Asustor Security Advisory Resolved AS-2022-010: PHP
Concerning PHP versions in use on NAS OS
This is a Press Release edited by StorageNewsletter.com on August 15, 2022 at 2:01 pm
Asustor, Inc. had published a security advisory concerning PHP versions in use on its NAS.
Severity | Status |
---|---|
Important | Resolved |
Statement
The PHP Group announced multiple vulnerabilities that have been fixed in the latest releases of PHP 7.4, 8.0 and 8.1.
CVE-2022-31625 and CVE-2022-31626 will affect Asustor products with PHP 7.4 or PHP 8.1 installed on ADM 4.1.
- Updates with PHP 7.4.30 and PHP 8.1.7 have been released on App Central for ADM 4.1.
Affected products
Product | Severity | Fixed Release Availability |
---|---|---|
ADM 4.1 | Important | Upgrade PHP 7.4 to 7.4.30.r9 or above |
Detail
- Severity: Critical
  In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parameterized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service.
- Severity: High
  In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the pdo_mysql extension with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability.
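As an added example (not part of the advisory, and not Asustor or PHP project code), the shell functions below classify a PHP version string against the affected ranges listed above and report which of the two issues applies given the loaded modules. The function names are hypothetical, and the code assumes the extensions appear in `php -m` output as `pgsql`, `pdo_mysql` and `mysqlnd`.

```shell
#!/bin/sh
# Added example, not Asustor or PHP project code.

# First fixed patch level per branch, as listed in the advisory.
php_fixed_patch() {
    case "$1" in
        7.4) echo 30 ;;
        8.0) echo 20 ;;
        8.1) echo 7 ;;
        *) return 1 ;;   # branch not covered by this advisory
    esac
}

# Exit 0 if VERSION is in an affected range, 1 if not, 2 if unparseable.
# Tolerates package suffixes such as "7.4.30.r9".
php_version_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    fixed=$(php_fixed_patch "${ver%.*}") || return 1
    [ "${ver##*.}" -lt "$fixed" ]
}

# Print one line per issue the build is exposed to.
# $1 = version string, $2 = output of `php -m` (assumed module names below).
php_exposure() {
    rc=0; php_version_affected "$1" || rc=$?
    [ "$rc" -ne 2 ] || { echo "cannot parse version: $1" >&2; return 2; }
    [ "$rc" -eq 0 ] || return 0
    mods=$(printf '%s\n' "$2" | tr '[:upper:]' '[:lower:]')
    has() { printf '%s\n' "$mods" | grep -qx "$1"; }
    if has pgsql; then
        echo "critical: pgsql loaded (invalid parameterized-query params)"
    fi
    if has pdo_mysql && has mysqlnd; then
        echo "high: pdo_mysql with mysqlnd loaded (over-long password)"
    fi
}

# Live check, only when a php binary is on PATH.
if command -v php >/dev/null 2>&1; then
    php_exposure "$(php -r 'echo PHP_VERSION;')" "$(php -m)" || :
fi
```

A version outside the 7.4, 8.0 and 8.1 branches is reported as not affected only because the advisory does not list it, not because it has been verified as safe.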
Revision
Revision | Date | Description |
---|---|---|
1 | 2022-07-21 | Initial public release. |
2 | 2022-08-03 | Update PHP 7.4 to 7.4.30.r9 and PHP 8.1 to 8.1.7.r6 for fixing the issues on ADM 4.1. |