CVE-2012-0789

MEDIUM

Description

Memory leak in the timezone functionality in PHP before 5.3.9 allows remote attackers to cause a denial of service (memory consumption) by triggering many strtotime function calls, which are not properly handled by the php_date_parse_tzfile cache.

References

http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00013.html

http://lists.opensuse.org/opensuse-security-announce/2012-03/msg00016.html

http://secunia.com/advisories/48668

http://www.php.net/ChangeLog-5.php#5.3.9

https://bugs.php.net/bug.php?id=53502

https://bugzilla.redhat.com/show_bug.cgi?id=783609

Details

Source: MITRE

Published: 2012-02-14

Updated: 2018-01-09

Type: CWE-399

Risk Information

CVSS v2.0

Base Score: 5

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Impact Score: 2.9

Exploitability Score: 10

Severity: MEDIUM

Vulnerable Software

Configuration 1

OR

cpe:2.3:a:php:php:5.0.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta3:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:beta4:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:rc1:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:rc2:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.0:rc3:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.0.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.1.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.7:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.8:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.9:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.10:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.11:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.12:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.14:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.15:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.16:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.2.17:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.0:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.1:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.2:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.3:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.4:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.5:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.6:*:*:*:*:*:*:*

cpe:2.3:a:php:php:5.3.7:*:*:*:*:*:*:*

cpe:2.3:a:php:php:*:*:*:*:*:*:*:* versions up to 5.3.8 (inclusive)

Tenable Plugins

View all (20 total)

IDNameProductFamilySeverity
74580openSUSE Security Update : php5 (openSUSE-SU-2012:0426-1)NessusSuSE Local Security Checks
high
68571Oracle Linux 5 : php53 (ELSA-2012-1047)NessusOracle Linux Local Security Checks
high
68570Oracle Linux 6 : php (ELSA-2012-1046)NessusOracle Linux Local Security Checks
high
68569Oracle Linux 5 : php (ELSA-2012-1045)NessusOracle Linux Local Security Checks
medium
67089CentOS 5 : php53 (CESA-2012:1047)NessusCentOS Local Security Checks
high
62236GLSA-201209-03 : PHP: Multiple vulnerabilitiesNessusGentoo Local Security Checks
critical
62207FreeBSD : php5 -- Denial of Service in php_date_parse_tzfile() (9b2a5e88-02b8-11e2-92d1-000d601460a4)NessusFreeBSD Local Security Checks
medium
61358Scientific Linux Security Update : php on SL6.x i386/x86_64 (20120627)NessusScientific Linux Local Security Checks
high
61357Scientific Linux Security Update : php on SL5.x i386/x86_64 (20120627)NessusScientific Linux Local Security Checks
medium
61356Scientific Linux Security Update : php53 on SL5.x i386/x86_64 (20120627)NessusScientific Linux Local Security Checks
high
59938CentOS 6 : php (CESA-2012:1046)NessusCentOS Local Security Checks
high
59753RHEL 5 : php53 (RHSA-2012:1047)NessusRed Hat Local Security Checks
high
59752RHEL 6 : php (RHSA-2012:1046)NessusRed Hat Local Security Checks
high
59751RHEL 5 : php (RHSA-2012:1045)NessusRed Hat Local Security Checks
medium
59738CentOS 5 : php (CESA-2012:1045)NessusCentOS Local Security Checks
medium
58740SuSE 11.1 Security Update : PHP5 (SAT Patch Number 5964)NessusSuSE Local Security Checks
high
58480SuSE 10 Security Update : PHP5 (ZYPP Patch Number 8009)NessusSuSE Local Security Checks
high
801116PHP < 5.3.9 Multiple VulnerabilitiesLog Correlation EngineWeb Servers
high
6263PHP < 5.3.9 Multiple VulnerabilitiesNessus Network MonitorWeb Servers
high
57537PHP < 5.3.9 Multiple VulnerabilitiesNessusCGI abuses
high