This report details critical vulnerabilities identified in PHP versions prior to 5.4.38, impacting the security and stability of web applications. These issues include heap-based buffer overflows and a use-after-free vulnerability, posing risks of denial of service (DoS) attacks or arbitrary code execution. Immediate action is required to mitigate these vulnerabilities.
CVE-2014-9705: A vulnerability in the enchant_broker_request_dict function within ext/enchant/enchant.c leads to a heap-based buffer overflow. Attackers could exploit this flaw to execute arbitrary code or trigger a DoS condition.
CVE-2015-0235 (GHOST): This critical flaw stems from a heap-based buffer overflow in the GNU C Library (glibc), affecting functions __nss_hostname_digits_dots(), gethostbyname(), and gethostbyname2(). It allows remote attackers to execute arbitrary code or cause a DoS condition through improperly validated input.
CVE-2015-0273: A use-after-free issue in php_date_timezone_initialize_from_hash() within ext/date/php_date.c can be exploited to access sensitive information or cause application crashes.
Given the critical nature of these vulnerabilities and their potential to compromise web applications severely, we urge IT and security teams to prioritize these patches. Ensuring web servers are running updated versions of PHP is essential for maintaining the security and reliability of your digital infrastructure.