弊社のウェブページの改善のためにクッキーを使用しています。弊社のクッキーポリシーをお読みください。

AS-2022-010: PHP

2022-08-03

Severity

Important

Status

Resolved


Statement

The PHP Group announced multiple vulnerabilities that have been fixed in the latest release of PHP 7.4, 8.0 and 8.1.

CVE-2022-31625 and CVE-2022-31626 will affect ASUSTOR products with PHP 7.4 or PHP 8.1 installed on ADM 4.1.

  • Updates with PHP 7.4.30 and PHP 8.1.7 has been released on App Central for ADM 4.1.

Affected Products

Product Severity Fixed Release Availability
ADM 4.1 Important Upgrade PHP 7.4 to 7.4.30.r9 or above.
Upgrade PHP 8.1 to 8.1.7.r6 or above.

Detail

  • CVE-2022-31625
    • Severity: Critical
    • In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to RCE vulnerability or denial of service.
  • CVE-2022-31626
    • Severity: High
    • In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when pdo_mysql extension with mysqlnd driver, if the third party is allowed to supply host to connect to and the password for the connection, password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.

Reference


Revision

Revision Date Description
1 2022-07-21 Initial public release.
2 2022-08-03 Update PHP 7.4 to 7.4.30.r9 and PHP 8.1 to 8.1.7.r6 for fixing the issues on ADM 4.1.