SUBJECT: Mitigating CVE-2022-31630: PHP imageloadfont() Vulnerability

TECH STACK: PHP
DATE(S) ISSUED: 11/14/2022

NVD Last Modified: 11/06/2023
CRITICALITY: 7.1 HIGH
OVERVIEW:
This document provides guidance on addressing CVE-2022-31630, which affects PHP versions prior to 7.4.33, 8.0.25, and 8.2.12. The vulnerability is present in the imageloadfont() function of the GD extension, allowing for the execution of a read outside the allocated buffer, potentially leading to crashes or information disclosure.

SOLUTION/MITIGATION:

1. Upgrade PHP: To mitigate this vulnerability, upgrade to PHP versions 7.4.33, 8.0.25, or 8.2.12 or later.
2. Code Review: For applications using imageloadfont(), review and sanitize inputs to this function to prevent the processing of maliciously crafted font files.
3. Monitoring and Logging: Enhance monitoring of applications that use the GD extension for unusual activities indicating exploitation attempts.

Confirmation & Additional Information:
Ensure upgrades are properly applied and test applications for functionality and security. Keep PHP installations updated and refer to PHP’s official resources for future patches and advisories.

For more detailed information, you may visit:

https://nvd.nist.gov/vuln/detail/CVE-2022-31630

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31630

https://bugs.php.net/bug.php?id=81739