# Original question
I have a focal machine ("Ubuntu 20.04.6 LTS") with php 7.4 installed (7.4.3-4ubuntu2.19), a vulnerability scan warned me about CVE-2023-3824, CVE-2023-3823 in PHP but the following:
https://ubuntu.com/security/CVE-2023-3824
https://ubuntu.com/security/CVE-2023-3823
https://ubuntu.com/security/cves?q=&package=php7.4
It states that this machine is "Not vulnerable"; does anybody know how to get more details on this? I took a look into the package's changelog but there's no mention of the above CVEs.
# Wrong answer
I think the CVE descriptions are pretty clear, since they start with:
> In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, and 8.2.* before 8.2.8 ...
It's blatantly obvious that PHP 7.4 is not affected by these.
So the conclusion is your vulnerability scan yields a false positive here.
# Correct answer
For CVE-2023-3824, for example, you can see [the PHP issue](https://github.com/php/php-src/security/advisories/GHSA-jqcx-ccgc-xwhv) and see the problem code referred to there in [`ext/phar/dirstream.c`](https://github.com/php/php-src/blob/be71cadc2f899bc39fe27098042139392e2187db/ext/phar/dirstream.c#L89C1-L116). You can see the fix that was applied (https://github.com/php/php-src/commit/80316123f3e9dcce8ac419bd9dd43546e2ccb5ef) and see that the problem code existed and still exists in [the final php 7.4.33 code][1].
So yes, PHP 7.4 has that issue; it just isn't mentioned in the CVE because 7.4 is end of life and CNAs don't (have to) report on EOL software.
Ubuntu has not backported any fix. Grep the [source (7.4.3-4ubuntu2.19)](https://packages.ubuntu.com/source/focal-updates/php7.4) for `phar_dir_read` and you will find the vulnerable code and no patch. Once they backport it they would mention it, and https://ubuntu.com/security/CVE-2023-3824 would say something other than "Not vulnerable" against the 7.4 versions where it exists.
But well done to your security tool: some naive ones misinterpret what the CVEs mean, whereas whoever is working on your security tool has done the additional work to assess which EOL versions are affected too, not just import the CVE.
[1]: https://github.com/php/php-src/blob/php-7.4.33/ext/phar/dirstream.c#L92
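The distinction the answer draws, between a scanner that only matches the version ranges written in the CVE text and one that also reasons about EOL branches the text does not list, as an added Python example (not code from the question, the answers or any scanner). The verdict strings, and the assumption that a branch newer than the newest listed one already carries the fix, are mine.

```python
import re

# CVE range text as quoted in the answer above (copied from the page, not a live feed).
CVE_2023_3824_TEXT = ("In PHP versions 8.0.* before 8.0.30, 8.1.* before 8.1.22, "
                      "and 8.2.* before 8.2.8")
_RANGE_RE = re.compile(r"(\d+)\.(\d+)\.\* before (\d+(?:\.\d+)+)")


def parse_version(text):
    """'7.4.3' -> (7, 4, 3); tuples compare lexicographically, like version numbers."""
    return tuple(int(p) for p in text.split("."))


def upstream_version(debian_version):
    """Strip a Debian/Ubuntu epoch and revision: '2:7.4.3-4ubuntu2.19' -> '7.4.3'."""
    return debian_version.split(":", 1)[-1].split("-", 1)[0]


def parse_ranges(text):
    """[((major, minor), first_fixed_version), ...] from a CVE range sentence."""
    return [((int(a), int(b)), parse_version(f)) for a, b, f in _RANGE_RE.findall(text)]


def naive_verdict(version, ranges):
    """What a tool that only matches the branches listed in the CVE text concludes."""
    v = parse_version(version)
    for branch, fixed in ranges:
        if v[:2] == branch:
            return "affected" if v < fixed else "fixed"
    return "not affected"  # 7.4 is not listed, so a naive tool reports it as clean


def eol_aware_verdict(version, ranges, fix_backported=False):
    """Treat unlisted branches older than the oldest listed one as unfixed.

    The CVE text only enumerates branches supported at publication time; an
    older EOL branch (7.4 here) never got the upstream fix, so it stays
    affected unless the distribution backported the patch. Assumption (mine,
    not the page's): a branch newer than the newest listed one was cut after
    the fix and carries it.
    """
    v = parse_version(version)
    for branch, fixed in ranges:
        if v[:2] == branch:
            return "affected" if v < fixed else "fixed"
    if v[:2] < min(branch for branch, _ in ranges):
        return "fixed (backport)" if fix_backported else "affected (EOL, no upstream fix)"
    return "fixed"
```

For the question's package, `eol_aware_verdict(upstream_version("7.4.3-4ubuntu2.19"), parse_ranges(CVE_2023_3824_TEXT))` gives the EOL-affected verdict, which is exactly what the answer's grep of the Ubuntu source confirms.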