이 블로그를 정기적으로 읽고 계신다면 해결되지 않은 보안 취약점이 사이버 공격의 문을 열어준다는 사실을 이미 알고 계실 것입니다. 또한 이러한 취약점 중 일부를 수정하는 것이 얼마나 어려운지도 잘 알고 계실 것입니다. 예를 들어, 이전 버전의 프로그래밍 언어에 취약점이 있는데 중요한 워크로드에 여전히 이전 언어 버전에 의존하고 있는 경우를 들 수 있습니다.

다행히도 이러한 문제를 해결하기 위해 새로운 PHP Lifecycle 연장 지원이라는 중요한 도구를 통해 구형 PHP 앱을 안전하게 실행할 수 있도록 도와드리고 있습니다. 이제 막 출시되었으며 이미 수백 가지의 PHP 보안 문제를 해결할 수 있습니다. 지금 바로 살펴보세요.

PHP Lifecycle 연장 지원(ELS)이란 무엇인가요?

PHP는 기술 스택의 다른 구성 요소와 마찬가지로 시간이 지남에 따라 취약점이 누적됩니다. 새로운 결함이 발견되면 결국 야생에서 악용되고 해커는 이러한 악용을 통해 네트워크에 액세스하기 시작하여 시스템에 알려진 취약점이 있는지 조사합니다. 즉, 모든 새 버전의 PHP는 알려진 취약점에 대한 수정 사항을 제공합니다.

이러한 취약점을 수정하는 것이 중요한 이유는 수정되지 않은 수백 개의 취약점이 누적되면 거대한 보안 구멍이 되기 때문입니다. 취약점이 특정 버전의 PHP(예: PHP 5.5)에 있는 경우 이를 수정하는 유일한 방법은 PHP 버전을 업그레이드하는 것입니다. 하지만 언어 버전을 변경하면 코드를 크게 조정해야 하는 경우가 많기 때문에 이 과정이 간단하지 않은 경우가 많습니다.

PHP Lifecycle 연장 지원은 언어 패키지에서 직접 언어 수준에서 보안 문제를 해결하여 PHP 코드를 지원합니다. 하지만 해당 언어의 작동 방식은 변경하지 않습니다. 즉, 앱의 코드를 변경하지 않고 앱이 중단될 위험 없이 보안 취약점을 수정할 수 있습니다.

현재 저희 PHP ELS 서비스는 이미 여러 버전에 걸쳐 매우 광범위한 취약점 목록을 커버하고 있습니다. 예를 들어, PHP 5.5는 비교적 오래된 버전임에도 불구하고 여전히 일반적으로 사용되고 있으며, TuxCare PHP ELS는 220개 이상의 취약점에 대한 패치가 가능합니다.

정말 필요한가요....?

스스로에게 간단한 질문을 던져보세요. 오래된 버전의 PHP를 사용하고 계신가요? 아직 PHP 5.5를 사용하고 있다고 가정해 봅시다. 이 언어 버전에는 수백 가지의 미해결 취약점이 있으며 이는 무시할 수 없는 수준입니다. 조직에서 업데이트된 버전의 PHP로 쉽게 전환할 수 없는 경우라면 당사의 PHP용 ELS 서비스에 대해 진지하게 고려해야 합니다.

게다가 시간이 지남에 따라 새로운 취약점이 식별되고 패치가 적용됨에 따라 기존 취약점 목록은 계속 늘어날 수밖에 없습니다. 다른 버전의 PHP도 비슷한 상황이지만 각 버전마다 다른 취약점이 영향을 미칩니다.

예를 들어, 여기 PHP 웹사이트에 설명된 버그를 살펴보겠습니다. 아래 목록의 첫 번째 버그는 특수하게 만들어진 코드가 사용자의 권한을 루트 권한까지 상승시키는 것으로, 이는 PHP의 결함 때문입니다. 이는 중대한 보안 위험이지만 TuxCare의 PHP ELS 덕분에 이 결함을 쉽게 수정하고 위험을 피할 수 있습니다.

아래에 나열한 모든 버그가 이에 해당합니다. 이 목록은 TuxCare의 PHP ELS가 이미 얼마나 효과적인지에 대한 인사이트를 제공하고, 야생에 존재하는 많은 PHP 취약점을 상기시키기 위해 제공합니다. 아래 나열된 버그 번호는 PHP 취약점 리포지토리인 https://bugs.php.net/bug.php 에 표시된 식별자를 참조합니다.

– Fix bug #81026: PHP-FPM oob R/W in root process leading to privilege escalation (CVE-2021-21703)
– Fix bug #79971: special character is breaking the path in xml function. (CVE-2021-21707)
– Fix bug #81305: Built-in Webserver Drops Requests With “Upgrade” Header.
– Fix bug #72595: php_output_handler_append illegal write access.
– Fix bug #81211: Symlinks are followed when creating PHAR archive.(cmb)in firebird_info_cb. (CVE-2021-21704)
– Fix bug #76449: SIGSEGV in firebird_handle_doer. (CVE-2021-21704)
– Fix bug #76450: SIGSEGV in firebird_stmt_execute. (CVE-2021-21704)
– Fix bug #76452: Crash while parsing blob data in firebird_fetch_blob. (CVE-2021-21704)
– Fix bug #70091: Phar does not mark UTF-8 filenames in ZIP archives
– Fix bug #80719: Iterating after failed ArrayObject::setIteratorClass() causes Segmentation fault
– Fix bug #75850: Unclear error message wrt. __halt_compiler() w/o semicolon
– Fix bug #73533: Invalid memory access in php_libxml_xmlCheckUTF8
– Fix bug #66783: UAF when appending DOMDocument to element
– Fix bug #80672: Null Dereference in SoapClient. (CVE-2021-21702)
– Fix bug #73809: Phar Zip parse crash – mmap fail
– Fix bug #80366: Potential issue in ext/standard/iptc.c: Return Value Not Checked
– Fix bug #79699: PHP parses encoded cookie names so malicious `__Host-` cookies can be sent (CVE-2020-7070)
– Fix bug #80007: Potential type confusion in unixtojd() parameter parsing
– Fix bug #62890: default_socket_timeout=-1 causes connection to timeout
– Fix bug #70362: Can’t copy() large ‘data://’ with open_basedir
– Fix bug #73527: Invalid memory access in php_filter_strip
– Fix bug #74267: segfault with streams and invalid data
– Fix bug #79787: mb_strimwidth does not trim string
– Fix bug #79877: getimagesize function silently truncates after a null byte
– Fix bug #78221: DOMNode::normalize() doesn’t remove empty text nodes
– Fix bug #78875: Long variables cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #78876: Long variables in multipart/form-data cause OOM and temp files are not cleaned (CVE-2019-11048)
– Fix bug #79497: stream_socket_client() throws an unknown error sometimes with <1s timeout
– Fix bug #79514: Memory leaks while including unexistent file
– Fix bug #79528: Different object of the same xml between 7.4.5 and 7.4.4
– Fix bug #61597: SXE properties may lack attributes and content
– Fix bug #74940: DateTimeZone loose comparison always true
– Fix bug #75673: SplStack::unserialize() behavior
– Fix bug #79200: Some iconv functions cut Windows-1258
– Fix bug #79296: ZipArchive::open fails on empty file
– Fix bug #79330: shell_exec() silently truncates after a null byte
– Fix bug #79364: When copy empty array, next key is unspecified
– Fix bug #79396: setting Date/Time during a forward DST transition
– Fix bug #79410: system() swallows last chunk if it is exactly 4095 bytes without newline
– Fix bug #79424: php_zip_glob uses gl_pathc after call to globfree
– Fix bug #79465: OOB Read in urldecode() (CVE-2020-7067)
– Fix bug #79078: Hypothetical use-after-free in curl_multi_add_handle
– Fix bug #79282: Use-of-uninitialized-value in exif (CVE-2020-7064)
– Fix bug #79329: get_headers silently truncates after a null byte (CVE-2020-7066)
– Fix bug #79037: global buffer-overflow in `mbfl_filt_conv_big5_wchar` (CVE-2020-7060)
– Fix bug #79082: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)
– Fix bug #79099: OOB read in php_strip_tags_ex (CVE-2020-7059)
– Fix bug #79221: Null Pointer Dereference in PHP Session Upload Progress (CVE-2020-7062)
– Fix bug #78793: Use-after-free in exif parsing under memory sanitizer
– Fix bug #78878: Buffer underflow in bc_shift_addsub. (CVE-2019-11046)
– Fix bug #78910: Heap-buffer-overflow READ in exif. (CVE-2019-11047)
– Fix bug #78863: DirectoryIterator class silently truncates after a nullbyte. (CVE-2019-11045)
– Fix bug #76342: file_get_contents waits twice specified timeout
– Fix bug #76859: stream_get_line skips data if used with data-generating filter
– Fix bug #78579: mb_decode_numericentity: args number inconsistency
– Fix bug #78599: env_path_info underflow can lead to RCE. (CVE-2019-11043)
– Fix bug #78380: Oniguruma 6.9.3 fixes CVEs. (CVE-2019-13224)
– Fix bug #69100: Bus error from stream_copy_to_stream
– Fix bug #75457: heap-use-after-free
– Fix bug #77946: Bad cURL resources returned by curl_multi_info_read
– Fix bug #78333: Exif crash (bus error) due to wrong alignment and invalid cast
– Fix bug #78342: Bus error in configure test for iconv //IGNORE
– Fix bug #78363: Buffer overflow in zendparse
– Fix bug #77124: FTP with SSL memory leak
– Fix bug #78192: PDO SQLite SegFault when reuse statement after schema has changed
– Fix bug #78212: Segfault in built-in webserver
– Fix bug #78222: heap-buffer-overflow on exif_scan_thumbnail
– Fix bug #78256: heap-buffer-overflow on exif_process_user_comment
– Fix bug #78279: libxml_disable_entity_loader settings is shared between requests (cgi-fcgi)
– Fix bug #78291: Missing opcache directives
– Fix bug #77967: Bypassing open_basedir restrictions via file uris
– Fix bug #77973: Uninitialized read in gdImageCreateFromXbm
– Fix bug #77988: heap-buffer-overflow on php_jpg_get16
– Fix bug #78069: Out-of-bounds read in iconv.c:_php_iconv_mime_decode() due to integer overflow
– Fix bug #50020: DateInterval:createDateFromString() silently fails
– Fix bug #76717: var_export() does not create a parsable value for PHP_INT_MIN
– Fix bug #77024: SplFileObject::__toString() may return array
– Fix bug #77664: Segmentation fault when using undefined constant in custom wrapper
– Fix bug #77677: WCOREDUMP not available on all systems
– Fix bug #77697: Crash on Big_Endian platform
– Fix bug #77700: Writing truecolor images as GIF ignores interlace flag
– Fix bug #77722: Incorrect IP set to $_SERVER[‘REMOTE_ADDR’] on the localhost
– Fix bug #77742: bcpow() implementation related to gcc compiler optimization
– Fix bug #77765: FTP stream wrapper should set the directory as executable
– Fix bug #77921: static.php.net doesn’t work anymore
– Fix bug #77934: php-fpm kill -USR2 not working
– Fix bug #77943: imageantialias($image, false); does not work
– Fix bug #77944: Wrong meta pdo_type for bigint on LLP64
– Fix bug #77945: Segmentation fault when constructing SoapClient with WSDL_CACHE_BOTH
– Fix bug #51068: glob:// do not support current path relative
– Fix bug #77390: feof might hang on TLS streams in case of fragmented TLS records)
– Fix bug #77396: Null Pointer Dereference in phar_create_or_parse_filename
– Fix bug #77431: SplFileInfo::__construct() accepts NUL bytes
– Fix bug #77540: Invalid Read on exif_process_SOFn
– Fix bug #77546: iptcembed broken function
– Fix bug #77563: Uninitialized read in exif_process_IFD_in_MAKERNOTE
– Fix bug #77586: phar_tar_writeheaders_int() buffer overflow
– Fix bug #77630: safer rename() procedure
– Fix bug #77242: heap out of bounds read in xmlrpc_decode()
– Fix bug #77247: heap buffer overflow in phar_detect_phar_fname_ext
– Fix bug #77269: Potential unsigned underflow in gdImageScale
– Fix bug #77270: imagecolormatch Out Of Bounds Write on Heap
– Fix bug #77371: heap buffer overflow in mb regex functions – compile_string_node
– Fix bug #77380: Global out of bounds read in xmlrpc base64 code
– Fix bug #77418: Heap overflow in utf32be_mbc_to_code
– Fix bug #66828: iconv_mime_encode Q-encoding longer than it should be
– Fix bug #76800: foreach inconsistent if array modified during loop)
– Fix bug #76901: method_exists on SPL iterator passthrough method corrupts memory
– Fix bug #76480: Use curl_multi_wait() so that timeouts are respected
– Fix bug #76832: ZendOPcache.MemoryBase periodically deleted by the
– Fix bug #75696: posix_getgrnam fails to print details of group
– Fix bug #74454: Wrong exception being thrown when using ReflectionMethod
– Fix bug #73457: Wrong error message when fopen FTP wrapped fails to open data connection
– Fix bug #74764: and add a test case
– Fix bug #76886: Can’t build xmlrpc with expat
– Fix bug #75273: php_zlib_inflate_filter() may not update bytes_consumed
– Fix bug #76505: array_merge_recursive() is duplicating sub-array keys
– Fix bug #76532: excessive memory usage in mb_strimwidth
– Fix bug #76548: pg_fetch_result did not fetch the next row
– Fix bug #76488: Memory leak when fetching a BLOB field
– Fix bug #73817: Incorrect entries in get_html_translation_table
– Fix bug #52974: jewish.c: compile error under Windows with GBK charset
– Fix bug #76665: SQLite3Stmt::bindValue() with SQLITE3_FLOAT doesn’t juggle
– Fix bug #75402: Possible Memory Leak using PDO::CURSOR_SCROLL option
– Fix bug #76335: “link(): Bad file descriptor” with non-ASCII path
– Fix bug #76704: mb_detect_order return value varies based on argument type
– Fix bug #72443: Generate enabled extension
– Fix bug #65988: Zlib version check fails
– Fix bug #68175: RegexIterator pregFlags are NULL instead of 0
– Fix bug #76296: openssl_pkey_get_public does not respect open_basedir
– Fix bug #68825: Exception in DirectoryIterator::getLinkTarget()
– Fix bug #55146: iconv_mime_decode_headers() skips some headers
– Fix bug #63839: iconv_mime_decode_headers function is skipping headers
– Fix bug #60494: iconv_mime_decode does ignore special characters
– Fix bug #68180: iconv_mime_decode can return extra characters in a header
– Fix bug #76367: NoRewindIterator segfault 11
– Fix bug #76383: array_map on $GLOBALS returns IS_INDIRECT
– Fix bug #73342: Vulnerability in php-fpm by changing stdin to non-blocking
– Fix bug #76130: Heap Buffer Overflow (READ: 1786) in exif_iif_add_value
– Fix bug #76249: Stream filter convert.iconv leads to infinite loop on invalid sequence
– Fix bug #76248: LDAP-Server Response causes Crash
– Fix bug #76129: (CVE-2018-10547) Reflected XSS on the PHAR 403 and 404 error pages via request data of a request for a .phar file
– Fix bug #75981: Stack-buffer-overflow while parsing HTTP response
– Fix bug #75571: Potential infinite loop in gdImageCreateFromGifCtx
– Fix bug #74782: Reflected XSS in .phar 404 page
– Fix bug #74145: wddx parsing empty boolean tag leads to SIGSEGV (CVE-2017-11143)
– Fix bug #74651: negative-size-param (-1) in memcpy in zif_openssl_seal() (CVE-2017-11144)
– Fix bug #74819: wddx_deserialize() heap out-of-bound read via php_parse_date() (CVE-2017-11145)
– Fix bug #74435: Buffer over-read into uninitialized memory (CVE-2017-7890)
– Fix bug CVE-2017-9224: Buffer Overflow in match_at() (Oniguruma issue)
– Fix bug CVE-2017-9226: Heap corruption in next_state_val() in 15 encodings (Oniguruma issue)
– Fix bug CVE-2017-9227: Bug in mbc_enc_len() (Oniguruma issue)
– Fix bug CVE-2017-9228: Heap corruption in next_state_val() due to uninitialized local variable (Oniguruma issue)
– Fix bug CVE-2017-9229: SIGSEGV in left_adjust_char_head() due to bad dereference (Oniguruma issue)
– Fix bug #74087: Segmentation fault in PHP7.1.1(compiled using the bundled PCRE library)
– Fix bug #74603: PHP INI Parsing Stack Buffer Overflow Vulnerability
– Fix bug #69090: opcache: add prefix/xor to cache keys/check permissions or separate caches
– Fix bug #72627: Memory Leakage In exif_process_IFD_in_TIFF (CVE-2016-7128)
– Fix bug #73764: Crash while loading hostile phar archive (CVE-2016-10159)
– Fix bug #73768: Memory corruption when loading hostile phar (CVE-2016-10160)
– Fix bug #73825: Heap out of bounds read on unserialize in finish_nested_data() (CVE-2016-10161)
– Fix bug #68447: grapheme_extract take an extra trailing character
– Fix bug #70213: Unserialize context shared on double class lookup
– Fix bug #73549: Use after free when stream is passed to imagepng
– Fix bug #73737: FPE when parsing a tag format (CVE-2016-10158)
– Fix bug #73773: Seg fault when loading hostile phar
– Fix bug #73868: Fix DOS vulnerability in gdImageCreateFromGd2Ctx()
– Fix bug #73869: Signed Integer Overflow gd_io.c
– Fix bug #73452: Segfault (Regression for #69152)
– Fix bug #73631: Invalid read when wddx decodes empty boolean element
– Fix bug #73356: crash in bzcompress function
– Fix bug CVE-2016-8670: Stack Buffer Overflow in GD dynamicGetbuf
– Fix bug #72482: Illegal write/read access caused by gdImageAALine overflow
– Fix bug #72696: imagefilltoborder stackoverflow on truecolor images
– Fix bug #73418: Integer Overflow in “_php_imap_mail” leads Heap Overflow
– Fix bug #73144: Use-after-free in ArrayObject Deserialization
– Fix bug #73192: parse_url return wrong hostname
– Fix bug #73331: NULL Pointer Dereference in WDDX Packet Deserialization with PDORow
– Fix bug #73189: Memcpy negative size parameter php_resolve_path
– Fix bug #73147: Use After Free in unserialize()
– Fix bug #73190: memcpy negative parameter _bc_new_num_ex
– Fix bug #73150: missing NULL check in dom_document_save_html
– Fix bug #73284: heap overflow in php_ereg_replace function
– Fix bug CVE-2016-7568: Integer Overflow in gdImageWebpCtx of gd_webp.c
– Fix bug #73218: stack-buffer-overflow through “ResourceBundle” methods
– Fix bug #73208: integer overflow in imap_8bit caused heap corruption
– Fix bug #73082: string length overflow in mb_encode_* function
– Fix bug #73174: heap overflow in php_pcre_replace_impl
– Fix bug #73276: crash in openssl_random_pseudo_bytes function
– Fix bug #73275: crash in openssl_encrypt function
– Fix bug #73017: memory corruption in wordwrap function
– Fix bug #73240: Write out of bounds at number_format
– Fix bug #73073: CachingIterator null dereference when convert to string
– Fix bug #73293: NULL pointer dereference in SimpleXMLElement::asXML()
– Fix bug #73052: CVE-2016-7411: Memory Corruption in During Deserialized-object Destruction
– Fix bug #72293: CVE-2016-7412: Heap overflow in mysqlnd related to BIT fields
– Fix bug #72860: CVE-2016-7413: wddx_deserialize use-after-free
– Fix bug #72928: CVE-2016-7414: Out of bound when verify signature of zip phar in phar_parse_zipfile
– Fix bug #73007: CVE-2016-7416: SEH buffer overflow msgfmt_format_message
– Fix bug CVE-2016-7417: Missing type check when unserializing SplArray
– Fix bug CVE-2016-7418: Out-Of-Bounds Read in php_wddx_push_element of wddx.c
– Fix bug #72837: integer overflow in bzdecompress caused heap corruption (bz2)
– Fix bug #70436: Use After Free Vulnerability in unserialize() (core)
– Fix bug #72024: microtime() leaks memory (core)
– Fix bug #72633: Create an Unexpected Object and Don’t Invoke __wakeup() in Deserialization (core)
– Fix bug #72681: PHP Session Data Injection Vulnerability (core)
– Fix bug #72807: integer overflow in curl_escape caused heap corruption (curl)
– Fix bug #72838: Integer overflow lead to heap corruption in sql_regcase (ereg)
– Fix bug #72697: select_colors write out-of-bounds (gd)
– Fix bug #72730: imagegammacorrect allows arbitrary write access (gd)
– Fix bug #72708: php_snmp_parse_oid integer overflow in memory allocation (snmp)
– Fix bug #72836: integer overflow in base64_decode caused heap corruption (standard)
– Fix bug #72848: integer overflow in quoted_printable_encode caused heap corruption (standard)
– Fix bug #72849: integer overflow in urlencode caused heap corruption (standard)
– Fix bug #72850: integer overflow in php_uuencode caused heap corruption (standard)
– Fix bug #72771: ftps:// wrapper is vulnerable to protocol downgrade attack (streams)
– Fix bug #72749: wddx_deserialize allows illegal memory access (wddx)
– Fix bug #72750: wddx_deserialize null dereference (wddx)
– Fix bug #72790: wddx_deserialize null dereference with invalid xml (wddx)
– Fix bug #72799: wddx_deserialize null dereference in php_wddx_pop_element (wddx)
– Fix bug #69288: Regression introduced in fix for bug 69085 leads to a segmentation fault

모든 이전 버전의 PHP에는 취약점이 있습니다. 위에서 볼 수 있듯이 수백 가지의 취약점이 있을 수 있습니다. 하지만 일부 애플리케이션의 경우 해당 PHP 버전에 갇혀 있을 수 있으며, 이는 매우 곤란한 상황입니다.

다행히도 TuxCare의 PHP 보안 수정 사항을 워크로드에 적용하는 방법은 간단합니다. 최신 보안 수정 사항이 포함된 패키지 세트를 제공하지만 필요한 특정 PHP 버전과 호환되도록 백포트되어 있습니다.

패키지 몇 개만 교체하면 이전 PHP 버전도 완벽하게 지원됩니다. TuxCare의 PHP ELS를 테스트하고 싶으신가요? 지금 바로 전문가와 상담하세요!