lifecycle Support offers exceptional flexibility by enabling the side-by-side operation of multiple PHP versions on the same system. This feature empowers you to host multiple websites running on distinct PHP versions without encountering compatibility issues. Read more here.


The sources for this article include a story from LinuxSecurity.

Two Critical PHP Vulnerabilities Fixed
Article Name
Two Critical PHP Vulnerabilities Fixed
Two critical PHP vulnerabilities have been addressed that could allow an attacker to steal sensitive information and execute arbitrary code.
Publisher Name
Publisher Logo

Looking to automate vulnerability patching without kernel reboots, system downtime, or scheduled maintenance windows?

Learn About Live Patching with TuxCare

Become a TuxCare Guest Writer

Get started




Linux & Open Source

Subscribe to
our newsletter