ALERT: Update PHP for multiple vulnerabilities

Friday, April 29, 2016

This information is intended for U-M IT staff who are responsible for maintaining and running university servers with PHP installed. It was sent via email to several U-M IT staff groups on April 29, 2016.

Summary: 

Update PHP immediately after appropriate testing to address multiple newly discovered vulnerabilities. PHP is a programming language originally designed for use in web-based applications with HTML content. It supports a wide variety of platforms and is used by numerous web-based software applications.

Problem: 

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow an attacker to execute arbitrary code. Failed exploit attempts could potentially lead to denial of service conditions. Successfully exploiting the vulnerabilities could allow remote attackers to execute arbitrary code in the context of the affected application.

Affected Versions: 
  • PHP 7 prior to 7.0.6
  • PHP 5.5 prior to 5.5.35
  • PHP 5.6 prior to 5.6.21
Action Items: 
  • Verify that no unauthorized system modifications have occurred on your system before updating.
  • Upgrade to the latest version of PHP immediately after appropriate testing. See PHP Downloads.
  • Apply the principle of least privilege to all systems and services.
  • Limit user account privileges to only those required.
Threats: 

Publicly available exploit code is available for vulnerable versions of PHP 7 prior to 7.0.6. Active attacks that can compromise servers running vulnerable versions of PHP 7 may occur quickly. A remote code execution vulnerability also exists in PHP 5, but IIA is not currently aware of publicly available exploit code for that vulnerability.

Technical Details: 

One remote code execution vulnerability only affects vulnerable versions of PHP 7. This vulnerability is an integer overflow in ZipArchive::getFrom*. The other remote code execution vulnerability affects both PHP 5 and PHP 7 and is a signedness vulnerability in libgd. Most references indicate that the vulnerability in libgd is specific to version 2.1.1, but there are some indications that earlier versions could also be vulnerable.

Information for Users: 

Users are not directly affected by these vulnerabilities and therefore do not need to take any action.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.