CVE-2022-31631 is a vulnerability in PHP's PDO_SQLite driver. In this blog, we give an overview of CVE-2022-31631, including its scope of impact, how it works, the impact of a successful exploit, and the mitigation options teams should consider.
CVE-2022-31631 is a security vulnerability in PDO::quote() for PDO_SQLite in PHP. It stems from CVE-2022-35737, a bug in SQLite's C API (fixed in SQLite 3.39.2) in which a string argument of billions of bytes can cause an array-bounds overflow because the length is handled as a 32-bit integer.
CVE-2022-31631 was disclosed in late 2022, just after the last community release of PHP 7.4 (7.4.33, November 2022), so for community editions of PHP only the 8.x branches received a patch: the fix shipped in PHP 8.0.27, 8.1.14, and 8.2.1 (PHP bug #81740).
If you run PHP with the pdo_sqlite extension on any version below 8.0, or on an 8.x release older than the patched versions above, you are exposed to CVE-2022-31631.
There are other factors that determine susceptibility to CVE-2022-31631, as well, including:
CVE-2022-31631 is triggered when PDO::quote() for PDO_SQLite is called with an extremely large string, on the order of a gigabyte or more (think user input accepted without any length restriction). The driver computes the size of the quoted output as roughly twice the input length, and that value is handed to SQLite as a 32-bit int. For a large enough input the computation overflows, the overflow is not detected, and PDO::quote() returns the input without the surrounding quotes and without escaping. The community fix adds an explicit length check before calling into SQLite and makes PDO::quote() return false for oversized input instead.
PDO::quote() wraps a string in single quotes and escapes any quote characters inside it so that the result can be inserted into a SQL string as a literal. It is the escaping step teams rely on when they build queries by string concatenation rather than with prepared statements and bound parameters. The PHP manual itself recommends prepared statements over PDO::quote(), because with bound parameters the user's data is never spliced into the SQL text at all.
The crux of the issue is that application code assumes PDO::quote() always returns a properly quoted literal. When it instead returns the raw string, the content of that string is concatenated directly into the query and interpreted as SQL, which is a classic SQL injection. An attacker who can push an oversized payload through such a code path could read or modify data they should not have access to; in a worst-case scenario, that means a leak of user information and the legal and regulatory consequences that follow.
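The following is an added worked example; it is not code from this post, from Zend, or from PHP itself. It shows the risky "quote then concatenate" pattern, a strict wrapper that caps input length and verifies PDO::quote() actually returned a quoted literal, the prepared-statement form that needs no quoting, and a check of the running PHP version against the community fix levels. The function names quoteStrict(), findUserUnsafe(), findUserSafe() and isPatchedPhp() are illustrative, and the users table is constructed in an in-memory SQLite database so the script runs offline.

```php
<?php
declare(strict_types=1);

// Added example for CVE-2022-31631; not the original post's code.
// Assumes the pdo_sqlite extension is loaded and uses an in-memory database.

// Community releases that carry the fix for PHP bug #81740 (CVE-2022-31631).
const FIXED_VERSIONS = ['8.0' => '8.0.27', '8.1' => '8.1.14', '8.2' => '8.2.1'];

// Hypothetical helper: true when the given PHP version includes the fix.
function isPatchedPhp(string $version = PHP_VERSION): bool
{
    $branch = implode('.', array_slice(explode('.', $version), 0, 2));
    if (!isset(FIXED_VERSIONS[$branch])) {
        // 7.x and older never received the community fix; 8.3+ ship with it.
        return version_compare($version, '8.3.0', '>=');
    }
    return version_compare($version, FIXED_VERSIONS[$branch], '>=');
}

// Hypothetical helper: PDO::quote() with a length cap and a result check.
function quoteStrict(PDO $pdo, string $value, int $maxLen = 4096): string
{
    // 1. Refuse unbounded input before it reaches the driver. The overflow needs
    //    an input of roughly a gigabyte; no legitimate literal is that long.
    if (strlen($value) > $maxLen) {
        throw new LengthException("value exceeds {$maxLen} bytes");
    }
    // 2. Do not trust the return value blindly: patched PHP returns false for
    //    oversized input, unpatched PHP could return the raw, unquoted string.
    $quoted = $pdo->quote($value, PDO::PARAM_STR);
    if ($quoted === false || strlen($quoted) < 2
        || $quoted[0] !== "'" || $quoted[-1] !== "'") {
        throw new RuntimeException('PDO::quote() did not return a quoted literal');
    }
    return $quoted;
}

// Vulnerable shape: the query is built by concatenation. On an affected build a
// sufficiently large $name comes back from quote() without its quotes, and
// whatever it contains is executed as SQL.
function findUserUnsafe(PDO $pdo, string $name): array
{
    $sql = 'SELECT id, name FROM users WHERE name = ' . $pdo->quote($name);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened shape: a bound parameter travels separately from the SQL text, so
// the driver never has to quote or escape anything and the CVE does not apply.
function findUserSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
$pdo->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

// For PDO_SQLite, ATTR_SERVER_VERSION reports the linked SQLite library version.
printf("PHP %s (CVE-2022-31631 fix present: %s), SQLite %s\n",
    PHP_VERSION, isPatchedPhp() ? 'yes' : 'no',
    $pdo->getAttribute(PDO::ATTR_SERVER_VERSION));

// Constructed probe input. It is short, so quote() handles it correctly on any
// build; the point is that findUserSafe() stays correct regardless of the driver.
$probe = "alice' OR '1'='1";
var_dump(findUserUnsafe($pdo, $probe));
var_dump(findUserSafe($pdo, $probe));
var_dump(findUserSafe($pdo, 'alice'));

// quoteStrict() rejects oversized input long before the driver's overflow threshold.
try {
    quoteStrict($pdo, str_repeat('A', 5000));
} catch (LengthException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The length cap in quoteStrict() is a defence in depth for code that cannot yet be converted to bound parameters; the real fix is findUserSafe(), since a prepared statement never concatenates user data into SQL and so has nothing to quote. The version table is only as good as its upkeep, so treat isPatchedPhp() as a quick audit aid rather than a substitute for checking the PHP changelog.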
The absolute best way to mitigate most PHP CVEs is to ensure your PHP application is always on the latest version of PHP. However, with the rapid release cycle of PHP and potential lack of developer resources, staying up to date on PHP versions can be a full-time job in and of itself and is sometimes unrealistic.
Another great way to mitigate CVEs, including CVE-2022-31631, is to use Zend’s Enterprise PHP LTS. With either Zend Server or ZendPHP in your PHP stack, you’ll receive backported CVE patches to PHP versions no longer supported by the community. At the time of publication for this blog, Zend is backporting CVE patches all the way back to PHP 7.2, which left community support in November of 2020.
Zend’s Enterprise PHP LTS guarantees you receive CVE patches for at least 2 years after a PHP version leaves community support, giving your team time to plan upgrades on its own schedule instead of being forced into them by every new CVE.
Senior Solutions Architect, Perforce Software
Yeshua Hall is the Senior Solutions Architect at Perforce Software. Yeshua is passionate about helping customers overcome complex technical challenges to achieve their team and business goals.