Multiple Risk PHP Vulnerabilities MS_ISAC 2019-087

TO: CSF
FR: Libby Whitt, Network Firewall Engineer, UCSB Information Security
RE: Multiple Risk PHP Vulnerabilities MS_ISAC 2019-087

MS-ISAC, a division of the Center for Internet Security, issued an advisory regarding multiple vulnerabilities discovered in PHP, a programming language designed for web development.

The vulnerabilities allow for arbitrary code execution and full system takeover. 

To secure your systems, the following versions of PHP should be updated immediately:

  • PHP 7.1 versions prior to 7.1.32
  • PHP 7.2 versions prior to 7.2.22
  • PHP 7.3 versions prior to 7.3.9

Further MS-ISAC recommendations are listed at the Center for Internet Security website and include:

  • Upgrading to the latest version of PHP immediately after appropriate testing.
  • Verifying that no unauthorized system modifications have occurred on the system before applying the patch.
  • Applying the principle of Least Privilege to all systems and services.
  • Reminding users not to visit websites or follow links from unknown or untrusted sources.

Currently, no active exploits have been reported. If you hear of one, please let us know at security@ucsb.edu.
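
One way to check an inventory against the version thresholds listed above, shown as an added example that is not part of the original advisory. The host names and version banners are constructed sample data, and the function names are illustrative.

```python
import re

# First fixed release per branch, taken from the list in the advisory:
# 7.1 -> 7.1.32, 7.2 -> 7.2.22, 7.3 -> 7.3.9
FIXED_PATCH = {(7, 1): 32, (7, 2): 22, (7, 3): 9}

# Matches the first x.y.z triple in `php -v` output, a header value,
# or a bare version string.
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(banner):
    """Return (major, minor, patch) as integers, or None if no version is found."""
    match = VERSION_RE.search(banner)
    return tuple(int(part) for part in match.groups()) if match else None


def classify(banner):
    """Classify one version banner against the advisory's thresholds."""
    version = parse_version(banner)
    if version is None:
        return "unparsed"
    branch, patch = version[:2], version[2]
    if branch not in FIXED_PATCH:
        # The advisory lists only 7.1, 7.2 and 7.3; other branches need
        # to be assessed separately.
        return "not-listed"
    # Integer comparison matters: as strings, "7.3.10" sorts before "7.3.9".
    return "update-needed" if patch < FIXED_PATCH[branch] else "at-or-above-fixed"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (host -> version banner as collected).
SAMPLE_INVENTORY = {
    "web-01": "PHP 7.2.19-0ubuntu0.18.04.2 (cli) (built: Aug 12 2019 19:34:28)",
    "web-02": "7.3.10",
    "web-03": "X-Powered-By: PHP/7.1.31",
    "web-04": "5.6.40",
    "web-05": "connection refused",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

A distribution package may carry backported fixes under an older upstream version number, so confirm an `update-needed` result against the vendor's own advisory before treating the host as unpatched.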