### #PHPUpdates #SecurityPatches #VulnerabilityManagement
Summary: The PHP development team has issued critical security updates to address multiple vulnerabilities in versions prior to 8.1.31, 8.2.26, and 8.3.14, some of which could lead to severe security breaches. Users are strongly urged to upgrade to the latest versions to mitigate these risks.
Threat Actor: Unknown | unknown
Victim: PHP Users | PHP Users
Key Point :
- Critical vulnerabilities include CVE-2024-8932, allowing out-of-bounds access in ldap_escape with a CVSS score of 9.8.
- CVE-2024-8929 enables attackers to leak heap content through a buffer over-read, potentially via a fake MySQL server.
- Additional vulnerabilities addressed include integer overflows and CRLF injection risks that could lead to information leakage or denial-of-service attacks.
- The PHP project strongly recommends immediate updates to prevent exploitation of these vulnerabilities.
The PHP development team has released urgent security updates to address multiple vulnerabilities affecting versions prior to 8.1.31, 8.2.26, and 8.3.14. These vulnerabilities range in severity, with some potentially allowing attackers to leak sensitive information, execute arbitrary code, or launch denial-of-service attacks.
One of the most serious vulnerabilities, CVE-2024-8932, allows for out-of-bounds (OOB) access in the ldap_escape function. This vulnerability, with a CVSS score of 9.8, could enable attackers to execute arbitrary code on affected systems.
“Uncontrolled long string inputs to ldap_escape on 32-bit systems can cause an integer overflow, resulting in an out-of-bounds write,” the advisory warns.
Another critical flaw, CVE-2024-8929, allows attackers to leak partial content of the heap through a heap buffer over-read. This vulnerability can be exploited by connecting to a fake MySQL server or by tampering with network packets. “Using PHP-FPM which stays alive between requests, and between two different SQL query requests…one is able to extract the response content of the previous MySQL request from the PHP-FPM worker,” the advisory explains. A proof-of-concept exploit demonstrated how a fake MySQL server could manipulate packet headers to extract residual buffer data.
In addition to these critical vulnerabilities, the update also addresses several other issues, including:
- CVE-2024-11233: A single byte overread with the convert.quoted-printable-decode filter, potentially leading to information leakage or denial of service.
- CVE-2024-11236: An integer overflow in the Firebird and dblib quoters, potentially causing out-of-bounds writes.
- CVE-2024-11234: A CRLF injection vulnerability in stream contexts when configuring a proxy, potentially leading to HTTP request smuggling attacks. “Configuring a proxy in a stream context might allow for CRLF injection in URIs, resulting in HTTP request smuggling attacks,” the advisory states.
The PHP project strongly urges all users to update their PHP installations to the latest versions immediately. These updates include fixes that prevent attackers from exploiting these vulnerabilities and compromising systems.
For detailed information on each vulnerability and mitigation strategies, please refer to the official PHP security advisory.