Security Alert

Original date: 16.10.2018
Overall risk classification: HIGH

Overview

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code [1].

Systems Affected

PHP 7.1 prior to 7.1.23
PHP 7.2 prior to 7.2.11

Threat

Risk: HIGH
If your project uses PHP in a vulnerable version, the application is potentially vulnerable to remote code execution.
Remote code execution vulnerabilities allow attackers to take control of a vulnerable system. This can provide a hacker with an entry point into your corporate networks, and can put both infrastructure and data at risk.
Exploitability:
Details about the bugs which cause the vulnerabilities can be found via the change log for PHP 7.1 [2] and PHP 7.2 [3].
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): MEDIUM

Mitigation

Patched versions have been released on Oct 11, 2018.
Users of PHP 7.1 and 7.2 are strongly advised to upgrade to 7.1.23 and 7.2.11, respectively [1].

Author

Martin Schöne

References

[1] https://www.cisecurity.org/advisory/multiple-vulnerabilities-in-php-could-allow-for-arbitrary-code-execution_2018-113/
[2] http://php.net/ChangeLog-7.php#7.1.23
[3] http://php.net/ChangeLog-7.php#7.2.11