“Deframed” Zend Framework Remote Code Execution Vulnerability Revealed


An untrusted deserialization vulnerability in the Zend Framework was disclosed this week. Attackers who exploit it can achieve Remote Code Execution (RCE) on PHP sites.

This vulnerability could also affect some instances of the Laminas project, which is Zend’s successor. Zend Framework is built from PHP packages and is used by developers to build object-oriented web applications.

The vulnerability stems from the destructor of the Stream class in the Framework’s PHP code. In object-oriented programming, constructors and destructors are methods that are called automatically when an object is created or disposed of, so a destructor on an object revived from untrusted serialized data runs without the application ever calling it explicitly.
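To show the mechanism, here is an added illustration in PHP that is not Zend or Laminas code: a constructed class whose destructor acts on a property it trusts, the unsafe unserialize() call that lets attacker-supplied bytes instantiate it, and the hardened alternatives (the class name, payload and paths are all invented for the example).

```php
<?php
// Constructed example class: stands in for any framework class whose
// destructor performs a side effect based on object state.
final class AuditHandle
{
    public string $path;

    public function __construct(string $path)
    {
        $this->path = $path;
    }

    // Called when the object is garbage-collected, including objects that
    // unserialize() materialised from untrusted input. The path it writes to
    // is whatever the serialized bytes said it was.
    public function __destruct()
    {
        file_put_contents($this->path, "handle closed\n", FILE_APPEND);
    }
}

// Constructed sample of what such an object looks like once serialized.
$untrusted = 'O:11:"AuditHandle":1:{s:4:"path";s:21:"/tmp/example-only.log";}';

// Vulnerable pattern: any class in the codebase can be revived, and its
// __destruct()/__wakeup() run on state chosen by the sender.
function loadStateUnsafe(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened pattern 1: refuse every class. Object payloads are turned into
// __PHP_Incomplete_Class, which carries the data but has no methods, so no
// destructor or magic method of the original class ever executes.
function loadStateSafe(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened pattern 2: use a data-only format across trust boundaries.
function loadStateJson(string $blob): array
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

$revived = loadStateSafe($untrusted);
// The revived value is an __PHP_Incomplete_Class, not an AuditHandle.
var_dump($revived instanceof __PHP_Incomplete_Class);
```

If a legitimate object graph must be deserialized, pass an explicit allow-list of class names to allowed_classes rather than false, and keep it free of classes with side-effecting destructors.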

The impact

An attacker who controls the values fed into the deserialization process can achieve remote code execution, executing arbitrary commands and potentially seizing control of the web application itself.

The resulting damage can include loss of revenue and, more importantly, loss of reputation.

The remediation

Zend Framework is no longer supported by the vendor, and it is recommended to upgrade to the latest version of the Laminas project. The latest version (as of this article, 05.01.2021) is version 3.0; the components and documentation are located here.

Source: Bleeping Computer

Risk Crew