SUBJECT: Critical Security Update Required for PHP 5.4.x Before 5.4.43

TECH STACK: PHP 5.4.x Web Servers

ISSUE IDENTIFICATION: PHP Version < 5.4.43

NOTIFICATION DATE: 07/10/2015

LAST UPDATE: 04/11/2022

CRITICALITY LEVEL: CRITICAL

OVERVIEW: A comprehensive security review has unveiled multiple critical vulnerabilities in PHP versions prior to 5.4.43, affecting your web server’s security and data integrity. Immediate action is necessary to mitigate potential risks.

VULNERABILITY DETAILS:

• Security Feature Bypass (‘BACKRONYM’): A notable vulnerability due to improper SSL/TLS enforcement with the --ssl client option, leading to possible man-in-the-middle (MitM) attacks, data disclosure, or database query manipulation. (CVE-2015-3152)
• Denial of Service (DoS) and Buffer Overflow Risks: Issues within the phar_convert_to_other and phar_fix_filepath functions, and others, can trigger server crashes or unauthorized data access. (CVEs: 2015-5589, 2015-5590)
• Connector/C Component Flaw: Similar to BACKRONYM, this flaw could downgrade secure connections to unencrypted ones. (CVE-2015-8838)
• Various Other Flaws: Including parse_ini_file() and object_custom() function vulnerabilities, leading to DoS or arbitrary code execution.

IMPACT ASSESSMENT: The range of vulnerabilities includes data breaches, unauthorized access, and server unavailability, posing a critical risk to your web infrastructure and sensitive information.

SOLUTION: Immediate Upgrade Required: Shift to PHP version 5.4.43 or newer to address these vulnerabilities comprehensively. This upgrade closes the security gaps mentioned above and fortifies your server against these specific attack vectors.

ADDITIONAL INFORMATION:

• PHP Change Log: PHP Official ChangeLog
• BACKRONYM Details: BACKRONYM Website

RISK EVALUATION:

• VPR Risk Factor: Medium with a score of 5.9.
• CVSS Scores: v2 Critical (Base Score: 10), v3 Critical (Base Score: 9.8).

RECOMMENDATIONS:

1. Upgrade PHP Immediately: Prioritize updating your PHP installation to the latest version to ensure protection against these vulnerabilities.
2. Review Configuration: Post-upgrade, verify the server configuration to ensure new security measures are effectively in place.
3. Continuous Monitoring: Adopt a proactive stance on monitoring for new vulnerabilities and applying security patches promptly.

ACTION ITEMS:

• Schedule and perform the PHP upgrade during a low-traffic period to minimize impact.
• Conduct thorough testing post-upgrade to ensure web applications’ functionality remains intact.
• Inform relevant teams about the upgrade to prepare for any potential troubleshooting.

CONCLUSION: Addressing these vulnerabilities is crucial to safeguarding your web server from potential exploitation. By upgrading PHP to a secured version, you mitigate the risks and ensure the continuity and integrity of your web services.