Support technique
Documentation
Connexion
Nous contacter
PHP ELS corrige des centaines de problèmes de sécurité lors de son lancement
DeShea Witcher
9 août 2022 - Vice-président du marketing
Si vous lisez régulièrement ce blog, vous savez déjà que les failles de sécurité non corrigées ouvrent la porte aux cyberattaques. Vous savez également à quel point il est difficile de corriger certaines de ces vulnérabilités. Par exemple, lorsqu'une vulnérabilité se trouve dans une ancienne version d'un langage de programmation et que vous vous appuyez toujours sur cette ancienne version pour des charges de travail importantes.
Heureusement, c'est le défi que nous relevons avec notre nouveau support étendu du cycle de vie de PHP - un outil essentiel qui vous aide à exécuter vos anciennes applications PHP en toute sécurité. Il vient d'être déployé et vous pouvez déjà résoudre des centaines de problèmes de sécurité PHP grâce à lui. Voyons cela de plus près.
Qu'est-ce que le support étendu du cycle de vie de PHP (ELS) ?
PHP, comme tout autre composant de la pile technologique, accumule les vulnérabilités au fil du temps. Les nouvelles failles qui apparaissent sont finalement exploitées dans la nature, et les pirates commencent à s'appuyer sur ces exploits pour accéder aux réseaux - en sondant les systèmes pour détecter la présence d'une vulnérabilité connue. Cela dit, chaque nouvelle version de PHP apporte des correctifs aux vulnérabilités connues.
La correction de ces vulnérabilités est essentielle car, cumulativement, des centaines de vulnérabilités non corrigées constituent une énorme faille de sécurité. Lorsque la vulnérabilité se trouve dans une certaine version de PHP, par exemple PHP 5.5, la seule façon de la corriger est de mettre à niveau la version de PHP. Mais dans de nombreux cas, ce n'est pas un processus simple étant donné que les changements de version du langage peuvent nécessiter des ajustements importants du code.
Le support étendu du cycle de vie de PHP fournit un support à votre code PHP en corrigeant les problèmes de sécurité au niveau du langage - directement dans le paquetage du langage. Cependant, il le fait sans changer la façon dont le langage fonctionne. Cela signifie que vous corrigez les vulnérabilités de sécurité sans modifier le code de vos applications et sans risquer de les casser.
Actuellement, notre service PHP ELS couvre déjà une très large liste de vulnérabilités, sur plusieurs versions différentes. Par exemple, PHP 5.5 est encore couramment utilisé même s'il s'agit d'une version relativement ancienne de PHP - et TuxCare PHP ELS peut le corriger pour plus de 220 vulnérabilités.
En ai-je vraiment besoin.... ?
Posez-vous cette simple question : utilisez-vous une version obsolète de PHP ? Disons que vous utilisez toujours PHP 5.5. Il s'agit d'une version du langage qui présente quelques centaines de vulnérabilités non corrigées, ce que vous ne pouvez ignorer. Si votre organisation ne peut pas facilement passer à une version actualisée de PHP, vous devriez sérieusement envisager notre service ELS pour PHP.
De plus, au fil du temps, la liste des vulnérabilités existantes ne fera que s'allonger, à mesure que de nouvelles seront identifiées et corrigées. Pour les autres versions de PHP, la situation est similaire, mais des vulnérabilités différentes affectent chaque version.
Prenons l'exemple du bogue décrit ici sur le site Web de PHP. C'est le premier de la liste ci-dessous, et il signifie qu'un code spécialement conçu élève les privilèges d'un utilisateur jusqu'à l'utilisateur root - et cela à cause d'une faille dans PHP. Il s'agit d'un risque de sécurité majeur, mais il est facile de corriger cette faille - et d'éviter ce risque - grâce à l'ELS PHP de TuxCare.
C'est vrai pour tous les bogues que nous listons ci-dessous. Nous fournissons cette liste pour vous donner un aperçu de l'efficacité de PHP ELS de TuxCare - et pour vous rappeler les nombreuses vulnérabilités PHP qui existent dans la nature. Les numéros de bogues listés ci-dessous font référence à l'identifiant indiqué sur https://bugs.php.net/bug.php qui est un référentiel des vulnérabilités PHP.
– Fix bug #81026: PHP-FPM oob R/W in root process leading to privilege escalation (CVE-2021-21703)
– Fix bug #79971: special character is breaking the path in xml function. (CVE-2021-21707)
– Fix bug #81305: Built-in Webserver Drops Requests With “Upgrade” Header.
– Fix bug #72595: php_output_handler_append illegal write access.
– Fix bug #81211: Symlinks are followed when creating PHAR archive.(cmb)in firebird_info_cb. (CVE-2021-21704)
– Fix bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
– Fix bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
– Fix bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)
– Fix bug #70091: Phar does not mark UTF-8 filenames in ZIP archives
– Fix bug #80719: Iterating after failed ArrayObject::setIteratorClass() causes Segmentation fault
– Fix bug #75850: Unclear error message wrt. __halt_compiler() w/o semicolon
– Fix bug #73533: Invalid memory access in php_libxml_xmlCheckUTF8
– Fix bug #66783: UAF when appending DOMDocument to element
– Fix bug #80672: Null Dereference in SoapClient. (CVE-2021-21702)
– Fix bug #73809: Phar Zip parse crash – mmap fail
– Fix bug #80366: Potential issue in ext/standard/iptc.c: Return Value Not Checked
– Fix bug #79699: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (CVE-2020-7070)
– Fix bug #80007: Potential type confusion in unixtojd() parameter parsing
– Fix bug #62890: default_socket_timeout=-1 causes connection to timeout
– Fix bug #70362: Can’t copy() large ‘data://’ with open_basedir
– Fix bug #73527: Invalid memory access in php_filter_strip
– Fix bug #74267: segfault with streams and invalid data
– Fix bug #79787: mb_strimwidth does not trim string
– Fix bug #79877: getimagesize function silently truncates after a null byte
– Fix bug #78221: DOMNode::normalize() doesn’t remove empty text nodes
– Fix bug #78875: Long variables cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #78876: Long variables in multipart/form-data cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #79497: stream_socket_client() throws an unknown error sometimes with <1s timeout
– Fix bug #79514: Memory leaks while including unexistent file
– Fix bug #79528: Different object of the same xml between 7.4.5 and 7.4.4
– Fix bug #61597: SXE properties may lack attributes and content
– Fix bug #74940: DateTimeZone loose comparison always true
– Fix bug #75673: SplStack::unserialize() behavior
– Fix bug #79200: Some iconv functions cut Windows-1258
– Fix bug #79296: ZipArchive::open fails on empty file
– Fix bug #79330: shell_exec() silently truncates after a null byte
– Fix bug #79364: When copy empty array, next key is unspecified
– Fix bug #79396: setting Date/Time during a forward DST transition
– Fix bug #79410: system() swallows last chunk if it is exactly 4095 bytes without newline
– Fix bug #79424: php_zip_glob uses gl_pathc after call to globfree
– Fix bug #79465: OOB Read in urldecode() (CVE-2020-7067)
– Fix bug #79078: Hypothetical use-after-free in curl_multi_add_handle
– Fix bug #79282: Use-of-uninitialized-value in exif (CVE-2020-7064)
– Fix bug #79329: get_headers silently truncates after a null byte (CVE-2020-7066)
– Fix bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` (CVE-2020-7060)
– Fix bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)
– Fix bug #79099: OOB read in php_strip_tags_ex (CVE-2020-7059)
– Fix bug #79221: Null Pointer Dereference in PHP Session Upload Progress (CVE-2020-7062)
– Fix bug #78793: Use-after-free in exif parsing under memory sanitizer
– Fix bug #78878: Buffer underflow in bc_shift_addsub. (CVE-2019-11046)
– Fix bug #78910: Heap-buffer-overflow READ in exif. (CVE-2019-11047)
– Fix bug #78863: DirectoryIterator class silently truncates after a nullbyte. (CVE-2019-11045)
– Fix bug #76342: file_get_contents waits twice specified timeout
– Fix bug #76859: stream_get_line skips data if used with data-generating filter
– Fix bug #78579: mb_decode_numericentity: args number inconsistency
– Fix bug #78599: env_path_info underflow can lead to RCE. (CVE-2019-11043)
– Fix bug #78380: Oniguruma 6.9.3 fixes CVEs. (CVE-2019-13224)
– Fix bug #69100: Bus error from stream_copy_to_stream
– Fix bug #75457: heap-use-after-free
– Fix bug #77946: Bad cURL resources returned by curl_multi_info_read
– Fix bug #78333: Exif crash (bus error) due to wrong alignment and invalid cast
– Fix bug #78342: Bus error in configure test for iconv //IGNORE
– Fix bug #78363: Buffer overflow in zendparse
– Fix bug #77124: FTP with SSL memory leak
– Fix bug #78192: PDO SQLite SegFault when reuse statement after schema has changed
– Fix bug #78212: Segfault in built-in webserver
– Fix bug #78222: heap-buffer-overflow on exif_scan_thumbnail
– Fix bug #78256: heap-buffer-overflow on exif_process_user_comment
– Fix bug #78279: libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)
– Fix bug #78291: Missing opcache directives
– Fix bug #77967: Bypassing open_basedir restrictions via file uris
– Fix bug #77973: Uninitialized read in gdImageCreateFromXbm
– Fix bug #77988: heap-buffer-overflow on php_jpg_get16
– Fix bug #78069: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
– Fix bug #50020: DateInterval:createDateFromString() silently fails
– Fix bug #76717: var_export() does not create a parsable value for PHP_INT_MIN
– Fix bug #77024: SplFileObject::__toString() may return array
– Fix bug #77664: Segmentation fault when using undefined constant in custom wrapper
– Fix bug #77677: WCOREDUMP not available on all systems
– Fix bug #77697: Crash on Big_Endian platform
– Fix bug #77700: Writing truecolor images as GIF ignores interlace flag
– Fix bug #77722: Incorrect IP set to $_SERVER[‘REMOTE_ADDR’] on the localhost
– Fix bug #77742: bcpow() implementation related to gcc compiler optimization
– Fix bug #77765: FTP stream wrapper should set the directory as executable
– Fix bug #77921: static.php.net doesn’t work anymore
– Fix bug #77934: php-fpm kill -USR2 not working
– Fix bug #77943: imageantialias($image, false); does not work
– Fix bug #77944: Wrong meta pdo_type for bigint on LLP64
– Fix bug #77945: Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH
– Fix bug #51068: glob:// do not support current path relative
– Fix bug #77390: feof might hang on TLS streams in case of fragmented TLS records)
– Fix bug #77396: Null Pointer Dereference in phar_create_or_parse_filename
– Fix bug #77431: SplFileInfo::__construct() accepts NUL bytes
– Fix bug #77540: Invalid Read on exif_process_SOFn
– Fix bug #77546: iptcembed broken function
– Fix bug #77563: Uninitialized read in exif_process_IFD_in_MAKERNOTE
– Fix bug #77586: phar_tar_writeheaders_int() buffer overflow
– Fix bug #77630: safer rename() procedure
– Fix bug #77242: heap out of bounds read in xmlrpc_decode()
– Fix bug #77247: heap buffer overflow in phar_detect_phar_fname_ext
– Fix bug #77269: Potential unsigned underflow in gdImageScale
– Fix bug #77270: imagecolormatch Out Of Bounds Write on Heap
– Fix bug #77371: heap buffer overflow in mb regex functions – compile_string_node
– Fix bug #77380: Global out of bounds read in xmlrpc base64 code
– Fix bug #77418: Heap overflow in utf32be_mbc_to_code
– Fix bug #66828: iconv_mime_encode Q-encoding longer than it should be
– Fix bug #76800: foreach inconsistent if array modified during loop)
– Fix bug #76901: method_exists on SPL iterator passthrough method corrupts memory
– Fix bug #76480: Use curl_multi_wait() so that timeouts are respected
– Fix bug #76832: ZendOPcache.MemoryBase periodically deleted by the
– Fix bug #75696: posix_getgrnam fails to print details of group
– Fix bug #74454: Wrong exception being thrown when using ReflectionMethod
– Fix bug #73457: Wrong error message when fopen FTP wrapped fails to open data connection
– Fix bug #74764: and add a test case
– Fix bug #76886: Can’t build xmlrpc with expat
– Fix bug #75273: php_zlib_inflate_filter() may not update bytes_consumed
– Fix bug #76505: array_merge_recursive() is duplicating sub-array keys
– Fix bug #76532: excessive memory usage in mb_strimwidth
– Fix bug #76548: pg_fetch_result did not fetch the next row
– Fix bug #76488: Memory leak when fetching a BLOB field
– Fix bug #73817: Incorrect entries in get_html_translation_table
– Fix bug #52974: jewish.c: compile error under Windows with GBK charset
– Fix bug #76665: SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn’t juggle
– Fix bug #75402: Possible Memory Leak using PDO::CURSOR_SCROLL option
– Fix bug #76335: “link(): Bad file descriptor” with non-ASCII path
– Fix bug #76704: mb_detect_order return value varies based on argument type
– Fix bug #72443: Generate enabled extension
– Fix bug #65988: Zlib version check fails
– Fix bug #68175: RegexIterator pregFlags are NULL instead of 0
– Fix bug #76296: openssl_pkey_get_public does not respect open_basedir
– Fix bug #68825: Exception in DirectoryIterator::getLinkTarget()
– Fix bug #55146: iconv_mime_decode_headers() skips some headers
– Fix bug #63839: iconv_mime_decode_headers function is skipping headers
– Fix bug #60494: iconv_mime_decode does ignore special characters
– Fix bug #68180: iconv_mime_decode can return extra characters in a header
– Fix bug #76367: NoRewindIterator segfault 11
– Fix bug #76383: array_map on $GLOBALS returns IS_INDIRECT
– Fix bug #73342: Vulnerability in php-fpm by changing stdin to non-blocking
– Fix bug #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
– Fix bug #76249: Stream filter convert.iconv leads to infinite loop on invalid sequence
– Fix bug #76248: LDAP-Server Response causes Crash
– Fix bug #76129: (CVE-2018-10547) Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file
– Fix bug #75981: Stack-buffer-overflow while parsing HTTP response
– Fix bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
– Fix bug #74782: Reflected XSS in .phar 404 page
– Fix bug #74145: wddx parsing empty boolean tag leads to SIGSEGV (CVE-2017-11143)
– Fix bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal() (CVE-2017-11144)
– Fix bug #74819: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)
– Fix bug #74435: Buffer over-read into uninitialized memory (CVE-2017-7890)
– Fix bug CVE-2017-9224: Buffer Overflow in match_at() (Oniguruma issue)
– Fix bug CVE-2017-9226: Heap corruption in next_state_val() in 15 encodings (Oniguruma issue)
– Fix bug CVE-2017-9227: Bug in mbc_enc_len() (Oniguruma issue)
– Fix bug CVE-2017-9228: Heap corruption in next_state_val() due to uninitialized local variable (Oniguruma issue)
– Fix bug CVE-2017-9229: SIGSEGV in left_adjust_char_head() due to bad dereference (Oniguruma issue)
– Fix bug #74087: Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)
– Fix bug #74603: PHP INI Parsing Stack Buffer Overflow Vulnerability
– Fix bug #69090: opcache: add prefix/xor to cache keys/check permissions or separate caches
– Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
– Fix bug #73764: Crash while loading hostile phar archive (CVE-2016-10159)
– Fix bug #73768: Memory corruption when loading hostile phar (CVE-2016-10160)
– Fix bug #73825: Heap out of bounds read on unserialize in finish_nested_data() (CVE-2016-10161)
– Fix bug #68447: grapheme_extract take an extra trailing character
– Fix bug #70213: Unserialize context shared on double class lookup
– Fix bug #73549: Use after free when stream is passed to imagepng
– Fix bug #73737: FPE when parsing a tag format (CVE-2016-10158)
– Fix bug #73773: Seg fault when loading hostile phar
– Fix bug #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
– Fix bug #73869: Signed Integer Overflow gd_io.c
– Fix bug #73452: Segfault (Regression for #69152)
– Fix bug #73631: Invalid read when wddx decodes empty boolean element
– Fix bug #73356: crash in bzcompress function
– Fix bug CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf
– Fix bug #72482: Illegal write/read access caused by gdImageAALine overflow
– Fix bug #72696: imagefilltoborder stackoverflow on truecolor images
– Fix bug #73418: Integer Overflow in “_php_imap_mail” leads Heap Overflow
– Fix bug #73144: Use-after-free in ArrayObject Deserialization
– Fix bug #73192: parse_url return wrong hostname
– Fix bug #73331: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
– Fix bug #73189: Memcpy negative size parameter php_resolve_path
– Fix bug #73147: Use After Free in unserialize()
– Fix bug #73190: memcpy negative parameter _bc_new_num_ex
– Fix bug #73150: missing NULL check in dom_document_save_html
– Fix bug #73284: heap overflow in php_ereg_replace function
– Fix bug CVE-2016-7568: Integer Overflow in gdImageWebpCtx of gd_webp.c
– Fix bug #73218: stack-buffer-overflow through “ResourceBundle” methods
– Fix bug #73208: integer overflow in imap_8bit caused heap corruption
– Fix bug #73082: string length overflow in mb_encode_* function
– Fix bug #73174: heap overflow in php_pcre_replace_impl
– Fix bug #73276: crash in openssl_random_pseudo_bytes function
– Fix bug #73275: crash in openssl_encrypt function
– Fix bug #73017: memory corruption in wordwrap function
– Fix bug #73240: Write out of bounds at number_format
– Fix bug #73073: CachingIterator null dereference when convert to string
– Fix bug #73293: NULL pointer dereference in SimpleXMLElement::asXML()
– Fix bug #73052: CVE-2016-7411: Memory Corruption in During Deserialized-object Destruction
– Fix bug #72293: CVE-2016-7412: Heap overflow in mysqlnd related to BIT fields
– Fix bug #72860: CVE-2016-7413: wddx_deserialize use-after-free
– Fix bug #72928: CVE-2016-7414: Out of bound when verify signature of zip phar in phar_parse_zipfile
– Fix bug #73007: CVE-2016-7416: SEH buffer overflow msgfmt_format_message
– Fix bug CVE-2016-7417: Missing type check when unserializing SplArray
– Fix bug CVE-2016-7418: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
– Fix bug #72837: integer overflow in bzdecompress caused heap corruption (bz2)
– Fix bug #70436: Use After Free Vulnerability in unserialize() (core)
– Fix bug #72024: microtime() leaks memory (core)
– Fix bug #72633: Create an Unexpected Object and Don’t Invoke __wakeup() in Deserialization (core)
– Fix bug #72681: PHP Session Data Injection Vulnerability (core)
– Fix bug #72807: integer overflow in curl_escape caused heap corruption (curl)
– Fix bug #72838: Integer overflow lead to heap corruption in sql_regcase (ereg)
– Fix bug #72697: select_colors write out-of-bounds (gd)
– Fix bug #72730: imagegammacorrect allows arbitrary write access (gd)
– Fix bug #72708: php_snmp_parse_oid integer overflow in memory allocation (snmp)
– Fix bug #72836: integer overflow in base64_decode caused heap corruption (standard)
– Fix bug #72848: integer overflow in quoted_printable_encode caused heap corruption (standard)
– Fix bug #72849: integer overflow in urlencode caused heap corruption (standard)
– Fix bug #72850: integer overflow in php_uuencode caused heap corruption (standard)
– Fix bug #72771: ftps:// wrapper is vulnerable to protocol downgrade attack (streams)
– Fix bug #72749: wddx_deserialize allows illegal memory access (wddx)
– Fix bug #72750: wddx_deserialize null dereference (wddx)
– Fix bug #72790: wddx_deserialize null dereference with invalid xml (wddx)
– Fix bug #72799: wddx_deserialize null dereference in php_wddx_pop_element (wddx)
– Fix bug #69288: Regression introduced in fix for bug 69085 leads to a segmentation fault
Toute ancienne version de PHP comporte des vulnérabilités. Comme vous pouvez le voir ci-dessus, il peut y avoir des centaines de vulnérabilités. Mais oui, vous pourriez être coincé avec cette version de PHP pour certaines de vos applications, et c'est une position difficile à prendre.
Heureusement, appliquer les correctifs de sécurité PHP de TuxCare à une charge de travail est simple. Nous fournissons un ensemble de paquets contenant les derniers correctifs de sécurité mais rétroportés pour être compatibles avec la version spécifique de PHP dont vous avez besoin.
Il suffit de changer quelques paquets pour que votre ancienne version de PHP soit entièrement prise en charge. Vous voulez tester PHP ELS de TuxCare ? Parlez-en à un expert dès aujourd'hui!
