Two Critical PHP Vulnerabilities Fixed
Recently, two critical security vulnerabilities have been addressed in PHP that could allow an attacker to steal sensitive information, crash the system, or execute arbitrary code on the affected machine. The vulnerabilities stem from PHP's improper handling of certain XML input (CVE-2023-3823) and certain PHAR files (CVE-2023-3824).
Both vulnerabilities were found in PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8. The new PHP updates have been made available to fix these high-severity vulnerabilities. Therefore, updating to the latest version as soon as possible is crucial to keep your system safe from risks associated with these exploitable vulnerabilities.
PHP Vulnerabilities Addressed
In PHP, various XML functions depend on the libxml global state to track configuration settings, including whether external entities are loaded. This global state is normally assumed to remain unchanged unless the user explicitly modifies it through specific functions.
However, because this state is shared across the entire process, other modules running in the same process, such as ImageMagick, may also use this library and modify the global state for their own internal purposes. As a result, the global state may be left in a condition where external entity loading remains enabled.
This can lead to untrusted XML being parsed with external entities enabled, potentially exposing sensitive local files that PHP can read. The vulnerable state may persist across multiple requests within the same process until that process is terminated.
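The hardening below is an added example, not code from the article or from the PHP project: it parses untrusted XML without relying on libxml's process-wide entity setting. The helper name `parseUntrustedXml` is hypothetical; the version update named above remains the actual fix.

```php
<?php
// Added example (not part of the original article or the PHP project).
// Parses untrusted XML without trusting libxml's process-wide
// external-entity state, which another module in the same process
// (e.g. ImageMagick) may have changed.

/**
 * Returns the parsed DOMDocument, or null if the input fails to parse
 * or carries a DOCTYPE (the only place entities can be declared).
 * Hypothetical helper name.
 */
function parseUntrustedXml(string $xml): ?DOMDocument
{
    // Refuse every external entity/DTD load at the PHP level. This is
    // defence in depth only: if the libxml global loader has already
    // been swapped out by another module, the DOCTYPE check below is
    // the control that still holds.
    libxml_set_external_entity_loader(
        function ($publicId, $systemId, $context) {
            return null; // null tells libxml the resource is unavailable
        }
    );
    libxml_use_internal_errors(true);

    try {
        $doc = new DOMDocument();
        // LIBXML_NONET blocks network fetches. Never add LIBXML_NOENT or
        // LIBXML_DTDLOAD when the input is untrusted.
        if (!$doc->loadXML($xml, LIBXML_NONET)) {
            return null;
        }
        // Any DOCTYPE (internal or external subset) is rejected outright,
        // so no entity declaration can ever be processed.
        if ($doc->doctype !== null) {
            return null;
        }
        return $doc;
    } finally {
        libxml_clear_errors();
        libxml_set_external_entity_loader(null); // restore default loader
    }
}

// Constructed inputs for demonstration.
$withDoctype = '<?xml version="1.0"?><!DOCTYPE d [<!ENTITY e "x">]><d>&e;</d>';
$plain       = '<?xml version="1.0"?><d><item>ok</item></d>';

var_dump(parseUntrustedXml($withDoctype) === null); // bool(true): rejected
var_dump(parseUntrustedXml($plain) instanceof DOMDocument); // bool(true)
```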
A separate security issue arises when loading PHAR files. Specifically, when reading PHAR (PHP Archive) directory entries, inadequate length validation can trigger a stack buffer overflow. This overflow can result in memory corruption or even enable Remote Code Execution (RCE).
PHP Extended Lifecycle Support
Every codebase, including PHP, has vulnerabilities. Consequently, your websites may face application attacks and exploitation attempts. When a vendor discontinues a product, it stops providing support for your current PHP version. TuxCare's PHP Extended Lifecycle Support offers a quick solution by providing ongoing security updates even after official support has ended.
TuxCare has already released security patches for the above vulnerabilities for its Extended Lifecycle Support Linux distributions, including CentOS 6, CentOS 8.4, CentOS 8.5, CloudLinux 6, Oracle Linux 6, Ubuntu 16.04, and Ubuntu 18.04.
Additionally, PHP Extended Lifecycle Support offers exceptional flexibility by enabling the side-by-side operation of multiple PHP versions on the same system. This feature empowers you to host multiple websites running on distinct PHP versions without encountering compatibility issues. Read more here.
The sources for this article include a story from LinuxSecurity.