CVE-2019-13224, Other Critical Flaws in PHP - Patch Now
CYBER NEWS

CVE-2019-13224, Other Critical Flaws in PHP – Patch Now

1 Star2 Stars3 Stars4 Stars5 Stars (1 votes, average: 5.00 out of 5)
Loading...

The latest versions of PHP were recently released (PHP version 7.3.9, 7.2.22 and 7.1.32 across several branches) to address several highly critical vulnerabilities in its core and bundled libraries. The most dangerous of these vulnerabilities are the ones that could lead to remote code execution.

Nearly 80% of all websites run on PHP. More particularly, “PHP is used by 78.9% of all the websites whose server-side programming language we know”, according to W3Techs statistics. This means that the vulnerabilities could affect a large number of web applications that utilize PHP, including websites that run on content management systems such as WordPress and Drupal, researchers warn.




More specifically, depending on the affected codebase in a PHP app, the worst-case scenario attacks based on these flaws could allow threat actors to execute arbitrary code in the context of the application. In case of a failed attempt of exploitation, a denial-of-service (DoS) condition could be triggered on affected systems.

Related: CVE-2019-6977: Yet Another WordPress Critical Flaw Found, Left Unpatched For 6 Years

More about CVE-2019-13224

The worst of the flaws is known under the CVE-2019-13224 advisory. According to the official CVE-2019-13224 description, the vulnerability is “a use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2” that could allow attackers to potentially cause information disclosure, denial of service, or possibly code execution by providing a crafted regular expression.

The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional libraries for PHP and Rust, the advisory reads.

The already available patches address vulnerabilities in cURL, Exif function, FastCGI Process Manager, OPcache. There is currently no information of active attacks against these flaws. However, immediate patching is required, so consider updating to the latest PHP version version 7.3.9, 7.2.22, or 7.1.32 as soon as possible. It should be noted that PHP version 7.1.32 fixes the CVE-2019-13224 flaw.

Avatar

Milena Dimitrova

An inspired writer and content manager who has been with SensorsTechForum for 4 years. Enjoys ‘Mr. Robot’ and fears ‘1984’. Focused on user privacy and malware development, she strongly believes in a world where cybersecurity plays a central role. If common sense makes no sense, she will be there to take notes. Those notes may later turn into articles!

More Posts

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...