PHP releases security updates to address multiple vulnerabilities

PHP releases security updates

PHP has released new versions, 7.1.32, 7.2.22, and 7.3.9, of multiple Hypertext Preprocessor (PHP) that address multiple bugs and vulnerabilities.

The Multi-State Information Sharing & Analysis Center (MS-ISAC) has released a security advisory for the multiple PHP vulnerabilities with more technical details.

MS-ISAC has rated the advisory High Risk to small, medium and larger companies or government organizations. In addition, the most severe vulnerabilities could allow an attacker to execute arbitrary code in the context of the affected application.

“Depending on the privileges associated with the application, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploitation could result in a denial-of-service condition,” MS-ISAC warned in the advisory.

System administrators should upgrade to the following PHP versions:

  • PHP 7.1 versions: upgrade to 7.1.32
  • PHP 7.2 versions: upgrade to 7.2.22
  • PHP 7.3 versions: upgrade to 7.3.9.

The latest PHP upgrade version 7.1.32 includes a fix for CVE-2019-13224 in mbstring. A dozen bugs were also addressed in version 7.2.22, but no CVE’s were directly listed in the version notes.

Finally, version 7.3.9 includes 15 bug fixes, to include an Oniguruma 6.9.3 update for CVE-2019-13224 and CVE-2019-13225.