https://bugs.php.net/bug.php?id=78862

https://security.netapp.com/advisory/ntap-20200103-0002/

FEDORA-2019-437d94e271

FEDORA-2019-a54a622670

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is less than 5.19.0 and is therefore affected by multiple vulnerabilities in the following components: 
  - Apache FOP
  - Underscore
  - Handlebars
  - PHP
  - sqlite

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

This plugin has been deprecated by plugin 152985 and 152986.

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045)

In PHP versions 7.3.x below 7.3.13 and 7.4.0 on Windows, when supplying custom headers to mail() function, due to mistake introduced in commit 78f4b4a2dcf92ddbccea1bb95f8390a18ac3342e, if the header is supplied in lowercase, this can result in double-freeing certain memory locations. (CVE-2019-11049)

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11047)

A flaw was discovered in the link function in PHP. When compiled on Windows, it does not correctly handle paths containing NULL bytes. An attacker could abuse this flaw to bypass application checks on file paths. (CVE-2019-11044)

When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what will cause it to read past the allocated buffer. This may lead to information disclosure or crash. (CVE-2019-11050)

In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP bcmath extension functions on some systems, including Windows, can be tricked into reading beyond the allocated space by supplying it with string containing characters that are identified as numeric by the OS but aren't ASCII numbers. This can read to disclosure of the content of some memory locations. (CVE-2019-11046)

According to its banner, the version of PHP running on the remote web server is prior to 7.2.26, 7.3.x prior to 7.3.13, or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities:

 - An arbitrary file read vulnerability exists in link() and DirectoryIterator class due to improper handling of embedded \0 byte character and treats them as terminating at that byte. An attacker can exploit this to disclose information in applications checking paths that the code is allowed to access. (CVE-2019-11044 / CVE-2019-11045)

 - An out-of-bounds READ error exists in the bcmath extension due to an input validation error. An unauthenticated, remote attacker can exploit this by supplying a string containing characters that are identified as numeric by the OS but are not ASCII number. This can cause lead to the disclosure of information within some memory locations. (CVE-2019-11046)

 - An out-of-bounds READ error exists in parsing EXIF information from an image. An unauthenticated, remote attacker can exploit this and supply it iwth data that will cause it to read past the allocated buffer disclosing of information. (CVE-2019-11047 / CVE-2019-11050)

 - A denial of service (DoS) vulnerability exists in mail() due to the double-freeing of certain memory locations. An unauthenticated, remote attacker can exploit this issue, by supplying custom headers, and to cause the application to segfault and stop responding.

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.26. It is, therefore, affected by multiple vulnerabilities:

  - An arbitrary file read vulnerability exists in link() and     DirectoryIterator class due to improper handling of embedded     \0 byte character and treats them as terminating at that byte.     An attacker can exploit this to disclose information in     applications checking paths that the code is allowed to access.
    (CVE-2019-11044 CVE-2019-11045)

  - An out-of-bounds READ error exists in the bcmath extension due to     an input validation error. An unauthenticated, remote attacker     can exploit this by supplying a string containing characters that     are identified as numeric by the OS but are not ASCII number.     This can cause lead to the disclosure of information within some     memory locations. (CVE-2019-11046)

  - An out-of-bounds READ error exists in parsing EXIF information     from an image. An unauthenticated, remote attacker     can exploit this and supply it iwth data that will cause it to     read past the allocated buffer disclosing of information.
    (CVE-2019-11047)

According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.13 or 7.4.x prior to 7.4.1. It is, therefore, affected by multiple vulnerabilities:

  - An arbitrary file read vulnerability exists in link() and     DirectoryIterator class due to improper handling of embedded     \0 byte character and treats them as terminating at that byte.     An attacker can exploit this to disclose information in     applications checking paths that the code is allowed to access.
    (CVE-2019-11044 CVE-2019-11045)

  - An out-of-bounds READ error exists in the bcmath extension due to     an input validation error. An unauthenticated, remote attacker     can exploit this by supplying a string containing characters that     are identified as numeric by the OS but are not ASCII number.     This can cause lead to the disclosure of information within some     memory locations. (CVE-2019-11046)

  - An out-of-bounds READ error exists in parsing EXIF information     from an image. An unauthenticated, remote attacker     can exploit this and supply it iwth data that will cause it to     read past the allocated buffer disclosing of information.
    (CVE-2019-11047 CVE-2019-11050)

  - A denial of service (DoS) vulnerability exists in mail() due to     the double-freeing of certain memory locations. An unauthenticated,     remote attacker can exploit this issue, by supplying custom headers,     and to cause the application to segfault and stop responding.

**PHP version 7.3.13** (18 Dec 2019)

**Bcmath:**

  - Fixed bug php#78878 (Buffer underflow in     bc_shift_addsub). (**CVE-2019-11046**). (cmb)

**Core:**

  - Fixed bug php#78862 (link() silently truncates after a     null byte on Windows). (**CVE-2019-11044**). (cmb)

  - Fixed bug php#78863 (DirectoryIterator class silently     truncates after a null byte). (**CVE-2019-11045**).
    (cmb)

  - Fixed bug php#78943 (mail() may release string with     refcount==1 twice). (**CVE-2019-11049**). (cmb)

  - Fixed bug php#78787 (Segfault with trait overriding     inherited private shadow property). (Nikita)

  - Fixed bug php#78868 (Calling __autoload() with incorrect     EG(fake_scope) value). (Antony Dovgal, Dmitry)

  - Fixed bug php#78296 (is_file fails to detect file).
    (cmb)

**EXIF:**

  - Fixed bug php#78793 (Use-after-free in exif parsing     under memory sanitizer). (**CVE-2019-11050**). (Nikita)

  - Fixed bug php#78910 (Heap-buffer-overflow READ in exif).
    (**CVE-2019-11047**). (Nikita)

**GD:**

  - Fixed bug php#78849 (GD build broken with -D     SIGNED_COMPARE_SLOW). (cmb)

**MBString:**

  - Upgraded bundled Oniguruma to 6.9.4. (cmb)

**OPcache:**

  - Fixed potential ASLR related invalid opline handler     issues. (cmb)

  - Fixed $x = (bool)$x; with opcache (should emit     undeclared variable notice). (Tyson Andre)

**PCRE:**

  - Fixed bug php#78853 (preg_match() may return integer >     1). (cmb)

**Standard:**

  - Fixed bug php#78759 (array_search in $GLOBALS). (Nikita)

  - Fixed bug php#77638 (var_export'ing certain class     instances segfaults). (cmb)

  - Fixed bug php#78840 (imploding $GLOBALS crashes). (cmb)

  - Fixed bug php#78833 (Integer overflow in pack causes     out-of-bound access). (cmb)

  - Fixed bug php#78814 (strip_tags allows / in tag name =>     whitelist bypass). (cmb)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
152986	Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14)	Nessus	Misc.	high
151985	Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated)	Nessus	Misc.	high
133558	Amazon Linux AMI : php72 / php73 (ALAS-2020-1339)	Nessus	Amazon Linux Local Security Checks	critical
98927	PHP 7.2.x < 7.2.26 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
98926	PHP 7.3.x < 7.3.13 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
98925	PHP 7.4.x < 7.4.1 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	critical
132770	PHP 7.2.x < 7.2.26 Multiple Vulnerabilities	Nessus	CGI abuses	medium
132769	PHP 7.3.x < 7.3.13 / 7.4.x < 7.4.1 Multiple Vulnerabilities	Nessus	CGI abuses	critical
132655	Fedora 31 : php (2019-a54a622670)	Nessus	Fedora Local Security Checks	critical
132644	Fedora 30 : php (2019-437d94e271)	Nessus	Fedora Local Security Checks	critical

CVE-2019-11044

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Tenable Plugins

high

high

critical

critical

critical

critical

medium

critical

critical

critical