AS-2022-010: PHP
2022-08-03
Statement
The PHP Group announced multiple vulnerabilities that have been fixed in the latest release of PHP 7.4, 8.0 and 8.1.
CVE-2022-31625 and CVE-2022-31626 will affect ASUSTOR products with PHP 7.4 or PHP 8.1 installed on ADM 4.1.
- Updates with PHP 7.4.30 and PHP 8.1.7 has been released on App Central for ADM 4.1.
Affected Products
| Product |
Severity |
Fixed Release Availability |
| ADM 4.1 |
Important |
Upgrade PHP 7.4 to 7.4.30.r9 or above.
Upgrade PHP 8.1 to 8.1.7.r6 or above. |
Detail
- CVE-2022-31625
- Severity: Critical
- In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
- CVE-2022-31626
- Severity: High
- In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
Reference
Revision
| Revision |
Date |
Description |
| 1 |
2022-07-21 |
Initial public release. |
| 2 |
2022-08-03 |
Update PHP 7.4 to 7.4.30.r9 and PHP 8.1 to 8.1.7.r6 for fixing the issues on ADM 4.1. |
