Update PHP for multiple vulnerabilities

This information is intended for U-M IT staff who are responsible for maintaining and running university servers with PHP installed. It was sent via email to several U-M IT staff groups on April 29, 2016.

Summary

Update PHP immediately after appropriate testing to address multiple newly discovered vulnerabilities. PHP is a programming language originally designed for use in web-based applications with HTML content. It supports a wide variety of platforms and is used by numerous web-based software applications.

Problem

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. Failed exploit attempts could potentially lead to denial of service conditions. Successfully exploiting the vulnerabilities could allow remote attackers to execute arbitrary code in the context of the affected application.

Threats

Publicly available exploit code is available for vulnerable versions of PHP 7 prior to 7.0.6. Active attacks that can compromise servers running vulnerable versions of PHP 7 may occur quickly. A remote code execution vulnerability also exists in PHP 5, but IIA is not currently aware of publicly available exploit code for that vulnerability.

Affected Versions

  • PHP 7 prior to 7.0.6
  • PHP 5.5 prior to 5.5.35
  • PHP 5.6 prior to 5.6.21

Action Items

  • Verify that no unauthorized system modifications have occurred on your system before updating.
  • Upgrade to the latest version of PHP immediately after appropriate testing. See PHP Downloads.
  • Apply the principle of least privilege to all systems and services.
  • Limit user account privileges to only those required.

Technical Details

One remote code execution vulnerability only affects vulnerable versions of PHP 7. This vulnerability is an integer overflow in ZipArchive::getFrom*. The other remote code execution vulnerability affects both PHP 5 and PHP 7 and is a signedness vulnerability in libgd. Most references indicate that the vulnerability in libgd is specific to version 2.1.1, but there are some indications that earlier versions could also be vulnerable.

Information for Users

Users are not directly affected by these vulnerabilities and therefore do not need to take any action.

Questions, Concerns, Reports

Please contact [email protected].