June 29, 2023

Mitigating CVE-2023-0662

PHP Development

CVE-2023-0662, a critical vulnerability in PHP 8.x, exposes unpatched PHP applications to information disclosure, data modification, and denial of service attacks, with the potential cost of a successful exploit reaching well into the millions.

In this blog, we dive into CVE-2023-0662: how it works, who it impacts, the consequences of a successful exploit, and mitigation steps for impacted teams.


What Is CVE-2023-0662?

CVE-2023-0662 is a critical vulnerability in PHP 8.x that also affects earlier PHP versions which are now out of community support. If successfully exploited, this vulnerability has the potential to disclose sensitive information, modify data, and/or cause Denial of Service (DoS).

How Does CVE-2023-0662 Work?

By abusing the way PHP parses a request body, an unauthenticated attacker can send HTTP requests that overload the server, consuming large amounts of resources and generating an excessive number of log entries.

Who Does CVE-2023-0662 Impact?

Anyone using PHP 5.x, 7.x (not including ZendPHP LTS with its latest patches), 8.0.x before 8.0.28, 8.1.x before 8.1.16, or 8.2.x before 8.2.3 is at risk of being impacted by CVE-2023-0662. As mentioned, those using ZendPHP LTS 7.x versions with the latest patch need not worry about this vulnerability, as Zend has provided a patch for those users.


The Consequences of a CVE-2023-0662 Exploit

The main consequence of CVE-2023-0662 is the overloading of server resources, which can lead to DoS and bring the server down. An attacker who successfully exploits this vulnerability can use HTTP requests to make PHP's request parser consume large amounts of server resources and produce excessive logs.

Depending on the situation, a DoS attack like this can cost companies well into six figures in damages, not to mention the reputational damage that can affect the business down the line.


CVE-2023-0662 Mitigation Options

If your team is currently running a sub-version of PHP 8.x, upgrade to the latest patch release of that sub-version to mitigate the issue. For example, if you're currently running 8.1.x, upgrade to 8.1.16 (or a later 8.1.x release), which contains the fix for CVE-2023-0662.

For those who are still running a sub-version of 7.x (other than 7.1) and have some blocker that keeps them from upgrading to 8.x, Zend by Perforce currently provides Long Term Support for PHP 7.2, 7.3, 7.4, and 8.0. We have already backported and shipped the patch to our customers. If you're a ZendPHP or Zend Server customer, simply upgrade to the latest patch of your relevant 7.x sub-version, and you're good to go.
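As an added example (not code from the original post or from Zend), a small PHP script that reports whether the running interpreter falls inside the affected ranges listed above and whether the `max_multipart_body_parts` INI directive is present. The version thresholds come from this post; the directive name comes from the upstream PHP changelog, where the fix added it to cap the number of parts in a multipart request body (default 1000), so its absence is a quick sign that a build predates the fix.

```php
<?php
// Added example: classify a PHP version against the CVE-2023-0662 ranges
// given in the post, and check for the INI directive the upstream fix added.

function cve_2023_0662_status(string $version): string
{
    // 5.x and 7.x community releases are out of support; only a vendor
    // LTS build (e.g. ZendPHP) carries a backported fix.
    if (version_compare($version, '8.0.0', '<')) {
        return 'unsupported branch (5.x/7.x): fixed only via vendor LTS backport';
    }

    // First fixed release per 8.x branch, as listed in the post.
    $fixed = ['8.0' => '8.0.28', '8.1' => '8.1.16', '8.2' => '8.2.3'];

    [$major, $minor] = explode('.', $version, 3);
    $branch = "$major.$minor";

    if (!isset($fixed[$branch])) {
        return 'branch not listed as affected';   // 8.3+ shipped after the fix
    }

    return version_compare($version, $fixed[$branch], '<')
        ? "vulnerable: upgrade to {$fixed[$branch]} or later"
        : 'patched';
}

// ini_get() returns false when a directive does not exist in this build.
function multipart_limit_present(): bool
{
    return ini_get('max_multipart_body_parts') !== false;
}

echo PHP_VERSION, ': ', cve_2023_0662_status(PHP_VERSION), PHP_EOL;
echo 'max_multipart_body_parts: ',
    multipart_limit_present()
        ? ini_get('max_multipart_body_parts')
        : 'absent (build predates the fix)',
    PHP_EOL;

// Constructed sample versions, for running the check without changing PHP:
foreach (['7.4.33', '8.0.27', '8.1.16', '8.2.2', '8.2.3'] as $v) {
    echo $v, ' => ', cve_2023_0662_status($v), PHP_EOL;
}
```

Run it with the interpreter that actually serves your application (for example the FPM binary), since CLI and FPM builds can differ on the same host.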

Need to Patch CVE-2023-0662?

Explore our LTS options, then contact us to get started.

