How to remove obsolete PHP packages so that rapid7 stops reporting PHP Vulnerability on Centos7

Question

I'm trying to remove PHP vulnerability on my Centos7 machine that is being reported by rapid7 security scan. I've upgraded from PHP7.1 to PHP7.4 however after another scan, the php71 packages are still being reported.

I also ensured that 7.1 packages were removed by running commands;

yum remove -y php71
yum autoremove
rm -rf /var/cache/yum/x86_64/7/remi-php71*

I've attached a screenshot of the report

As remediation steps it's asking me to upgrade to the latest version of PHP but I've already done an upgrade.

Any ideas please?

Answer 1

yum remove -y php71

This is probably not enough, you should remove everything in this SCL

yum remove php71\*

Also check you have restart the needed services (httpd, nginx, php-fpm...)

Please also notice that such vuln scanner result have no value if it use upstream "version", when package may include security fix.

Ex from php 7.1.33-22 in my repository (all known security fix from 7.4.32 are also fixed in this package)

* Tue Sep 27 2022 Remi Collet <[email protected]> - 7.1.33-22
- phar: fix #81726 DOS when using quine gzip file. CVE-2022-31628
- core: fix #81727 Don't mangle HTTP variable names that clash with ones   that have a specific semantic meaning. CVE-2022-31629

* Tue Jun 07 2022 Remi Collet <[email protected]> - 7.1.33-20
- mysqlnd: fix #81719: mysqlnd/pdo password buffer overflow. CVE-2022-31626
- pgsql: fix #81720: Uninitialized array in pg_query_params(). CVE-2022-31625

etc

Of course, I recommend using a PHP upstream suported version.

I also recommend to upgrade to a more recent version of CentOS, as version is now 8 years old and close to its end of life.

Reminder: for proper repository installation and usage, follow the wizard instructions especially, if you want a single version, you don't have to install SCL designed for installation of multiple versions. And using a single version make upgrade simpler.