PHP 4.3.10 < 4.4.9 / 5.0.3 < 5.4.36 / 5.5.x < 5.5.20 / 5.6.x < 5.6.4 DoS

medium Nessus Network Monitor Plugin ID 8922

Synopsis

The remote web server uses a version of PHP that is affected by a denial of service vulnerability.

Description

PHP versions 4.3.10 through 4.4.9, 5.0.3 prior to 5.4.36, 5.5.x prior to 5.5.20, and 5.6.x prior to 5.6.4 are affected by a denial of service vulnerability due to a NULL pointer dereference in the 'var_push_dtor()' function of the unserializer (reported against 'unserialize.c'; the function lives in ext/standard/var_unserializer.c in the source tree). The flaw is reached through unserialize(), so a remote attacker who can get crafted serialized data passed to that function can crash the PHP process, denying service to legitimate users. Applications that never call unserialize() on untrusted input are not directly exposed, but the version should still be patched. Note that this is a version-based check: a distribution that backports the fix without changing the reported version number will still be flagged. (PHP Bug #68545)
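The affected ranges above can be checked directly against a PHP version banner. The following is an added example, not part of the Tenable plugin or of PHP itself: it extracts the upstream version triple from an X-Powered-By or Server header value and tests it against the ranges this plugin lists. The sample header values are constructed for the example, and the handling of a Debian-style suffix such as '-0+deb7u2' is an assumption about common banner formats. A result of "affected" means only that the version string falls inside the range; a distribution may have backported the fix without changing the number.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges from this plugin, as half-open [lower, upper) intervals where
# upper is the first fixed release. The 4.x branch ends at 4.4.9 and has no
# fixed release, so its upper bound is the (non-existent) next patch level.
AFFECTED_RANGES = [
    ((4, 3, 10), (4, 4, 10)),  # 4.3.10 through 4.4.9
    ((5, 0, 3), (5, 4, 36)),   # 5.0.3 through 5.4.35, fixed in 5.4.36
    ((5, 5, 0), (5, 5, 20)),   # 5.5.x, fixed in 5.5.20
    ((5, 6, 0), (5, 6, 4)),    # 5.6.x, fixed in 5.6.4
]

# Matches "PHP/5.4.35", "PHP 5.4.35" and "PHP/5.4.35-0+deb7u2"; only the
# numeric triple is captured, distribution suffixes are ignored (assumption).
_VERSION_RE = re.compile(r"PHP/?\s*(\d+)\.(\d+)\.(\d+)", re.IGNORECASE)


def parse_php_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from a header value, or None if no PHP version is present."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def is_affected(version: Version) -> bool:
    """True if the version lies inside any affected range (tuple comparison is lexicographic)."""
    return any(lo <= version < hi for lo, hi in AFFECTED_RANGES)


def assess_banner(banner: str) -> str:
    """Classify a header value as 'affected', 'not affected' or 'unknown' (no PHP version found)."""
    version = parse_php_version(banner)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not affected"


if __name__ == "__main__":
    # Constructed sample header values, not captured traffic.
    samples = [
        "X-Powered-By: PHP/5.4.35",
        "X-Powered-By: PHP/5.4.36",
        "X-Powered-By: PHP/5.4.35-0+deb7u2",  # Debian-style suffix, may be backported
        "X-Powered-By: PHP/5.5.19",
        "X-Powered-By: PHP/5.6.4",
        "Server: Apache/2.2.22 (Debian)",
    ]
    for s in samples:
        print(f"{s!r}: {assess_banner(s)}")
```

Run the file directly to see each sample classified; the useful part for a scanner is that a banner carrying a vendor suffix still parses, so the result should be confirmed against the distribution's changelog before being treated as a finding.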

Solution

Apply the vendor's patch, or upgrade to the latest version. This issue has been fixed in PHP 5.4.36, 5.5.20, 5.6.4 and later. The 4.x branch is end-of-life and received no fix; hosts still running it should be moved to a supported branch. If PHP comes from an operating system distribution, confirm whether the fix for Bug #68545 has been backported before treating the version number alone as conclusive.

See Also

https://bugs.php.net/bug.php?id=68545

http://php.net/ChangeLog-5.php#5.4.36

http://3v4l.org/BtYZg

Plugin Details

Severity: Medium

ID: 8922

Family: Web Servers

Published: 2/25/2015

Updated: 3/6/2019

Risk Information

CVSS v2

Risk Factor: Medium

Base Score: 5.0

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 12/18/2014

Vulnerability Publication Date: 12/3/2014

Reference Information

BID: 72491