October 19, 2023

CVE-2023-3823: Overview and Mitigation Steps for PHP Applications


CVE-2023-3823 is a high-severity PHP vulnerability that relates to the use of libxml within PHP applications. In this blog we give an overview of the CVE, how it works, the consequences of a potential exploit, and how to mitigate this CVE in your PHP applications.


What Is CVE-2023-3823?

CVE-2023-3823 is a vulnerability that relates to PHP’s use of libxml. The XML functions provided by PHP’s XML extension rely on libxml’s global state to track configuration variables, including whether external entities are loaded.

Unless the user explicitly changes it by calling a configuration change function, PHP assumes the state is unchanged. This is the crux of the vulnerability: because the state is global to the process, other PHP modules that use libxml within the same process can change it and leave it in an unexpected state, such as one in which external entities are loaded.

This can lead to a situation where XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. Once enabled, this vulnerable state may persist in the same process across many requests, until the process is shut down or restarted.

When Was CVE-2023-3823 Disclosed?

CVE-2023-3823 was disclosed publicly by the PHP community on August 4th, 2023, and published by security communities less than a week later.

How Does CVE-2023-3823 Work?

Another module in the same process may use libxml, change its global configuration state, and leave it changed, resulting in an unexpected configuration, including one that allows external entities to load. External XML could then be parsed with external entities loaded, disclosing any local files accessible to PHP.

Who Does CVE-2023-3823 Impact?

Anyone running PHP that parses or interacts with XML documents.


Consequences of a CVE-2023-3823 Exploit

The surface consequence of this exploit is that any local files accessible to PHP may be disclosed to a malicious party. That may not seem like a huge impact, but a savvy attacker could gather important information this way, including information about other vulnerabilities.


CVE-2023-3823 Mitigation Options

The best mitigation is to apply the security patch. The PHP community has patched PHP 8.0, 8.1, and 8.2 in releases 8.0.30, 8.1.22, and 8.2.8 respectively. For those still on versions outside of community support, such as PHP 7.4, Zend by Perforce backports these patches for those versions. We had the fix for CVE-2023-3823 backported all the way back to PHP 7.2 by August 14th, 2023.

There’s also a temporary but less secure way to mitigate this vulnerability by setting a custom external entity loader for your application, which does nothing but return null.

Setting an External Entity Loader

Setting a custom external entity loader is fairly simple. One just has to call the function and pass it the custom function:

libxml_set_external_entity_loader(function () { return null; });


Keep in mind that passing null to the function instead of a callable restores the default loader, which does nothing to mitigate the issue. “What not to do” example of setting it to null:

libxml_set_external_entity_loader(null);
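A way to verify that the loader above actually blocks external entity resolution, as an added example that is not part of the original post. It assumes PHP 7.1 or later with the dom extension on a POSIX system; the loader also records each attempted load so an unexpected one can be surfaced in logs.

```php
<?php
// Added example, not code from the original post: a self-check for the temporary mitigation
// described above. It installs a loader that refuses and records every external entity load,
// then parses a constructed document whose external entity points at a file this script
// creates itself, and reports whether any of that file's content ended up in the parsed tree.
// Assumes PHP 7.1+ with the dom extension on a POSIX system (tempnam path used as the entity URI).
declare(strict_types=1);

/** Every external load the loader was asked for; a non-empty list is a signal worth logging. */
$attempts = [];

// The mitigation from the post: a loader that does nothing but return null. Returning null
// refuses the load; this is NOT the same as libxml_set_external_entity_loader(null), which
// restores the default loader.
libxml_set_external_entity_loader(
    function (?string $publicId, ?string $systemId, array $context) use (&$attempts) {
        $attempts[] = ['public' => $publicId, 'system' => $systemId];
        return null;
    }
);

/**
 * Parses $xml with entity substitution forced on (LIBXML_NOENT), the worst case that leaked
 * global libxml state from another module could produce, and returns the resulting text content.
 */
function parse_with_entities_enabled(string $xml): string
{
    libxml_use_internal_errors(true);            // collect libxml errors instead of emitting warnings
    $doc = new DOMDocument();
    $loaded = $doc->loadXML($xml, LIBXML_NOENT);
    $text = $loaded ? $doc->textContent : '';    // a failed load also means nothing was disclosed
    libxml_clear_errors();
    return $text;
}

// Constructed "secret" file, created and removed by this script; the entity below refers to it.
$secretFile = tempnam(sys_get_temp_dir(), 'cve3823-');
file_put_contents($secretFile, 'CONSTRUCTED-SECRET');
$xml = '<?xml version="1.0"?>'
     . '<!DOCTYPE doc [<!ENTITY ext SYSTEM "' . $secretFile . '">]>'
     . '<doc>&ext;</doc>';

$text = parse_with_entities_enabled($xml);
unlink($secretFile);

printf("external loads attempted: %d (%s)\n", count($attempts), $attempts[0]['system'] ?? 'none');
printf("secret leaked into document: %s\n", strpos($text, 'CONSTRUCTED-SECRET') !== false ? 'YES' : 'no');
```

Removing the libxml_set_external_entity_loader call and re-running shows the difference on an unpatched build with entity loading enabled: the second line flips to YES.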


PHP 8.0.29 and Before

Please be sure to upgrade to PHP 8.0.30 to receive the patch that mitigates this vulnerability.

PHP 8.1.21 and Before

Please be sure to upgrade to PHP 8.1.22 to receive the patch that mitigates this vulnerability.

Zend 7.x Versions

If you're using PHP 7.x versions, be sure to reach out to our team for information on our LTS options (which have backported patches for PHP 7.2, 7.3, 7.4 and 8.0). 

If you're already a ZendPHP customer, please be sure to upgrade your ZendPHP instances to receive the latest patch. You can keep up with our releases here. You’ll see that we patched CVE-2023-3823 in the August release notes.


Final Thoughts

For teams using PHP, it's important to patch CVE-2023-3823, and other vulnerabilities, as soon as you're able to. The longer you wait after public disclosure, the longer the window of opportunity for a potential exploit. If you're using an end-of-life PHP version, make sure that you're either able to backport security patches in house (harder than it sounds) or that you have commercial long-term support that can provide those patches for you.

As always, it's important to keep in mind the risks at hand, too. Not all CVEs are created equally, but high severity vulnerabilities like CVE-2023-3823 are important to keep an eye on. If you don't stay patched against these types of CVEs, you risk your company becoming the next headline. And, in the case of data breaches and exploits, not all publicity is good publicity.

Get Support for Your EOL PHP


Zend offers patched EOL PHP builds via their PHP long-term support offering. Learn more about the versions we support, and how we provide patches by visiting our PHP LTS solutions page today.
