it.ucsf.edu

Security Update:Multiple High Risk Vulnerabilities in PHP

Status Type

Security Update

Date and Time

Tuesday, November 15, 2016 - 15:29

Reason

Security Update

Impact

PHP Users

 

WHAT HAPPENED?
Multi-State Information Sharing and Analysis Center (MS-ISAC) reports multiple “High Risk” vulnerabilities in PHP.

Advanced Users: For the full Public Announcement refer to MS-ISAC ADVISORY NUMBER: 2016-173 at https://msisac.cisecurity.org/advisories/2016/2016-173.cfm.


AFFECTED SYSTEMS:

  • PHP 7 prior to 7.0.13
  • PHP 5 prior to 5.6.28


WHAT'S THE PROBLEM?
PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.

Successfully exploiting the most severe of these vulnerabilities could allow for remote attackers to execute arbitrary code in the context of the affected application. Failed exploitation could result in a denial-of-service condition.


WHAT DO YOU NEED TO DO?
Upgrade to the latest version of PHP immediately, after appropriate testing:

In addition:

  • Apply the principle of Least Privilege to all systems and services.
  • Verify no unauthorized system modifications have occurred on system before applying patch.
  • Limit user account privileges to only those required.


RELATED LINKS