Security Advisory

MS-ISAC: 2018-046 – Multiple Vulnerabilities in PHP

Severity

Critical

Vendor

Cloud Foundry Foundation

Affected Cloud Foundry Products and Versions

  • php-buildpack versions prior to 4.3.53

Description

Multiple upstream vulnerabilities have been discovered in all supported PHP versions in the PHP buildpack. MS-ISAC reports that the most severe of these vulnerabilities could allow an attacker to execute arbitrary code. An attacker could take advantage of this type of vulnerability to steal credentials, modify application code, cause a denial of service attack, or take other malicious actions.

Mitigation

Users of affected versions should apply the following mitigations or upgrades:

  • Releases that have fixed this issue include:
    • php-buildpack version 4.3.53
  • Application changes:
    • Confirm that PHP apps are configured to use PHP versions 7.2.5, 7.1.17, 7.0.30 or 5.6.36
    • Re-stage all PHP apps
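
One way to check an app inventory against the versions listed above, as an added example that is not Cloud Foundry Foundation code. The `assess` function, the inventory and its app names are constructed for illustration, and the check assumes that later patch releases of a listed branch also contain the fixes.

```python
# Added example, not Cloud Foundry Foundation code.
# Thresholds are the versions named in the advisory; the inventory is constructed.
FIXED_BUILDPACK = (4, 3, 53)
FIXED_PHP = {(7, 2): 5, (7, 1): 17, (7, 0): 30, (5, 6): 36}  # branch -> fixed patch


def parse_version(text):
    """Turn '7.1.17' or 'v4.3.53' into a tuple of ints so 4.3.100 sorts above 4.3.53."""
    parts = text.strip().lstrip("v").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a three-part numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(php_version, buildpack_version):
    """Return the actions an app still needs; an empty list means none."""
    actions = []
    if parse_version(buildpack_version) < FIXED_BUILDPACK:
        actions.append("stage with php-buildpack 4.3.53")
    major, minor, patch = parse_version(php_version)
    fixed_patch = FIXED_PHP.get((major, minor))
    if fixed_patch is None:
        # Assumption: a branch the advisory does not list is treated as unfixed.
        actions.append(f"move off PHP {major}.{minor} to a version named in the advisory")
    elif patch < fixed_patch:
        # Assumption: later patch releases of a listed branch also carry the fix.
        actions.append(f"set PHP to {major}.{minor}.{fixed_patch}")
    if actions:
        actions.append("re-stage the app")
    return actions


# Constructed inventory: app name -> (PHP version, buildpack version at last staging).
SAMPLE_INVENTORY = {
    "billing": ("7.1.17", "4.3.53"),
    "portal": ("7.2.4", "4.3.53"),
    "legacy": ("5.6.36", "4.3.52"),
    "archive": ("5.5.38", "4.3.100"),
}

if __name__ == "__main__":
    for app, (php, buildpack) in SAMPLE_INVENTORY.items():
        todo = assess(php, buildpack)
        print(f"{app}: {'; '.join(todo) if todo else 'no action needed'}")
```

Versions are compared as integer tuples because a plain string comparison would rank a buildpack numbered 4.3.100 below 4.3.53.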

History

2018-04-27: Initial vulnerability report published.

Cloud Foundry Foundation Security Team, AUTHOR
