Published on: 28 October 2019
A vulnerability has been found in the PHP FastCGI Process Manager (PHP-FPM) for NGINX HTTP servers. A remote attacker may send a specially crafted URL to an affected system to exploit the vulnerability.
Please note that PHP version 7.1 will reach its end-of-life on 1.12.2019 and no security updates will be provided after that. In addition, support for older PHP versions (including version 7.0 and 5.x) were ceased. Users should arrange upgrading the PHP to the latest version or migrating to other supported technology.
The following PHP versions installed on NGINX HTTP servers are affected:
Successful exploitation could lead to arbitrary code execution on an affected system.
PHP has released new versions to address the issue and they can be downloaded at the following URLs:
Administrators of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.