Detections
Analytics

TencentOS Server 3: php:7.4 (TSSA-2024:1123)

high Nessus Plugin ID 239081

Synopsis

The remote TencentOS Server 3 host is missing one or more security updates.

Description

The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:1123 advisory.

 Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:

 CVE-2023-0567:
 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, password_verify() function may accept some invalid Blowfish hashes as valid. If such invalid hash ever ends up in the password database, it may lead to an application allowing any password for this entry as valid.



 CVE-2023-0568:
 In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, core path resolution function allocate buffer one byte too small. When resolving paths with lengths close to system MAXPATHLEN setting, this may lead to the byte after the allocated buffer being overwritten with NUL value, which might lead to unauthorized data access or modification.

 CVE-2023-3247:
 In PHP versions 8.0.* before 8.0.29, 8.1.* before 8.1.20, 8.2.* before 8.2.7 when using SOAP HTTP Digest Authentication, random value generator was not checked for failure, and was using narrower range of values than it should have. In case of random generator failure, it could lead to a disclosure of 31 bits of uninitialized memory from the client to the server, and it also made easier to a malicious server to guess the client's nonce.



 CVE-2023-3823:
 In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 various XML functions rely on libxml global state to track configuration variables, like whether external entities are loaded.
 This state is assumed to be unchanged unless the user explicitly changes it by calling appropriate function. However, since the state is process-global, other modules - such asImageMagick - may also use this library within the same process, and change that global state for their internal purposes, and leave it in a state where external entities loading is enabled. This can lead to the situation where external XML is parsed with external entities loaded, which can lead to disclosure of any local files accessible to PHP. This vulnerable state may persist in the same process across many requests, until the process is shut down.



 CVE-2023-3824:
 In PHP version 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8, when loading phar file, while reading PHAR directory entries, insufficient length checking may lead to a stack buffer overflow, leading potentially to memory corruption or RCE.



 CVE-2024-2756:
 Due to an incomplete fix to CVE-2022-31629 https://github.com/advisories/GHSA-c43m-486j-j32p , network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a
 __Host-or __Secure-cookie by PHP applications.


 CVE-2024-3096:
 In PHP version 8.1.* before 8.1.28, 8.2.* before 8.2.18, 8.3.* before 8.3.5, ifa password stored with password_hash() starts with a null byte (\x00), testing a blank string as the password via password_verify() will incorrectly return true.



 CVE-2024-5458:
 In PHP versions8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, due to a code logic error, filtering functions such as filter_var when validating URLs(FILTER_VALIDATE_URL) for certain types of URLs the function will result in invalid user information (username + password part of URLs) being treated as valid user information. This may lead to the downstream code accepting invalid URLs as valid and parsing them incorrectly.

 CVE-2024-8925:
 In PHP versions8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, erroneous parsing of multipart form data contained in an HTTP POST request could lead to legitimate data not being processed.
 This could lead to malicious attacker able to control part of the submitted data being able to exclude portion of other data, potentially leading to erroneous application behavior.

 CVE-2024-8927:
 In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12,HTTP_REDIRECT_STATUS variable is used to check whether or not CGI binary is being run by the HTTP server. However, in certain scenarios, the content of this variable can be controlled by the request submitter via HTTP headers, which can lead tocgi.force_redirect option not being correctly applied. In certain configurations this may lead to arbitrary file inclusion in PHP.

 CVE-2024-9026:
 In PHP versions 8.1.* before 8.1.30, 8.2.* before 8.2.24, 8.3.* before 8.3.12, when using PHP-FPM SAPI and it isconfigured to catch workers output through catch_workers_output = yes,it may be possible to pollute the final log orremove up to 4 characters from the log messages by manipulating log message content.
 Additionally, ifPHP-FPM is configured to use syslog output, it may be possible to further remove log data using the same vulnerability.

Tenable has extracted the preceding description block directly from the Tencent Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://mirrors.tencent.com/tlinux/errata/tssa-20241123.xml

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0567

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0568

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3247

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3823

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3824

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-2756

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3096

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-5458

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8925

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8927

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9026

Plugin Details

Severity: High

ID: 239081

File Name: tencentos_TSSA_2024_1123.nasl

Version: 1.1

Type: local

Published: 6/16/2025

Updated: 6/16/2025

Supported Sensors: Nessus

Vulnerability Information

CPE: p-cpe:/a:tencent:tencentos_server:libzip, p-cpe:/a:tencent:tencentos_server:php, p-cpe:/a:tencent:tencentos_server:php-pecl-zip, p-cpe:/a:tencent:tencentos_server:php-pecl-xdebug, cpe:/o:tencent:tencentos_server:3, p-cpe:/a:tencent:tencentos_server:php-pecl-apcu, p-cpe:/a:tencent:tencentos_server:php-pear, p-cpe:/a:tencent:tencentos_server:php-pecl-rrd

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/etc/os-release, Host/TencentOS/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 12/11/2024

Vulnerability Publication Date: 12/11/2024