Security Update: Multiple High Risk Vulnerabilities in PHP
Date and Time
Multi-State Information Sharing and Analysis Center (MS-ISAC) reports multiple “High Risk” vulnerabilities in PHP.
Advanced Users: For the full Public Announcement refer to MS-ISAC ADVISORY NUMBER: 2016-173 at https://msisac.cisecurity.org/advisories/2016/2016-173.cfm.
Affected versions:
- PHP 7 prior to 7.0.13
- PHP 5 prior to 5.6.28
WHAT'S THE PROBLEM?
PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications.
Successfully exploiting the most severe of these vulnerabilities could allow for remote attackers to execute arbitrary code in the context of the affected application. Failed exploitation could result in a denial-of-service condition.
WHAT DO YOU NEED TO DO?
Upgrade to the latest version of PHP immediately, after appropriate testing:
- PHP 7 ChangeLog at http://php.net/ChangeLog-7.php
- PHP 5 ChangeLog at http://www.php.net/ChangeLog-5.php
- Apply the principle of Least Privilege to all systems and services.
- Verify no unauthorized system modifications have occurred on the system before applying the patch.
- Limit user account privileges to only those required.
- IT Security - http://it.ucsf.edu/security
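To confirm whether a host falls under the affected versions listed in this advisory, the following added example (not part of the MS-ISAC advisory or the PHP project) classifies a PHP version string against the fixed releases 7.0.13 and 5.6.28. The function names and status strings are illustrative, and treating RC, alpha, beta and dev builds of a fixed release as affected is an assumption.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a PHP version string against
# the fixed releases the advisory names, 7.0.13 and 5.6.28.

# version_lt A B: succeed if A is older than B. A may carry a packaging or
# pre-release suffix (7.0.12-1ubuntu4, 5.6.28RC1); B is a plain x.y.z.
version_lt() {
    awk -v raw="$1" -v b="$2" 'BEGIN {
        a = raw
        sub(/[^0-9.].*$/, "", a)            # keep only the leading x.y.z
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        # Same x.y.z: a release candidate or dev build predates the release.
        if (tolower(raw) ~ /(rc|alpha|beta|dev)/) exit 0
        exit 1
    }'
}

# php_status VERSION: print "affected", "not-listed" or "unknown-branch".
php_status() {
    case "$1" in
        7.*) fixed=7.0.13 ;;
        5.*) fixed=5.6.28 ;;
        *)   echo "unknown-branch"; return 0 ;;
    esac
    if version_lt "$1" "$fixed"; then
        echo "affected"
    else
        echo "not-listed"
    fi
}

# Report on the local interpreter when one is on PATH.
if command -v php >/dev/null 2>&1; then
    v=$(php -r 'echo PHP_VERSION;')
    echo "php $v: $(php_status "$v")"
fi
```

Distribution packages may backport fixes without changing the upstream version number, so an "affected" result on a vendor build should be checked against that vendor's own advisory.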