Understanding and Mitigating PHP CVE-2022-31631

CVE-2022-31631 is a CVE impacting PDO SQLite in PHP. In this blog, we give an overview of CVE-2022-31631, including scope of impact, how it works, the impact of a successful exploit, and mitigation options teams should consider to prevent an exploit.

What Is CVE-2022-31631?

CVE-2022-31631 is a security vulnerability concerning PDO SQLite in PHP. It stems from CVE-2022-35737, which is a bug in SQLite that sometimes allows an array-bounds overflow in its C-API. 

CVE-2022-31631 was discovered in late 2022, just after the last community release of PHP 7.4, so for community editions of PHP, only PHP 8.0 and above have received a patch. 

Who Does CVE-2022-31631 Impact?

If you run a PHP version less than 8.0 and SQLite, then you’re at risk of impact from CVE-2022-31631. 

There are other factors that determine susceptibility to CVE-2022-31631, as well, including:

• Must be using an SQLite version 3.39.2 or greater
• Must have a large memory_limit, post_max_size, and/or other restriction configuration, due to the nature of this vulnerability

How Does CVE-2022-31631 Work? 

CVE-2022-31631 happens when PDO::quote() for PDO_SQLite is called with a massive string (think user-input without restriction). This can cause an uncaught overflow, which ends with PDO::quote() returning an unquoted string.

The Impact of a CVE-2022-31631 Exploit

PDO::quote() is used to prepare a query statement for use in a database call. One of the main uses of preparing a statement is to mitigate exploits. We use quotes and parameterization to limit the user input and number of calls they can make at once (usually one vetted & prepared statement per call).

The crux of the issue with a CVE-2022-31631 exploit is that if exploited properly, due to PDO::quote() returning an unquoted string, one could potentially take advantage of SQL injection to access data they should not have access to. In a worst-case scenario, this could lead to litigation after a data-leak of user information.

How to Mitigate CVE-2022-31631

The absolute best way to mitigate most PHP CVEs is to ensure your PHP application is always on the latest version of PHP. However, with the rapid release cycle of PHP and potential lack of developer resources, staying up to date on PHP versions can be a full-time job in and of itself and is sometimes unrealistic.

Another great way to mitigate CVEs, including CVE-2022-31631, is to use Zend’s Enterprise PHP LTS. With either Zend Server or ZendPHP in your PHP stack, you’ll receive backported CVE patches to PHP versions no longer supported by the community. At the time of publication for this blog, Zend is backporting CVE patches all the way back to PHP 7.2, which left community support in November of 2020.

Zend’s Enterprise PHP LTS guarantees you receive CVE patches at least 2 years after the PHP version has left community support, giving your team plenty of extra time to work on more, rather than being bogged down with upgrades most of the time.

Need Patches for Your EOL PHP?

Zend can help. Enjoy patches and bug fixes for your EOL PHP, all backed by expert support from our team of PHP experts.

See Full Details

Additional Resources

• Resource - Zend PHP Security Center
• Solution - Zend PHP Security and Consulting Services
• Blog - How to Assess and Prevent PHP Vulnerabilities
• Blog - Setting Your PHP 7.4 Migration Strategy
• Blog - PHP 7.4 EOL Is Here: Are Your Applications Secure?
• White Paper - The Costs of Building PHP In-House
• White Paper - Planning Your Next PHP Migration