ADVISORY: Update PHP for multiple vulnerabilities

Thursday, January 21, 2016

This information is intended for U-M IT staff who are responsible for maintaining and running university servers with PHP installed. It was sent via email to U-M IT staff groups January 21, 2016.

Summary: 

Multiple new vulnerabilities have been discovered in PHP, and PHP has released updates to address them. There is known proof-of-concept code for these vulnerabilities. The updates should be applied as soon as possible after appropriate testing. If attackers exploit these vulnerabilities, they could potentially execute arbitrary code in the context of a web server. (PHP is a programming language originally designed for use in web-based applications with HTML content. It is now also used as general-purpose programming language.)

Affected Versions: 
  • PHP 5.6 prior to 5.6.17
  • PHP 5.5 prior to 5.5.31
  • PHP 7.0 prior to 7.0.2
Action Items: 
Threats: 

While there are currently no reports of these vulnerabilities being exploited in the wild, there is known proof-of-concept code for these vulnerabilities. The availability of proof-of-concept code may allow attackers to begin exploiting these vulnerabilities more quickly.

Technical Details: 

The PHP vulnerabilities addressed by these most recent updates include:

  • A vulnerability in the zval_ptr_dtor() function of the wddx/wddx.c source file. Exploit of this vulnerability can be performed by sending specially crafted recordset.
  • A vulnerability exists in the php_wddx_deserialize_ex() function when performing deserialization on string-type ZVAL.

Successful exploitation of these vulnerabilities may allow remote attackers to execute arbitrary code in the context of a  web server. The updates also address a number of other bugs in the PHP Core.

Information for Users: 

Users are not directly affected by these vulnerabilities and therefore do not need to take any action.

Questions, Concerns, Reports: 

Please contact iia.inform@umich.edu.