ELA-1277-1 Security Update for PHP7.3 – Critical Vulnerabilities and Fixes

A critical security update, ELA-1277-1, has been released for PHP 7.3, specifically for version 7.3.31-1~deb10u9 (Buster). This update addresses several vulnerabilities in PHP that could potentially be exploited by attackers to compromise system integrity, availability, and confidentiality. If your system is running PHP 7.3, it’s vital to apply this update as soon as possible to mitigate these risks. Below, we will explore the vulnerabilities fixed in this release, their potential impacts, and why immediate updating is crucial.

Related CVEs:

  • CVE-2024-8929
  • CVE-2024-8932
  • CVE-2024-11233
  • CVE-2024-11234
  • CVE-2024-11236

Vulnerability Breakdown:

  1. CVE-2024-8929: Heap Buffer Over-read in mysqlnd A heap buffer over-read vulnerability was discovered by Sébastien Rolland in the mysqlnd (MySQL Native Driver) component of PHP. This vulnerability can be exploited by connecting to a fake MySQL server or tampering with network packets during a SQL query. By abusing the php_mysqlnd_rset_field_read() function when parsing MySQL field packets, attackers could access sensitive heap content that starts from the address of the cursor in the current buffer, effectively leaking sensitive information stored in memory. Impact:
    • Leak of sensitive data from the heap.
    • Exposing passwords, session data, or other private information to an attacker.
  2. CVE-2024-8932: Integer Overflow in ldap_escape() on 32-bit Systems Yiheng Cao discovered that ldap_escape() on 32-bit systems is vulnerable to an integer overflow caused by uncontrolled long string inputs. This overflow results in an out-of-bounds write, which can corrupt memory or cause the system to crash. Impact:
    • Denial of service (DoS) due to system crashes.
    • Potential for arbitrary code execution or memory corruption.
  3. CVE-2024-11233: Memory Corruption in filter Handling System A vulnerability was discovered in the filter handling system of PHP, specifically when processing input with the convert.quoted-printable-decode filter. Specially crafted input data could trigger a segmentation fault, causing PHP to crash. Additionally, this vulnerability could allow an attacker to extract a byte of data from the heap, posing a risk of data leakage. Impact:
    • Denial of service (PHP crash).
    • Potential for leakage of a byte of sensitive data from the heap.
  4. CVE-2024-11234: Proxy Configuration Leading to CRLF Injection This vulnerability, discovered by Lorenzo Leonardini, occurs when a proxy is configured in a stream context. An attacker could inject CRLF (carriage return and line feed) characters into the URI, enabling a Server-Side Request Forgery (SSRF) attack. This could bypass authorization mechanisms and allow attackers to make unauthorized internal requests. Impact:
    • Authorization bypass via SSRF.
    • Potential for unauthorized internal requests and system access.
  5. CVE-2024-11236: Integer Overflow in Firebird and DBLIB Quoters An integer overflow was found in the Firebird and DBLIB quoters, which could result in out-of-bounds writes. This vulnerability could be triggered when handling specific input data, causing memory corruption and possible exploitation by attackers. Impact:
    • Memory corruption leading to system instability.
    • Potential remote code execution via out-of-bounds writes.
  6. GHSA-4w77-75f9-2c8w: Heap-Use-After-Free in sapi_read_post_data() A critical heap-use-after-free vulnerability was discovered in the sapi_read_post_data() function, which processes POST request data. Exploiting this vulnerability could result in memory safety issues, allowing attackers to execute arbitrary code or trigger crashes by manipulating memory allocation. Impact:
    • Remote code execution or memory corruption.
    • Potential data leakage or denial of service.

Update PHP is needed:

The vulnerabilities addressed in this security update are serious and could have severe consequences if left unpatched. Attackers can exploit these flaws to leak sensitive data, crash your PHP-based applications, or even gain unauthorized access to internal systems. For systems running PHP 7.3, it is crucial to apply this update as soon as possible to prevent these risks.

Steps to Update:

  1. Check the Installed Version: First, verify the PHP version installed on your system to determine if you are running the vulnerable version: php -v
  2. Apply the Update: To update PHP to the latest secure version on Debian Buster (10), run the following commands: sudo apt update sudo apt install --only-upgrade php7.3
  3. Restart PHP Services: After applying the update, restart your PHP-FPM or web server to activate the changes: sudo systemctl restart apache2 sudo systemctl restart php7.3-fpm
  4. Test Your Applications: Once the update is applied, test your PHP-based applications to ensure they are functioning correctly. Pay particular attention to any areas that handle user inputs or interact with databases or external services.

The ELA-1277-1 update for PHP 7.3 addresses critical vulnerabilities that could compromise the security and stability of your systems. By applying this update, you protect your applications from potential exploitation and ensure that your infrastructure remains secure. Don’t delay—apply this security patch as soon as possible to safeguard your PHP-powered applications from these serious risks.