Cloud security daily 220705: an arbitrary code execution vulnerability has been found in the Red Hat PHP interpreter; upgrade as soon as possible
2022-07-05 17:17:00 【TechWeb】
On July 4, Red Hat released a security update that fixes an arbitrary code execution vulnerability found in the Red Hat PHP embedded scripting language interpreter. The details of the vulnerabilities are as follows:
Vulnerability Details
Source: https://access.redhat.com/errata/RHSA-2022:5491
1. CVE-2022-31625, CVSS score: 8.1, severity: important
A flaw was found in PHP due to an uninitialized array in the pg_query_params() function. When the PostgreSQL database extension is used, supplying invalid parameters to a parameterized query can cause PHP to try to use uninitialized data as a pointer when freeing memory. A remote attacker who can control the query parameters could use this flaw to execute arbitrary code on the system or cause a denial of service.
2. CVE-2022-31626, CVSS score: 7.5, severity: high
A buffer overflow was found in PHP in mysqlnd_wireprotocol.c while handling passwords for mysqlnd/pdo. When the pdo_mysql extension is used with the mysqlnd driver and a third party is allowed to supply the password for the host being connected to, an overly long password triggers a buffer overflow in PHP. A remote attacker could pass an overly long password to the MySQL server through PDO and thereby trigger arbitrary code execution on the target system.
3. CVE-2021-21703, CVSS score: 6.4, severity: moderate
A flaw was found in php-fpm that may lead to local privilege escalation. The vulnerability is difficult to exploit, because the attack needs to escape the FPM sandbox mechanism. A complete attack could put confidentiality, data integrity and system availability at risk.
4. CVE-2021-21707, CVSS score: 5.3, severity: moderate
A flaw was found in php.ini. Its main cause is incorrect input validation when parsing Extensible Markup Language (XML) entities. Special characters may allow an attacker to traverse directories. The greatest threat from this vulnerability is to confidentiality.
Affected products and versions
Red Hat Software Collections (for RHEL Server) 1 for RHEL 7 x86_64
Red Hat Software Collections (for RHEL Server for System Z) 1 for RHEL 7 s390x
Red Hat Software Collections (for RHEL Server for IBM Power LE) 1 for RHEL 7 ppc64le
Red Hat Software Collections (for RHEL Workstation) 1 for RHEL 7 x86_64
Solution
Red Hat has released a security update for rh-php73-php in Red Hat Software Collections. After the updated packages are installed, the httpd daemon must be restarted for the update to take effect.
For more information on how to apply this update, see:
https://access.redhat.com/articles/11258
For more vulnerability information and upgrades, visit the official website:
https://access.redhat.com/security/security-updates/#/security-advisories
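The remediation steps above (install the updated rh-php73-php packages, then restart httpd) can be checked and applied from the shell on an affected RHEL 7 host. The script below is an added example, not part of the advisory or of Red Hat's tooling; it assumes RHEL 7's yum with its "updateinfo" and "--advisory" options, the package name rh-php73-php, httpd as the daemon to restart, and parses the one-advisory-per-line output of "yum updateinfo list security". The live remediation only runs when the script is invoked with "--apply", so the helper functions can be sourced and exercised on sample output without side effects.

```shell
#!/bin/sh
# Added example (not from the advisory or from Red Hat): check whether
# RHSA-2022:5491 is still pending on a RHEL 7 host with Red Hat Software
# Collections, apply it, and restart httpd as the advisory requires.
# Assumptions: yum on RHEL 7 ("updateinfo" and "--advisory" support),
# package name rh-php73-php, and httpd as the daemon to restart.

ADVISORY="RHSA-2022:5491"
PACKAGE="rh-php73-php"
SERVICE="httpd"

# advisory_pending ID  <  output of "yum updateinfo list security"
# yum prints one line per pending advisory: "<id> <type> <package-nevra>".
# Returns 0 if the advisory is still listed, i.e. the fix is not installed yet.
advisory_pending() {
    grep -q "^$1[[:space:]]"
}

# pending_packages ID  <  output of "yum updateinfo list security"
# Prints the package NEVRAs the advisory would update, one per line.
pending_packages() {
    awk -v id="$1" '$1 == id { print $3 }'
}

# cves_in_advisory  <  output of "yum updateinfo info <id>"
# Extracts the CVE identifiers mentioned in the advisory text, de-duplicated,
# so the result can be matched against a vulnerability tracker.
cves_in_advisory() {
    grep -o 'CVE-[0-9]\{4\}-[0-9]\{4,\}' | sort -u
}

# remediate: the live procedure. Only run via "sh script.sh --apply" on the
# affected host; returns 1 if the update fails or is still pending afterwards.
remediate() {
    if ! rpm -q "$PACKAGE" >/dev/null 2>&1; then
        echo "$PACKAGE is not installed; nothing to do"
        return 0
    fi
    if yum -q updateinfo list security 2>/dev/null | advisory_pending "$ADVISORY"; then
        echo "$ADVISORY is pending for:"
        yum -q updateinfo list security 2>/dev/null | pending_packages "$ADVISORY"
        yum -y update --advisory="$ADVISORY" || return 1
        # The advisory requires an httpd restart so the fixed interpreter is loaded.
        systemctl restart "$SERVICE" || return 1
        # Verify: the advisory must no longer be listed as pending.
        if yum -q updateinfo list security 2>/dev/null | advisory_pending "$ADVISORY"; then
            echo "$ADVISORY still pending after update" >&2
            return 1
        fi
        echo "$ADVISORY applied and $SERVICE restarted"
    else
        echo "$ADVISORY not pending; host already updated or not affected"
    fi
}

if [ "${1:-}" = "--apply" ]; then
    remediate
fi
```

The pending check is repeated after the update on purpose: a restart of httpd without a confirmed package update gives a false sense of having closed the issue, and the second "yum updateinfo" call is the cheapest evidence that the fixed rh-php73-php packages are actually installed.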