Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
PHP 7.2 Prior to Version 7.2.3
PHP 7.2.4 Prior to Version 7.3.17
PHP 7.3.2 Prior to Version 7.4.5
Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. Details of these vulnerabilities are as follows:
Version 7.2.30:
- Bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
- Bug #79330 (shell_exec() silently truncates after a null byte).
- Bug #79465 (OOB Read in urldecode()).
Version 7.3.17:
- Bug #79364 (When copy empty array, next key is unspecified).
- Bug #78210 (Invalid pointer address).
- Bug #79199 (curl_copy_handle() memory leak).
- Bug #79396 (DateTime hour incorrect during DST jump forward).
- Bug #79200 (Some iconv functions cut Windows-1258).
- Bug #79412 (Opcache chokes and uses 100% CPU on specific script).
- Bug #79413 (session_create_id() fails for active sessions).
- Bug #79427 (Integer Overflow in shmop_open()).
- Bug #61597 (SXE properties may lack attributes and content).
- Bug #75673 (SplStack::unserialize() behavior).
- Bug #79393 (Null coalescing operator failing with SplFixedArray).
- Bug #79330 (shell_exec() silently truncates after a null byte).
- Bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
- Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline).
- Bug #79296 (ZipArchive::open fails on empty file).
- Bug #79424 (php_zip_glob uses gl_pathc after call to globfree).
Version 7.3.18:
- Bug #78875 (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
- Bug #78876 (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
- Bug #79434 (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant).
- Bug #79477 (casting object into array creates references).
- Bug #79470 (PHP incompatible with 3rd party file system on demand).
- Bug #78784 (Unable to interact with files inside a VFS for Git repository).
- Bug #78221 (DOMNode::normalize() doesn't remove empty text nodes).
- Bug #79491 (Search for .user.ini extends up to root dir).
- Bug #79441 (Segfault in mb_chr() if internal encoding is unsupported).
- Bug #79497 (stream_socket_client() throws an unknown error sometimes with <1s timeout).
- Bug #79503 (Memory leak on duplicate metadata).
- Bug #79528 (Different object of the same xml between 7.4.5 and 7.4.4).
- Bug #79468 (SIGSEGV when closing stream handle with a stream filter appended).
Version 7.4.5:
- Bug #79364 (When copy empty array, next key is unspecified).
- Bug #78210 (Invalid pointer address).
- Bug #79199 (curl_copy_handle() memory leak).
- Bug #79396 (DateTime hour incorrect during DST jump forward).
- Bug #74940 (DateTimeZone loose comparison always true).
- Bug #79200 (Some iconv functions cut Windows-1258).
- Bug #79412 (Opcache chokes and uses 100% CPU on specific script).
- Bug #79413 (session_create_id() fails for active sessions).
- Bug #79427 (Integer Overflow in shmop_open()).
- Bug #61597 (SXE properties may lack attributes and content).
- Bug #79357 (SOAP request segfaults when any request parameter is missing).
- Bug #75673 (SplStack::unserialize() behavior).
- Bug #79393 (Null coalescing operator failing with SplFixedArray).
- Bug #79330 (shell_exec() silently truncates after a null byte).
- Bug #79410 (system() swallows last chunk if it is exactly 4095 bytes without newline).
- Bug #79465 (OOB Read in urldecode()). (CVE-2020-7067)
- Bug #79296 (ZipArchive::open fails on empty file).
- Bug #79424 (php_zip_glob uses gl_pathc after call to globfree).
Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.
- After appropriate testing, immediately upgrade to the latest version of PHP.
- Verify that no unauthorized system modifications have occurred on the system before applying the patch.
- Apply the principle of Least Privilege to all systems and services.
- Remind users not to visit websites or follow links provided by unknown or untrusted sources.
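
To support the upgrade recommendation, the following added example (not part of the original advisory) classifies `php -v` banners against the highest fixed release this advisory lists for each branch. The hostnames and banners are constructed sample data, and treating 7.2.30, 7.3.18 and 7.4.5 as the per-branch minimum is an assumption of the example.

```python
import re

# Highest fixed release this advisory lists per branch. Treating it as the
# minimum acceptable version for that branch is an assumption of this example.
FIXED = {(7, 2): (7, 2, 30), (7, 3): (7, 3, 18), (7, 4): (7, 4, 5)}

# Matches the first line of `php -v`, e.g. "PHP 7.4.3 (cli) (built: ...)".
BANNER_RE = re.compile(r"\bPHP (\d+)\.(\d+)\.(\d+)(\S*)")


def classify(banner):
    """Return (status, version tuple or None) for one `php -v` banner."""
    m = BANNER_RE.search(banner)
    if m is None:
        return ("unparsed", None)
    version = tuple(int(part) for part in m.group(1, 2, 3))
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # Branch has no fixed release listed here; handle it separately.
        return ("branch-not-listed", version)
    if version >= fixed:
        return ("fixed", version)
    if m.group(4).startswith(("-", "+")):
        # Distribution builds can backport fixes without bumping the upstream
        # version, so the number alone is inconclusive.
        return ("check-vendor-backports", version)
    return ("upgrade", version)


def audit(inventory):
    """Map each host to its status; `inventory` is {host: banner}."""
    return {host: classify(banner)[0] for host, banner in inventory.items()}


# Constructed sample data: hostnames and banners are illustrative only.
SAMPLE = {
    "web01": "PHP 7.2.29 (cli) (built: Mar 20 2020 10:00:00) ( NTS )",
    "web02": "PHP 7.3.17 (cli) (built: Apr 15 2020 10:00:00) ( NTS )",
    "web03": "PHP 7.4.5 (cli) (built: Apr 15 2020 10:00:00) ( NTS )",
    "web04": "PHP 7.2.24-0ubuntu0.18.04.4 (cli) (built: Apr  8 2020 15:45:57) ( NTS )",
    "web05": "PHP 7.1.33 (cli) (built: Oct 25 2019 10:00:00) ( NTS )",
    "web06": "php: command not found",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as `check-vendor-backports` need the distribution's own security tracker consulted, since the upstream version number in a packaged build does not show which fixes were backported.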