ADVISORY: Update PHP for multiple vulnerabilities

Thursday, January 21, 2016

This information is intended for U-M IT staff who are responsible for maintaining and running university servers with PHP installed. It was sent via email to U-M IT staff groups January 21, 2016.

Summary

Multiple new vulnerabilities have been discovered in PHP, and the PHP project has released updates to address them. Proof-of-concept code for these vulnerabilities is publicly known. The updates should be applied as soon as possible after appropriate testing. If attackers exploit these vulnerabilities, they could execute arbitrary code in the context of the web server. (PHP is a programming language originally designed for web applications that generate HTML content; it is now also used as a general-purpose programming language.)

Threats

While there are currently no reports of these vulnerabilities being exploited in the wild, there is known proof-of-concept code for these vulnerabilities. The availability of proof-of-concept code may allow attackers to begin exploiting these vulnerabilities more quickly.

Affected Versions

  • PHP 5.6 prior to 5.6.17
  • PHP 5.5 prior to 5.5.31
  • PHP 7.0 prior to 7.0.2
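As an added example (not part of the U-M advisory), the following shell check classifies a PHP build against the fixed releases listed above and reports whether the wddx extension is loaded. The `php -v` and `php -m` outputs embedded in it are constructed samples, and the function names are mine, not anything PHP ships.

```shell
#!/bin/sh
# Added example, not part of the U-M advisory: classify an installed PHP
# against the fixed releases in "Affected Versions" (5.5.31, 5.6.17, 7.0.2)
# and report whether the wddx extension is loaded. Assumes the usual
# `php -v` first line "PHP X.Y.Z (cli) ..." and `php -m` listing one module
# per line; the sample outputs below are constructed, not real captures.

# First fixed release for a MAJOR.MINOR branch; fails for branches the
# advisory does not list (e.g. 5.4, which was already end-of-life).
fixed_for_branch() {
    case "$1" in
        5.5) echo 5.5.31 ;;
        5.6) echo 5.6.17 ;;
        7.0) echo 7.0.2 ;;
        *)   return 1 ;;
    esac
}

# version_ge A B: succeed when dotted version A is >= B, comparing each
# component numerically (so 5.6.17 > 5.6.9, which a string compare gets wrong).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; [ "$ai" = "$a" ] && a="" || a=${a#*.}
        bi=${b%%.*}; [ "$bi" = "$b" ] && b="" || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# php_status VERSION: prints patched | vulnerable | unlisted | unknown.
# Distribution suffixes such as "5.6.17-0+deb8u1" are stripped first. Caveat:
# distributions sometimes backport fixes without bumping the upstream version,
# so a "vulnerable" result for a vendor package should be confirmed against the
# vendor's changelog before anyone panics.
php_status() {
    ver=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    [ -n "$ver" ] || { echo unknown; return 0; }
    branch=${ver%.*}
    fixed=$(fixed_for_branch "$branch") || { echo unlisted; return 0; }
    if version_ge "$ver" "$fixed"; then echo patched; else echo vulnerable; fi
}

# php_status_from_output "<php -v text>": pull the version from the first line.
php_status_from_output() {
    php_status "$(printf '%s\n' "$1" | awk 'NR==1 && $1=="PHP" {print $2}')"
}

# wddx_loaded "<php -m text>": succeed when the wddx module is listed.
wddx_loaded() {
    printf '%s\n' "$1" | grep -qix 'wddx'
}

# Constructed sample outputs standing in for a real host.
SAMPLE_PHP_V='PHP 5.6.16 (cli) (built: Dec  1 2015 10:00:00)
Copyright (c) 1997-2015 The PHP Group
Zend Engine v2.6.0, Copyright (c) 1998-2015 Zend Technologies'
SAMPLE_PHP_M='[PHP Modules]
Core
json
wddx
xml'

# Check the constructed sample, then the local php if there is one.
printf 'sample host: %s' "$(php_status_from_output "$SAMPLE_PHP_V")"
if wddx_loaded "$SAMPLE_PHP_M"; then printf ' (wddx loaded)\n'; else printf ' (wddx not loaded)\n'; fi
if command -v php >/dev/null 2>&1; then
    printf 'this host:   %s\n' "$(php_status_from_output "$(php -v 2>/dev/null)")"
fi
```

Run it on each server, or feed it `php -v` output collected by your configuration management tool. A build reported as vulnerable with wddx loaded is the case to prioritise; a build reported as vulnerable should still be updated even when wddx is not loaded, since the same releases carry the other core fixes mentioned below.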

Action Items

  • Update PHP to 5.6.17, 5.5.31, or 7.0.2 (or later) as soon as possible after appropriate testing.

Technical Details

The PHP vulnerabilities addressed by these most recent updates include:

  • A vulnerability in the zval_ptr_dtor() function in the wddx/wddx.c source file (the WDDX extension). It can be triggered by sending a specially crafted recordset in a WDDX packet.
  • A vulnerability in the php_wddx_deserialize_ex() function when it deserializes a string-type ZVAL.

Successful exploitation of these vulnerabilities may allow remote attackers to execute arbitrary code in the context of the web server. Both issues are in the WDDX extension's deserialization code, so applications that deserialize WDDX packets from untrusted input (for example via wddx_deserialize()) are the ones directly exposed; the update should be applied regardless. The updates also address a number of other bugs in the PHP core.

Information for Users

Users are not directly affected by these vulnerabilities and therefore do not need to take any action.

Questions, Concerns, Reports

Please contact [email protected].

References