CVE-2023-0662: A remote unauthenticated DoS vulnerability in PHP

CVE-2023-0662

PHP released this week versions 8.0.28, 8.1.16, and 8.2.3 of the scripting language. In addition to some functionality bugs, the latest releases address a series of security-related flaws.

According to the PHP development team, a total of three vulnerabilities have been fixed in PHP 8.0.28, 8.1.16, and 8.2.3.

One of the flaws, tracked as CVE-2023-0662 and classified as “high,” has been described as a DoS vulnerability when parsing the multipart request body. In a vulnerable PHP version, the excessive number of parts in HTTP form upload can cause high resource consumption and an excessive number of log entries. This can cause a denial of service on the affected server by exhausting CPU resources or disk space.

CVE-2023-0662

“The default/production configuration is affected by this vulnerability. The large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow down the processing of legitimate user requests. The large volume of warning messages can wear down the disk and fill it up. Complete DoS is achievable by sending many concurrent multipart requests in a loop,” reads the PHP advisory.

“PHP parses the request body before invoking any application scripts. This vulnerability affects all PHP websites that accept POST request bodies (post_max_size set to a value greater than zero, the default value is 8MB).”

As mitigation for fixing CVE-2023-0662, users can decrease post_max_size close to zero.

The second vulnerability affecting PHP is related to the BCrypt function. The low-severity security bug (tracked as CVE-2023-0567), which is caused by a malformatted BCrypt hashes flaw, could “trigger a buffer overread and may erroneously validate any password as valid.”

Another vulnerability fixed by PHP has been assigned the CVE identifier CVE-2023-0568 (CVSS score of 7.5). This flaw may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16, and 8.2.X before 8.2.3 users are advised to update their installations as soon as possible.