Cidram: PHP vulnerability warning, false-positive?

Created on 21 Sep 2018  路  5Comments  路  Source: CIDRAM/CIDRAM

I'm using PHP 7.2.8 Apache + PHP CLI both.
CIDRAM front-end started showing me this error - https://s.put.re/wKNJAfy.png

But as I checked from cvedetails page, I'm not seeing any vuln on 7.2.8

Could be false-positive? 馃

Question Resolved

All 5 comments

Describing it as "severely" vulnerable probably isn't so appropriate, seeing as it's definitely not a "severe" vulnerability, but there has been a fix to a vulnerability recently documented in the PHP's changelogs (#76582) which affects all but the latest versioned releases on all currently supported branches, and which prompted the most recent warning. It does have a CVE assigned, but it's quite new, and AFAIK, that CVE hasn't had any score (CVS) assigned to it by any authorities yet.

The "severe" label is due to that the code that I'd implemented into CIDRAM to notify users via the front-end when their current PHP version has known vulnerabilities doesn't currently distinguish between low-level vulnerabilities and more severe vulnerabilities (and just produces the same notification if it detects that the currently used PHP version has known vulnerabilities, regardless of severity).

Not exactly a false positive, but.. this particular vulnerability is actually relatively obscure, can't actually be replicated across all stacks (it has been confirmed that it can be replicated via Apache, but it can't be replicated via Nginx or other popular web servers AFAIK), and updating isn't super urgent in this case, I think.

I also include a summary of currently safe/unsafe PHP here, which might be useful: Vulnerability Charts.

updating isn't super urgent in this case, I think.

Okay, then.. 馃憤

That all said, good to always keep an eye on these warnings of course, as there often are quite severe vulnerabilities found, which will prompt warnings like these. Just that in this particular case.. it's not really so bad at all, but the code for producing the warnings doesn't consider severity currently. In any case though.. I promise that I'm not trying to subversively use fear tactics and such to force people into updating, lol. "^.^

But yeah. When in doubt, feel free to ask, and I can clarify the reason why whatever warnings are put in place, and whether it's something really concerning or just relatively minor. :-)

@Maikuolan I always get false warnings on my "work" server, because it runs on Debian stable which backport the security patches rather than change to a newer package version mid-OS-version-release.
Anyone else also using a *nix server with an OS that uses this approach will have unjustified warnings as well. Just mention it as info to build some knowledge as I really don't care myself due to the fact that I get the needed security updates and it isn't online. ;)

Cool cool.. And good to know. Not quite sure how I could approach backports at the moment, as the checks currently just work from version numbers alone, but it might be something I'll need to rethink somehow at some point. Anyway, thanks for sharing. :-)

Was this page helpful?
0 / 5 - 0 ratings

Related issues

Dibbyo456 picture Dibbyo456  路  6Comments

Dibbyo456 picture Dibbyo456  路  7Comments

gizmecano picture gizmecano  路  6Comments

100percentlunarboy picture 100percentlunarboy  路  6Comments

Maikuolan picture Maikuolan  路  5Comments