SB2024092724 - Multiple vulnerabilities in PHP

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) OS Command Injection (CVE-ID: CVE-2024-8926)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The vulnerability exists due to improper input validation in PHP-CGI implementation. A remote attacker can send specially crafted HTTP request to the application and execute arbitrary OS commands on the system.

Note, the vulnerability exists due to incomplete fix for #VU91106 (CVE-2024-4577).

2) Security features bypass (CVE-ID: CVE-2024-8927)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to environment variable collision, which can lead to cgi.force_redirect bypass. A remote attacker can bypass implemented security restriction and gain unauthorized access to the application.

3) Insufficient Logging (CVE-ID: CVE-2024-9026)

The vulnerability allows an attacker to alter log files.

The vulnerability exists due to an unspecified error, which can lead to logs from child processes to be altered.

4) Input validation error (CVE-ID: CVE-2024-8925)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input when parsing multipart form data. A remote attacker can pass specially crafted input to the application and bypass implemented security restrictions.

Remediation

Install update from vendor's website.

References

• https://www.php.net/ChangeLog-8.php#8.1.30
• https://www.php.net/ChangeLog-8.php#8.2.24
• https://www.php.net/ChangeLog-8.php#8.3.12