CVE-2024-9026: 
PHP vulnerability analysis and mitigation

CVE-2024-9026 affects PHP versions 8.1. before 8.1.30, 8.2. before 8.2.24, and 8.3.* before 8.3.12, specifically when using PHP-FPM (FastCGI Process Manager) SAPI. The vulnerability was discovered during a Quarkslab security audit conducted in collaboration with OSTIF and PHP Foundation (PHP Advisory).

The vulnerability occurs when PHP-FPM is configured with catchworkersoutput = yes. The issue lies in the fpmstdiochildsaid method in sapi/fpm/fpm/fpmstdio.c, where improper handling of the FPMSTDIOCMD_FLUSH macro can lead to log manipulation. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating local access requirements and low severity (NVD).

The vulnerability allows attackers to either pollute the final log or remove up to 4 characters from log messages by manipulating log message content. Additionally, if PHP-FPM is configured to use syslog output, it may be possible to remove more log data using the same vulnerability. This can potentially impact log integrity and hinder incident response and forensic investigations (PHP Advisory).

The vulnerability has been patched in PHP versions 8.1.30, 8.2.24, and 8.3.12. Users are advised to upgrade to these patched versions to mitigate the vulnerability (NVD).