Security vulnerability for PHP version 7.1.x, 7.2.x, 7.3.x in Azure Web app

Question

Security vulnerability for PHP version 7.1.x, 7.2.x, 7.3.x in Azure Web app

Henrique Santos 0

In 2018, the security team detected a vulnerability related to the PHP.
I would like to know if this vulnerability still exists, or if it has already been fixed.

Below is the security report:
An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an infinite loop when using program execution functions (e.g. passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing that master process to consume 100% of the CPU and consume disk space with a large volume of error logs, as demonstrated by a customer attack on a shared hosting resource.

Source: https://www.cve.org/CVERecord?id=CVE-2015-9253 Thanks!

brtrach-MSFT 17,656 Reputation points Microsoft Employee

2024-01-20T02:42:25.42+00:00

We edited your post to ensure readers are not confused that the vulnerability is not with Azure App Service itself. The vulnerability is related to PHP and you're wondering if Azure App Service's PHP versions are patched against CVE-2015-9253.

Also, this vulnerability was discovered in 2018 so we added clarity around the timing on this. Please review the post to ensure it still is accurate and reflects the question you are needing answered. Thank you for your understanding. Someone should reply to you early next week with an update to your question.
Henrique Santos 0 Reputation points

2024-01-22T13:20:07.7366667+00:00

@brtrach-MSFT Thanks for the answer! Regarding my post, this vulnerability analysis report happened in November 2023 and raised this question about PHP. In this case, will I be protected if I create an app using the latest PHP runtime version available on an Azure Web App? A curiosity that I noticed, when I create an Azure web app for Windows with .Net Core 8(LTS) runtime and run the "php -v" command in CMD, it displays version 5.2.40, this may cause a problem of vulnerability?

Thanks!

1 answer

Your answer

brtrach-MSFT 17,656 Reputation points Microsoft Employee

2024-01-20T02:42:25.42+00:00

We edited your post to ensure readers are not confused that the vulnerability is not with Azure App Service itself. The vulnerability is related to PHP and you're wondering if Azure App Service's PHP versions are patched against CVE-2015-9253.

Also, this vulnerability was discovered in 2018 so we added clarity around the timing on this. Please review the post to ensure it still is accurate and reflects the question you are needing answered. Thank you for your understanding. Someone should reply to you early next week with an update to your question.
Henrique Santos 0 Reputation points

2024-01-22T13:20:07.7366667+00:00

@brtrach-MSFT Thanks for the answer! Regarding my post, this vulnerability analysis report happened in November 2023 and raised this question about PHP. In this case, will I be protected if I create an app using the latest PHP runtime version available on an Azure Web App? A curiosity that I noticed, when I create an Azure web app for Windows with .Net Core 8(LTS) runtime and run the "php -v" command in CMD, it displays version 5.2.40, this may cause a problem of vulnerability?

Thanks!

Answer 1

brtrach-MSFT 17,656 Microsoft Employee

@Henrique Santos We provide patches for any vulnerabilities for our platform, including framework patches. If a patch is available, we will apply it within a timely manner. If a framework is listed, we have it patched with the latest. If a framework version becomes unsupported, we work to remove the framework and push customers to a newer and secure framework version. Beyond that, let me know if you have any further questions or concerns.

Share via

Security vulnerability for PHP version 7.1.x, 7.2.x, 7.3.x in Azure Web app

1 answer

Your answer