Mitigating CVE-2023-0662

June 29, 2023 | PHP Development | By Yeshua Hall

CVE-2023-0662, a critical vulnerability in PHP 8.x, exposes unpatched PHP applications to information disclosure, data modification, and denial of service attacks, and the cost of a successful exploit can reach well into the millions.

In this blog, we look at CVE-2023-0662: how it works, who it impacts, the consequences of a successful exploit, and mitigation steps for affected teams.

Table of Contents
1 - What Is CVE-2023-0662?
2 - The Consequences of a CVE-2023-0662 Exploit
3 - CVE-2023-0662 Mitigation Options

What Is CVE-2023-0662?

CVE-2023-0662 is a critical vulnerability in PHP 8.x that also affects earlier PHP versions that are out of community support. If successfully exploited, it can disclose sensitive information, modify data, and/or cause a Denial of Service (DoS).

How Does CVE-2023-0662 Work?

By abusing the way PHP parses a request body, an unauthenticated attacker can send HTTP requests that overload the server, consuming large amounts of resources and generating an excessive number of log entries.

Who Does CVE-2023-0662 Impact?

Anyone running PHP 5.x, 7.x (other than ZendPHP LTS with its latest patches), 8.0.x before 8.0.28, 8.1.x before 8.1.16, or 8.2.x before 8.2.3 is at risk from CVE-2023-0662. As mentioned, users of ZendPHP LTS 7.x on the latest patch need not worry about this vulnerability, as Zend has provided a patch for them.

The Consequences of a CVE-2023-0662 Exploit

The main consequence of CVE-2023-0662 is the exhaustion of server resources, which can lead to a DoS that brings the server down. An attacker who successfully exploits this vulnerability can use HTTP requests to make PHP's request parsers consume large amounts of server resources and produce excessive logs.

Depending on the situation, a DoS attack like this can cost companies well into six figures in damages, not to mention the potential damage to reputation that can affect business down the line.

CVE-2023-0662 Mitigation Options

If your team is currently running a minor version of PHP 8.x, upgrade to the latest patch release of that minor version to mitigate the issue. For example, if you are running 8.1.x, upgrade to 8.1.16 to get the patch that mitigates CVE-2023-0662.

For those still running a 7.x minor version (other than 7.1) who have a blocker that keeps them from upgrading to 8.x, Zend by Perforce currently provides Long Term Support for PHP 7.2, 7.3, 7.4, and 8.0. We have already backported and shipped the patch to our customers. If you are a ZendPHP or Zend Server customer, upgrade to the latest patch of your 7.x minor version and you are good to go.
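To turn the version ranges above into a fleet check, here is an added Python example (not the post's or Zend's code) that classifies the first line of `php -v` output from each host against the fixed releases named in this post; the host names and banner lines are constructed sample data, and the script cannot tell a vendor LTS build with the backport from a stock 7.x, so 7.x hosts are flagged for manual confirmation.

```python
import re

# First community patch release per 8.x minor, as listed in the post.
FIXED_IN = {(8, 0): 28, (8, 1): 16, (8, 2): 3}
# Branches the post lists as affected with no community fix (vendor LTS aside).
EOL_MAJORS = {5, 7}

ACTION = {
    "affected": "upgrade to the latest patch of the same minor (>= 8.0.28 / 8.1.16 / 8.2.3)",
    "affected-eol": "no community fix: move to a patched 8.x or confirm a vendor LTS build with the backport",
    "fixed": "no action needed for CVE-2023-0662",
    "not-listed": "version not covered by this post; consult the PHP changelog",
}

# Constructed sample: first line of `php -v` as collected from each host.
SAMPLE_INVENTORY = {
    "web-01": "PHP 8.1.15 (cli) (built: Feb  1 2023 10:00:00) (NTS)",
    "web-02": "PHP 8.1.16 (cli) (built: Feb 14 2023 10:00:00) (NTS)",
    "api-01": "PHP 8.2.2 (cli) (built: Feb  1 2023 10:00:00) (NTS)",
    "legacy-01": "PHP 7.4.33 (cli) (built: Nov  1 2022 10:00:00) (NTS)",
}

def parse_version(text):
    """Return (major, minor, patch) from a bare version or a `php -v` banner."""
    m = re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError(f"no PHP version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def classify(text):
    """Map one version string to affected / affected-eol / fixed / not-listed."""
    major, minor, patch = parse_version(text)
    if major in EOL_MAJORS:
        return "affected-eol"
    fixed_patch = FIXED_IN.get((major, minor))
    if fixed_patch is None:
        return "not-listed"  # 8.3+ and anything else the post does not name
    return "fixed" if patch >= fixed_patch else "affected"

def triage(inventory):
    """Return {host: (status, recommended action)} for a host -> banner mapping."""
    statuses = {host: classify(banner) for host, banner in inventory.items()}
    return {host: (s, ACTION[s]) for host, s in statuses.items()}

if __name__ == "__main__":
    for host, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status:13} {action}")
```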
Yeshua Hall, Senior Solutions Architect, Zend by Perforce

Yeshua Hall is the Senior Solutions Architect at Perforce Software. Yeshua is passionate about helping customers overcome complex technical challenges to achieve their team and business goals.