Source: Ministry of Education Information & Communication Security Contingency Platform
Publication Number | TACERT-ANA-2024061108062323 | Publication Time | 2024/06/11 08:24 |
Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/06/07 21:58 |
Impact Level | Medium |
[Subject] 【Security Alert】 High-Risk Vulnerability in PHP (CVE-2024-4577) - Immediate Action Required |
[Content]
Forwarded from the National Institute of Cyber Security, NISAC-200-202406-00000050.
Researchers have discovered an argument injection vulnerability (CVE-2024-4577) in PHP. Remote attackers without authentication can use specific character sequences to bypass protections added after CVE-2012-1823 and execute arbitrary code on remote PHP servers through argument injection. Immediate verification and patching are required.
Information Sharing Level: WHITE (Information content can be publicly disclosed) |
[Affected Platform]
●PHP 8.3 branch: Versions below 8.3.8
●PHP 8.2 branch: Versions below 8.2.20
●PHP 8.1 branch: Versions below 8.1.29
●PHP 8.0 branch: All versions
●PHP 7: All versions
●PHP 5: All versions |
[Recommended Actions]
The official patch has been released to address this vulnerability. Please update to the following versions:
●PHP 8.3 branch: Update to version 8.3.8 or later
●PHP 8.2 branch: Update to version 8.2.20 or later
●PHP 8.1 branch: Update to version 8.1.29 or later
For PHP 8.0, 7, and 5, which are no longer maintained, it is recommended to switch to a maintained version.
If updating PHP is not possible, you can refer to the following mitigation measures:
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability/#1-%E5%B0%8D%E7%84%A1%E6%B3%95%E6%9B%B4%E6%96%B0-php-%E7%9A%84%E4%BD%BF%E7%94%A8%E8%80%85
For XAMPP for Windows users, refer to:
https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability/#2-%E5%B0%8D-xampp-for-windows-%E4%BD%BF%E7%94%A8%E8%80%85 |
[Reference] https://devco.re/blog/2024/06/06/security-alert-cve-2024-4577-php-cgi-argument-injection-vulnerability/ |
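
The affected-version and update lists above can be applied to a host inventory mechanically. The following is an added example, not part of the original alert: the function names, status labels and sample host names are assumptions, and the version thresholds are the ones stated in the alert.

```python
import re

# Fixed release per maintained branch, taken from the advisory's update list.
FIXED = {(8, 3): (8, 3, 8), (8, 2): (8, 2, 20), (8, 1): (8, 1, 29)}
# Branches the advisory lists as affected in all versions (unmaintained).
EOL_BRANCHES = {(8, 0)}
EOL_MAJORS = {7, 5}

# x.y.z with an optional pre-release tag (RC1, beta2, -dev); other suffixes,
# such as distribution package revisions, are ignored.
VERSION_RE = re.compile(
    r"(?<![\d.])(\d+)\.(\d+)\.(\d+)(?:[-~]?(rc|alpha|beta|dev)\d*)?", re.I)

def classify(version_text):
    """Map a version string (e.g. the first line of `php -v`) to (status, action)."""
    m = VERSION_RE.search(version_text)
    if not m:
        return ("unknown", "no x.y.z version found")
    ver = tuple(int(g) for g in m.groups()[:3])
    if ver[:2] in EOL_BRANCHES or ver[0] in EOL_MAJORS:
        return ("affected-eol", "switch to a maintained version")
    fixed = FIXED.get(ver[:2])
    if fixed is None:
        return ("unknown", "branch not listed in the advisory")
    # Assumption: a pre-release of the fixed version is treated as older than
    # the release itself, so 8.3.8RC1 still counts as below 8.3.8.
    if ver < fixed or (ver == fixed and m.group(4)):
        return ("affected", "update to %d.%d.%d or later" % fixed)
    return ("fixed", "at or above %d.%d.%d" % fixed)

def audit(inventory):
    """Classify every host in a {host: version_text} mapping."""
    return {host: classify(text) for host, text in inventory.items()}

# Constructed sample inventory (hypothetical host names, not from the advisory).
SAMPLE_INVENTORY = {
    "web-01": "PHP 8.2.19 (cgi-fcgi)",
    "web-02": "PHP 8.3.8 (cli)",
    "web-03": "8.1.29",
    "legacy-01": "PHP 7.4.33 (cgi-fcgi)",
    "legacy-02": "8.0.30",
    "build-01": "8.3.8RC1",
}

if __name__ == "__main__":
    for host, (status, action) in sorted(audit(SAMPLE_INVENTORY).items()):
        print("%-10s %-13s %s" % (host, status, action))
```

The comparison uses upstream version numbers only, so distribution packages that backport fixes need to be checked against the vendor's own advisory.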