BreadcrumbHomeResourcesBlog PHP 7.4 EOL Is Here: Are Your Applications Secure? November 18, 2024 PHP 7.4 EOL Is Here: Are Your Applications Secure?PHP DevelopmentBy Matthew Weier O’PhinneyPHP 7.4 end of life (EOL) arrived on November 28, 2022. If your team is still running applications using PHP 7.4, then pursuing options to keep apps secure, compliant, and supported is critical. Migrating to a supported PHP version or establishing long-term support through a third party is essential to maintain application security.To assist you as you build your upgrade plan, this blog answers frequently asked questions about PHP 7.4 end of life, walks through what PHP 7.4 EOL means for your application security, explores the consequences of continuing to use unsupported PHP, and discusses how to find the best migration or upgrade path for your team.Get Support for PHP 7.4Zend Long Term Support keeps your apps secure through 2026 with patched PHP 7.4 builds. Upgrade on your schedule, maintain compliance standards, and access 24/7/365 support.Explore lts Options Talk to an ExpertTable of ContentsPHP 7.4 EOL: Frequently Asked QuestionsPHP 7.4 Vulnerabilities and Security RisksPHP 7.4 EOL: Additional Consequences of Using End of Life PHPHow to Create a PHP 7.4 EOL StrategyFinal ThoughtsTable of Contents1 - PHP 7.4 EOL: Frequently Asked Questions2 - PHP 7.4 Vulnerabilities and Security Risks3 - PHP 7.4 EOL: Additional Consequences of Using End of Life PHP4 - How to Create a PHP 7.4 EOL Strategy5 - Final ThoughtsBack to topPHP 7.4 EOL: Frequently Asked QuestionsWhen Is the PHP 7.4 End of Life Date?PHP 7.4 reached end of life on November 28, 2022.How Long Is PHP 7.4 Supported?PHP 7.4 is no longer supported by the community. However, through Zend PHP LTS services, PHP 7.4 can be supported through 2026.How Many Teams Are Still Using PHP 7.4 EOL?According to the 2024 PHP Landscape Report, 47.73% of PHP teams are still using PHP 7.4 in their applications.Is PHP 7.4 Safe?PHP 7.4, when used unsupported, is no longer secure. However, by working with a third party LTS provider like Zend, you can secure your PHP applications through 2026.Should I Update PHP 7.4 to 8?Yes, you should update PHP 7.4 to a supported version. For more information on planning an update from PHP 7.4 to 8 or another supported PHP version, visit our in-depth guide, Setting Your PHP 7.4 Migration Strategy. On-Demand Webinar: Are You Ready for PHP 7.4 EOL?Join me for an on-demand discussion surrounding the impacts of PHP 7.4 EOL and exploring upgrade and migration solutions to keep your applications secure.Back to topPHP 7.4 Vulnerabilities and Security RisksAfter security support from the community ends, PHP versions enter end of life. This means that they do not receive security patches, bug fixes, or other updates from the community. As bugs and vulnerabilities accumulate, teams using end of life PHP versions expose their applications to compounding risks. This is the case for PHP 7.4. Known PHP 7.4 Security VulnerabilitiesAs noted above, the accumulation of unpatched vulnerabilities adds an increasing amount of security risk to the application. If left unmitigated, these vulnerabilities can and will be exploited. Additionally, the longer a PHP version is EOL, the more Common Vulnerabilities and Exposures (CVEs) will be identified. For instance, in 2024 alone, several PHP 7.4 vulnerabilities have been discovered.CVESeverityTypeSubjectDateAffected PHP VersionsCVE-2024-1874CriticalRemote Code ExecutionCommand injection via array-ish $command parameter of proc_open even if`bypass_shell option enabled on Windows2024-02-257.4.0 - 7.4.33CVE-2024-4577CriticalRemote Code Executionphp: Argument Injection in PHP-CGI2024-06-07 7.4.0-7.4.33CVE-2024-2408ModerateInformation Disclosurephp: potential exposure to Marvin attack via unsafe implementation of RSA decryption API2024-06-077.4.0-7.4.33CVE-2024-8926HighRemote Code Executionphp: PHP CGI Parameter Injection Vulnerability (CVE-2024-4577 bypass)2024-10-077.4.0-7.4.33CVE-2024-8927HighRemote Code Executionphp: cgi.force_redirect configuration is bypassable due to the environment variable collision2024-10-077.4.0-7.4.33CVE-2024-8925ModerateCross-Site Request Forgeryphp: Erroneous parsing of multipart form data2024-10-077.4.0-7.4.33This list is non-exhaustive, and it represents only a snapshot of ongoing PHP 7.4 vulnerabilities now that the version has reached end of life. If applications using PHP 7.4 do not upgrade to a supported version, or if they continue to use PHP 7.4 without third-party long term support, they will be left vulnerable to these and yet-to-be identified PHP 7.4 security vulnerabilities.Stay Up to Date on the Latest PHP 7.4 VulnerabilitiesThe Zend Security Center is designed to help developers identify and mitigate PHP vulnerabilities before they become problems, keeping your PHP application secure and compliant.Security Center Explore Security SolutionsBack to topPHP 7.4 EOL: Additional Consequences of Using End of Life PHPMost teams are well acquainted with the consequences of unsupported end of life technologies. Every year, new vulnerabilities are discovered within unsupported technologies – with high-profile exploits of these vulnerabilities making their way to front pages around the world.But security isn’t the only consequence of unsupported PHP 7.4 applications. Teams working with EOL PHP versions also expose their applications to decreased performance, reduced application stability, and the lost-opportunity cost of maintaining an EOL PHP version when they could be helping to further the goals of the business.PerformanceOne of the often overlooked aspects of using PHP 7.4 end of life is performance. New versions of PHP regularly add new features and improvements to the language that can reduce development, hosting, or hardware costs for the application. While this might seem like a lesser consideration, these costs can add up quickly – especially when deploying a large number of PHP applications, or applications that receive large amounts of traffic.Application StabilityIf applications aren’t regularly updated to new technology versions, there can be a growing risk of application downtime. As an example, an application running an EOL PHP version might be using a library that has since been deprecated. A bug within that library could cause the application to crash. Now imagine enterprise applications with dozens of un-updated libraries, or libraries that have been updated and cause issues with the EOL PHP application.Opportunity CostsLastly, there’s the danger of lost opportunity cost. Running an EOL PHP version means spending time on things like building or backporting patches for security issues and bugs. For supported PHP versions, this isn't an issue, and allows teams to better focus on improving the security, performance, or functionality of your application.Backporting bug fixes and security patches isn't the only time-consuming aspect of maintaining an EOL PHP application, either. Profiling and improving performance on an application running on an EOL PHP version can be time intensive. But even the best performance improvements on that application can be overshadowed by the performance improvements gained by migrating to a new PHP version. That's not to mention new language features in newer versions that can solve a variety of problems for businesses. The takeaway from this is that there are a number of hidden costs of running EOL PHP applications that can directly or indirectly impact the health of your application and business, and the time committed to things like backporting patches can lead to lost opportunities for improving your application and business.Back to topHow to Create a PHP 7.4 EOL StrategyTo avoid the risks associated with unsupported PHP 7.4 EOL versions, teams need to regularly plan and execute PHP upgrades and migrations. PHP 7.4 EOL is no exception.Upgrading Your ApplicationsFor teams with a limited number of applications or less complex codebases, upgrading or migrating from PHP 7.4 may be straightforward – depending on the changes between the origin and destination versions. For others, planning migrations for many applications (or particularly complex applications), can be a much more time-intensive exercise.One thing to keep in mind for teams tasked with migrating PHP 7.4 is that this is the final PHP 7 minor release, meaning that there is no guarantee that the destination PHP version will be backwards compatible. More often than not, these major versions are only released when changes there are breaking changes to existing APIs that are exposed to consumers.For teams planning PHP migrations or upgrades, having a consistently audited and profiled set of applications is key to understanding the impact of these major version upgrades on your code base, the scope of a given migration for your team, and the potential impact to the overarching business.Self-SupportSelf-support is another option for teams working with EOL PHP 7.4 applications. However, teams that choose this route need to understand the impact this can have on their business. As noted above, developers who are busy developing patches for CVEs are developers who aren’t working on developing new applications, improving existing applications, or working on all the things that will make the next migration easier. While self-support may be a valid option for larger enterprises with resources dedicated to developing patches and fixes in house, it’s not a cost-effective option for 99% of companies.Finding Long-Term SupportFor teams that, for one reason or another, can’t migrate before PHP end of life hits, finding a reliable source of security patches is key to maintaining the stability and security of their given PHP applications. Luckily, there are third-party options for PHP long-term support that can help teams to keep their EOL PHP applications supported, such as Zend PHP LTS.PHP 7.4 EOL Timeline With Zend PHP LTSPHP Version Release Date Active Support End Date End of Life / Security Support End Date Zend PHP 7.4 LTS End Date 7.4 November 28, 2019 November 28, 2021 November 28, 2022 December 2026 Zend PHP LTS options are built to support your applications, offering two years of additional security support after community support ends, as with PHP 7.4. We help you to upgrade on your schedule while saving you money on refactoring, ensuring your application maintains compliance, and offering full support services.Back to topFinal ThoughtsMigrating or upgrading your EOL PHP is crucial to avoiding organizational risk – and PHP 7.4 is no different. As you and your team build your migration and upgrade strategy, make sure to contact Zend. Our PHP experts are at your disposal, and we're ready to help you make the move from PHP 7.4 to supported versions quickly, easily, and with minimal delay.Secure Your PHP Applications With LTS and Migration ServicesReady to plan your migration and support strategy for PHP 7.4 applications? Zend is here to help. Check out our LTS options, and explore our migration services.PHP 7.4 LTS Options PHP 7.4 Migration ServicesThis blog was originally published on January 30, 2023, and has been updated to include new information.Additional Resources White Paper - The Hidden Costs of PHP UpgradesWhite Paper - Planning Your Next PHP MigrationCase Study - mittwald Managed Hosting Customers Stay Secure With PHP LTSCase Study - Bark.com Modernizes Mission-Critical PHP ApplicationBlog - How to Assess and Prevent PHP VulnerabilitiesBlog - Setting Your PHP 7.4 Migration StrategyBlog - How to Upgrade PHP Blog - PHP Migrations: When Is Migrating the Right Choice?Back to top
Matthew Weier O’Phinney Senior Product Manager, OpenLogic and Zend by Perforce Matthew began developing on Zend Framework (ZF) before its first public release, and led the project for Zend from 2009 through 2019. He is a founding member of the PHP Framework Interop Group (PHP-FIG), which creates and promotes standards for the PHP ecosystem — and is serving his second elected term on the PHP-FIG Core Committee.
