On 29th Aug the Multi-State Information Sharing & Analytics Center (MS-ISAC) issued an alert related to numerous vulnerabilities that have been identified in the PHP programming language. As with any security alert this is serious news, especially as one of the exploits may lead to remote code execution. With the ability to execute malicious code on a server attackers can compromise both the server's integrity and the security of it's data.
The full alert can be read here on the MS-ISAC website.
In short if you are running a PHP application, such as Magento, then you need to take action to protect yourself.
As with any alert of this nature it is imperative to act fast. Leaving your servers exposed to the risk of attack when a new exploit surfaces is extremely dangerous. It is likely that many parties will now be actively seeking to use these exploits to compromise popular applications and frameworks built on PHP.
The first step you need to take is to identify all of your infrastructure that is affected. In this case any server which is running PHP could potentially be compromised. Draw up a list of your servers and identify which need attention. Once you have this list you can run through each server and confirm the currently installed PHP version. Don't forget there may be multiple FPM pools running with numerous different versions of PHP, so don't just check the PHP version on the command line.
Having completed this exercise you can now schedule a maintenance period to upgrade the version of PHP to the new patched version. The patched versions are as follows:
These are patch versions so shouldn't contain breaking changes, however as with any upgrade we always suggest that you perform the change on your development and staging environments first to test for any undesired side-effects.
As always if you need help in performing any of the above, please do get in touch. We are experts in working seamlessly alongside our clients to provide transparent support ensuring your sites always stay patched and secure.