Drupal 7 based Portal - PHP 7.3.15 security issues validations

immba28

Hi there team!!

I need your suggestions and input. I recently upgraded PHP 7.3.12 to PHP 7.3.15 as part of some security vulnerability reported for our Drupal portal server (version 7).

I have received one more security vulnerability report for PHP 7.3.15, with a recommendation to upgrade to PHP 7.3.16. I would like to know:


1) Whether these reported issues will have any impact on the Drupal portal (please find the attached screenshot).

2) And is it a common practice to update the PHP version of the Drupal portal environment, as PHP comes out with new fixes very often?

Thanks for your help in advance!!!

PFA

—imran


Vulnerability details below:

Synopsis

The version of PHP running on the remote web server is affected by multiple vulnerabilities.

Description

According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.16. It is, therefore, affected by the following vulnerabilities:

- An out of bounds read resulting in the use of an uninitialized value in exif (CVE-2020-7064)

- A stack buffer overflow in allows overwriting of a stack-allocated buffer with an overflown array from .rodata. (CVE-2020-7065)

- get_headers() silently truncates anything after a null byte in the URL it uses. An unauthenticated, remote attacker can exploit this to leak sensitive information or cause the web server to unexpectedly process attacker-controlled data. (CVE-2020-7066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Upgrade to PHP version 7.3.16 or later.

ACCEPTED SOLUTION

Yes, it's a common practice. You will need to monitor for Drupal and PHP updates and apply them in a timely manner.

In general, the security issues will affect your portal. I cannot comment on the specific CVE you cited here, but in general it is good hygiene to apply updates to avoid these problems, as quickly as is practical for your team.


Hi Dino! Thanks for your response!
I have a query with regard to validation after the PHP upgrade.

Could you please let me know if we have to perform any specific steps to validate PHP compatibility (post upgrade)? For your review, I have added below the steps which I followed last time.

What I did in the last upgrade:


1. Took Drupal backups: file system level and MySQL dumps.

2. Upgraded PHP.

3. Verified the accessibility of the portal, confirmed status report and updated PHP version information there. Validated critical and error logs. Made sure traffic is flowing by reviewing Apache error logs and Drupal access logs.



Thanks,

Imran

Your process looks great, Mohammad. The only thing I can think of besides this is putting the database, code, and files from prod on a test instance that can be upgraded as a test before touching production.

Thanks Novak! I shall try this approach.
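
An added example, not part of any post in this thread: one way to script the version and error-log checks from the post-upgrade steps above, so the same check can run on a test instance and then on production. The function names, the mod_php-style Apache log format and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: post-upgrade check for the validation steps in this thread.
MIN_PHP="7.3.16"   # fixed version named in the scanner finding

# version_ge A B: succeed when dotted version A >= B, comparing each field
# numerically (a plain string compare would rank 7.3.9 above 7.3.16).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# php_log_summary [FILE]: count PHP fatal/parse errors and deprecation
# notices in an Apache error log (reads stdin when no file is given).
php_log_summary() {
    awk '/PHP (Fatal|Parse) error/ { fatal++ }
         /PHP Deprecated/          { dep++ }
         END { printf "fatal=%d deprecated=%d\n", fatal, dep }' "$@"
}

# validate_upgrade VERSION: log on stdin; fails on an old version or any fatal.
validate_upgrade() {
    if ! version_ge "$1" "$MIN_PHP"; then
        echo "FAIL: PHP $1 is older than $MIN_PHP"; return 1
    fi
    summary=$(php_log_summary)
    case "$summary" in
        "fatal=0 "*) echo "OK: PHP $1 ($summary)" ;;
        *)           echo "FAIL: PHP $1 ($summary)"; return 1 ;;
    esac
}

# Constructed sample log lines (paths, PIDs and addresses are made up).
sample_log() {
    cat <<'EOF'
[Mon Mar 23 10:15:02.100000 2020] [php7:info] [pid 4101] [client 203.0.113.5:51234] PHP Deprecated:  Function create_function() is deprecated in /var/www/html/sites/all/modules/example/example.module on line 42
[Mon Mar 23 10:15:07.200000 2020] [php7:error] [pid 4102] [client 203.0.113.9:51877] PHP Fatal error:  Uncaught Error: Call to undefined function mcrypt_encrypt() in /var/www/html/sites/all/modules/example/example.inc:17
[Mon Mar 23 10:16:11.300000 2020] [core:notice] [pid 4000] AH00094: Command line: '/usr/sbin/apache2'
EOF
}

sample_log | validate_upgrade "7.3.16" || true   # prints FAIL: one fatal error
# On a server: validate_upgrade "$(php -r 'echo PHP_VERSION;')" < error.log
# (the CLI php binary can be a different build from the one Apache loads)
```

Deprecation notices do not fail the check, but a rising count after an upgrade points at modules to review before the next PHP version.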