
πŸ›‘οΈ Azure App Service does not run the latest PHP version🟒βšͺ

  • Contextual name: 🛡️ App Service does not run the latest PHP version 🟢⚪
  • ID: /ce/ca/azure/app-service/latest-php-version
  • Tags:
  • Policy Type: COMPLIANCE_POLICY
  • Policy Categories: SECURITY, RELIABILITY, PERFORMANCE

Similar Policies

Similar Internal Rules

Rule | Policies | Flags
✉️ dec-x-f82b98491

Description

Periodically, older versions of PHP may be deprecated and no longer supported. Using a supported version of PHP for app services is recommended to avoid potential unpatched vulnerabilities.

Rationale

Deprecated and unsupported versions of programming and scripting languages can present vulnerabilities which may not be addressed or may not be addressable.

Impact

If your app is written using version-dependent features or libraries, they may not be available on more recent versions. If you wish to update, research the impact thoroughly.

Audit

Take note of the currently supported versions of PHP here: https://www.php.net/supported-versions.php

From Azure Console
  1. From Azure Home open the Portal Menu in the top left.
  2. Go to App Services.
  3. Click on each App.
  4. Under Settings section, click on Configuration.
  5. Click on the General settings pane and ensure that, for a Stack of PHP, the Major Version and Minor Version reflect a currently supported release.

NOTE: No action is required if PHP version is set to Off, as PHP is not used by your web app.


Remediation

From Azure Portal

  1. From Azure Home open the Portal Menu in the top left.
  2. Go to App Services.
  3. Click on each App.
  4. Under Settings section, click on Configuration.
  5. Click on the General settings pane and ensure that, for a Stack of PHP, the Major Version and Minor Version reflect the latest stable and supported release.

NOTE: No action is required if PHP version is set to Off or is set with an empty value, as PHP is not used by your web app.

From Azure CLI

List the available PHP runtimes:

az webapp list-runtimes

To set the latest PHP version for an existing app, run the following command:

az webapp config set --resource-group <RESOURCE_GROUP_NAME> --name <APP_NAME> --linux-fx-version <PHP_RUNTIME_VERSION> --php-version <PHP_VERSION>
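The Audit section above tells you what to look for, and the Azure CLI step above shows the command that fixes a non-compliant app; the script below ties the two together. It is an added example, not Cloudaware's or CIS's code. It reads the two SiteConfig fields that `az webapp config show` returns (`linuxFxVersion` for Linux apps, e.g. "PHP|8.3", and `phpVersion` for Windows apps), classifies each app as PASS, FAIL or NOT_APPLICABLE (PHP set to Off, empty, or another stack), and emits the page's `az webapp config set` command for each failing app. The app names and config records are constructed sample data, and the supported-version set is a placeholder that must be refreshed from https://www.php.net/supported-versions.php at audit time; the resource group is the page's `<RESOURCE_GROUP_NAME>` placeholder.

```python
"""Audit App Service PHP runtimes against a supported-version list.

Added example, not Cloudaware's or CIS's code. It consumes the
`linuxFxVersion` and `phpVersion` fields from `az webapp config show`
and reports which apps need the remediation command from this page.
"""
import re

# ASSUMPTION / placeholder: refresh this set from
# https://www.php.net/supported-versions.php at audit time. The values
# here are constructed for the example and will go stale.
SUPPORTED_PHP = {"8.2", "8.3"}
LATEST_PHP = max(SUPPORTED_PHP, key=lambda v: tuple(int(p) for p in v.split(".")))

# Constructed sample: app name -> the two SiteConfig fields this check reads.
# Linux apps carry the runtime in linuxFxVersion ("PHP|8.3"); Windows apps
# carry it in phpVersion ("7.4"). None of these apps exist.
SAMPLE_CONFIGS = {
    "shop-linux":   {"linuxFxVersion": "PHP|8.3",     "phpVersion": ""},
    "legacy-linux": {"linuxFxVersion": "PHP|7.4",     "phpVersion": ""},
    "intranet-win": {"linuxFxVersion": "",            "phpVersion": "7.4"},
    "api-node":     {"linuxFxVersion": "NODE|20-lts", "phpVersion": ""},
    "static-win":   {"linuxFxVersion": "",            "phpVersion": "Off"},
}

_LINUX_PHP = re.compile(r"^PHP\|(\d+\.\d+)", re.IGNORECASE)


def php_version_of(config):
    """Return the PHP major.minor in use, or None when PHP is Off, empty or not the stack."""
    fx = (config.get("linuxFxVersion") or "").strip()
    match = _LINUX_PHP.match(fx)
    if match:
        return match.group(1)
    if fx:
        # ASSUMPTION: a Linux app whose linuxFxVersion names another stack
        # (Node, Python, ...) does not run PHP, whatever phpVersion says.
        return None
    php = (config.get("phpVersion") or "").strip()
    if php == "" or php.lower() == "off":
        return None  # the page's NOTE: Off or empty means PHP is not used
    return php


def assess(app_name, config, supported=SUPPORTED_PHP):
    """Classify one app: PASS, FAIL, or NOT_APPLICABLE (PHP not in use)."""
    version = php_version_of(config)
    if version is None:
        status = "NOT_APPLICABLE"
    elif version in supported:
        status = "PASS"
    else:
        status = "FAIL"
    return {"app": app_name, "phpVersion": version, "status": status}


def remediation_command(app_name, config, target=LATEST_PHP,
                        resource_group="<RESOURCE_GROUP_NAME>"):
    """Build the page's `az webapp config set` command for a FAIL app, else None.

    Linux apps take the runtime through --linux-fx-version ("PHP|x.y"),
    Windows apps through --php-version; both flags appear in the page's
    CLI remediation step.
    """
    if assess(app_name, config)["status"] != "FAIL":
        return None
    base = f"az webapp config set --resource-group {resource_group} --name {app_name}"
    if config.get("linuxFxVersion"):
        return f'{base} --linux-fx-version "PHP|{target}"'
    return f"{base} --php-version {target}"


def audit(configs, supported=SUPPORTED_PHP):
    """Assess every app and return the list of result records."""
    return [assess(name, cfg, supported) for name, cfg in configs.items()]


if __name__ == "__main__":
    for result in audit(SAMPLE_CONFIGS):
        line = f"{result['app']:<14} {str(result['phpVersion']):<6} {result['status']}"
        cmd = remediation_command(result["app"], SAMPLE_CONFIGS[result["app"]])
        print(line + (f"\n    fix: {cmd}" if cmd else ""))
```

In a real audit, replace `SAMPLE_CONFIGS` with the output of `az webapp list` (for the names) and `az webapp config show` (for each app's config); the check reads only the two fields shown, so extra fields in the real JSON are ignored. The NOT_APPLICABLE branch is what keeps apps with PHP set to Off or empty out of the findings, matching the page's NOTE.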

From PowerShell

To set the latest PHP version for an existing app, run the following command:

Set-AzWebApp -ResourceGroupName <RESOURCE_GROUP_NAME> -Name <APP_NAME> -phpVersion <PHP_VERSION>

NOTE: Currently there is no way to update an existing web app's Linux FX Version setting using PowerShell, nor is there a way to create a new web app using PowerShell that configures the PHP runtime in the Linux FX Version setting.

policy.yaml

Linked Framework Sections

Section | Sub Sections | Internal Rules | Policies | Flags | Compliance
💼 APRA CPG 234 → 💼 36h patch management controls — to manage the assessment and application of patches and other updates that address known vulnerabilities in a timely manner; 77 no data
💼 APRA CPG 234 → 💼 40 An important aspect of information asset life-cycle management involves minimising vulnerabilities and maintaining support. Information security exposures could arise from hardware and software which is outdated or has limited or no support (whether through a third party, a related party or in-house). Technology that is end-of-life5, out-of-support or in extended support is typically less secure by design, has a dated security model and can take longer, or is unable, to be updated to address new threats. 77 no data
💼 CIS Azure v1.1.0 → 💼 9.7 Ensure that 'PHP version' is the latest, if used to run the web app 11 no data
💼 CIS Azure v1.3.0 → 💼 9.6 Ensure that 'PHP version' is the latest, if used to run the web app - Level 1 (Manual) 11 no data
💼 CIS Azure v1.5.0 → 💼 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App - Level 1 (Manual) 11 no data
💼 CIS Azure v2.0.0 → 💼 9.6 Ensure That 'PHP version' is the Latest, If Used to Run the Web App - Level 1 (Manual) 11 no data
💼 CIS Azure v2.1.0 → 💼 9.5 Ensure That 'PHP version' is the Latest, If Used to Run the Web App - Level 1 (Manual) 11 no data
💼 CIS Azure v3.0.0 → 💼 9.7 Ensure that 'PHP version' is currently supported (if in use) (Manual) 1 no data
💼 Cloudaware Framework → 💼 Infrastructure Modernization 18 no data
💼 FedRAMP High Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) 21416 no data
💼 FedRAMP High Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) 31833 no data
💼 FedRAMP High Security Controls → 💼 CM-11 User-installed Software (L)(M)(H) 44 no data
💼 FedRAMP Low Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) 8 no data
💼 FedRAMP Low Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) 29 no data
💼 FedRAMP Low Security Controls → 💼 CM-11 User-installed Software (L)(M)(H) 4 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-5 Access Restrictions for Change (L)(M)(H) 216 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-7 Least Functionality (L)(M)(H) 333 no data
💼 FedRAMP Moderate Security Controls → 💼 CM-11 User-installed Software (L)(M)(H) 4 no data
💼 ISO/IEC 27001:2013 → 💼 A.12.5.1 Installation of software on operational systems 55 no data
💼 NIST CSF v1.1 → 💼 DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events 2026 no data
💼 NIST CSF v1.1 → 💼 DE.CM-5: Unauthorized mobile code is detected 1112 no data
💼 NIST CSF v1.1 → 💼 ID.AM-2: Software platforms and applications within the organization are inventoried 57 no data
💼 NIST CSF v1.1 → 💼 PR.DS-6: Integrity checking mechanisms are used to verify software, firmware, and information integrity 2227 no data
💼 NIST CSF v1.1 → 💼 PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) 426 no data
💼 NIST CSF v1.1 → 💼 PR.IP-3: Configuration change control processes are in place 55 no data
💼 NIST CSF v1.1 → 💼 PR.PT-3: The principle of least functionality is incorporated by configuring systems to provide only essential capabilities 2130 no data
💼 NIST CSF v2.0 → 💼 DE.CM-01: Networks and network services are monitored to find potentially adverse events 170 no data
💼 NIST CSF v2.0 → 💼 DE.CM-03: Personnel activity and technology usage are monitored to find potentially adverse events 95 no data
💼 NIST CSF v2.0 → 💼 DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events 170 no data
💼 NIST CSF v2.0 → 💼 ID.AM-02: Inventories of software, services, and systems managed by the organization are maintained 9 no data
💼 NIST CSF v2.0 → 💼 ID.RA-07: Changes and exceptions are managed, assessed for risk impact, recorded, and tracked 41 no data
💼 NIST CSF v2.0 → 💼 PR.DS-01: The confidentiality, integrity, and availability of data-at-rest are protected 180 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-2(6) Flaw Remediation _ Removal of Previous Versions of Software and Firmware 66 no data
💼 NIST SP 800-53 Revision 5 → 💼 SI-7(12) Software, Firmware, and Information Integrity _ Integrity Verification 1921 no data
💼 UK Cyber Essentials → 💼 3.1 All software on in-scope devices must be licensed and supported 66 no data