Blog
June 29, 2023
CVE-2023-0662, a critical vulnerability found in PHP 8.x, exposes unpatched PHP applications to information security, data modification, and denial of service attacks -- with the potential cost of a successful exploit reaching well into the millions.
In this blog, we dive in on CVE-2023-0662, how it works, who it impacts, the consequences of a successful exploit, and mitigation steps for impacted teams.
What Is CVE-2023-0662?
CVE-2023-0662 is a critical vulnerability found in PHP 8.x versions which also affects previous versions of PHP that are out of community support. If successfully exploited, this vulnerability has the potential to disclose sensitive information, modify data, and/or cause Denial of Service (DoS).
How Does CVE-2023-0662 Work?
Utilizing the way PHP parses a request body, any unauthenticated attacker could abuse HTTP requests to overload the server, consuming large amounts of resources as well as causing an excessive number of log entries.
Who Does CVE-2023-0662 Impact?
Back to topAnyone using PHP 5.x, 7.x (not including ZendPHP LTS and its latest patches), 8.0.x before 8.0.28, 8.1.x before 8.1.16, and 8.2.x before 8.2.3 are at risk of being impacted by CVE-2023-0662. As mentioned, those using ZendPHP LTS 7.x versions and the latest patch need not worry about this vulnerability, as Zend has provided a patch for those users.
The Consequences of a CVE-2023-0662 Exploit
The main consequence of CVE-2023-0662 is the overloading of server resources, which can lead to DoS, bringing the server down. When successfully taking advantage of this vulnerability, an attacker can use HTTP requests to cause PHP request parsers to use large amounts of server resources and produce excessive logs.
Depending on the situation, a DoS attack like this can cost companies well into six figures in damages — not to mention the potential damage to reputation that can impact business down the line.
Back to topCVE-2023-0662 Mitigation Options
If your team is currently running a sub-version of PHP 8.x, then they can upgrade to the latest patch of that sub-version to mitigate the issue. For example, if you’re currently running 8.1.x, simply upgrade to 8.1.16 to get the latest patch that mitigates CVE-2023-0662.
For those who are still running a sub-version of 7.x (sans 7.1) and have some blocker that keeps them from upgrading to 8.x, Zend by Perforce currently provides Long Term Support for PHP 7.2, 7.3, 7.4, and 8.0. We have already backported and shipped the patch to our customers. If you’re a ZendPHP or Zend Server customer, simply upgrade to the latest patch of your relevant 7.x sub-version, and you’re good to go.
Need to Patch CVE-2023-0662?
Explore our LTS options, then contact us to get started.
Additional Resources
- 101 Guide - PHP Security
- Resource - Zend PHP Security Center
- White Paper - The Costs of Building PHP In-House
- White Paper - Planning Your Next PHP Migration
- Blog - How to Assess and Prevent PHP Vulnerabilities
- Blog - Everything You Need to Know About Maintaining PHP Compliance
- Blog - The State of Wordpress PHP Support