Specific PHP Versions Vulnerability May Allow Malicious User Execution

Solution Properties

Solution ID:

241403060185352

Last Modified Date:

Mon Aug 26 13:36:27 EDT 2024

Taxonomy Path:

Security Advisories//Advisories

Author:

hvuser

Specific PHP Versions Vulnerability May Allow Malicious User Execution

Content

Priority: ● Critical

Status: Monitoring

First Published: 01 July 2024

Advisory Version: [1.0]

References: CVE-2024-4577

Summary

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may misinterpret those characters as PHP options, which may allow a malicious user to pass options to PHP binary being run, and thus reveal the source code of scripts, run arbitrary PHP code on the server, etc.

Affected Products

Vulnerable Products

Hitachi Vantara is currently investigating its product lines to determine if any are affected by this vulnerability. If any products or solutions are found to be impacted, they will be indicated in this section, in subsequent updates to this advisory, along with information regarding fixed release versions (if such information is available at the time.) Likewise, any products or solutions that have been confirmed not to be affected by the given vulnerability will be listed in the section below.

Products Confirmed Not Vulnerable

* As this is an ongoing investigation across all Hitachi Vantara product lines, please note that products may be reclassified as vulnerable as they continue to be evaluated for risk as additional information about these vulnerabilities are released.

Product	Notes
Content Products
Content Platform	CVE-2024-4577: Not vulnerable. Affected components not used
Content Platform S Series	CVE-2024-4577: Not vulnerable. Affected components not used
HCP for Cloud Scale	CVE-2024-4577: Not vulnerable. Affected components not used
Content Intelligence	CVE-2024-4577: Not vulnerable. Affected components not used
Content Software for File	CVE-2024-4577: Not vulnerable. Affected components not used
Data Ingestor	CVE-2024-4577: Not vulnerable. Affected components not used
Content Platform Anywhere	CVE-2024-4577: Not vulnerable. Affected components not used
Content Platform Anywhere Enterprise	CVE-2024-4577: Not vulnerable. Affected components not used
Content Platform Gateway	CVE-2024-4577: Not vulnerable. Affected components not used

Recommended Actions

Please continue to check this Security Advisory, as new information will be added to it as it becomes available.

If any of the information presented above remains unclear, please contact the Hitachi Vantara Global Support Center, or your Vantara-authorized service and support provider.

The information contained herein is for informational purposes only. It is not intended as a guaranty or warranty about Hitachi Vantara’s products, including any guaranty or warranty that any product cannot be exploited by third parties. All product warranties and obligations to a customer must be specified in a mutually acceptable and executed contract between the parties.

Attachments

Service Partner Notes

Employee Notes

Support Center Notes

CXone Metadata

Tags: CVE,pagetype:knowledgearticle,article:cve,CVE-2024-4577,PHP

PageID: 185352