https://bugs.php.net/bug.php?id=79371

https://security.netapp.com/advisory/ntap-20200403-0001/

USN-4330-1

USN-4330-2

DSA-4719

https://www.php.net/ChangeLog-7.php#7.4.4

https://www.tenable.com/security/tns-2021-14

https://www.oracle.com/security-alerts/cpuoct2021.html

According to its self-reported version, the Tenable SecurityCenter application installed on the remote host is less than 5.19.0 and is therefore affected by multiple vulnerabilities in the following components: 
  - Apache FOP
  - Underscore
  - Handlebars
  - PHP
  - sqlite

Note that successful exploitation of the most serious issues can result in arbitrary code execution.

This plugin has been deprecated by plugin 152985 and 152986.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2020:3662 advisory.

  - php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

  - php: Buffer over-read in exif_read_data() (CVE-2019-11040)

  - php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)

  - php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042)

  - php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at     that byte (CVE-2019-11045)

  - php: Information disclosure in exif_read_data() (CVE-2019-11047)

  - php: Integer wraparounds when receiving multipart forms (CVE-2019-11048)

  - php: Out of bounds read when parsing EXIF information (CVE-2019-11050)

  - oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)

  - oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225)

  - oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)

  - oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)

  - oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c     (CVE-2019-19204)

  - oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)

  - pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

  - php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059)

  - php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060)

  - php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062)

  - php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)

  - php: Information disclosure in exif_read_data() function (CVE-2020-7064)

  - php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution     (CVE-2020-7065)

  - php: Information disclosure in function get_headers (CVE-2020-7066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2020-3662 advisory.

  - Function iconv_mime_decode_headers() in PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x     below 7.3.6 may perform out-of-buffer read due to integer overflow when parsing MIME headers. This may     lead to information disclosure or crash. (CVE-2019-11039)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.1.x below 7.1.30, 7.2.x below 7.2.19 and 7.3.x below 7.3.6 it is possible to supply it with     data what will cause it to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2019-11040)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.1.x below 7.1.31, 7.2.x below 7.2.21 and 7.3.x below 7.3.8 it is possible to supply it with     data what will cause it to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2019-11041, CVE-2019-11042)

  - When PHP EXIF extension is parsing EXIF information from an image, e.g. via exif_read_data() function, in     PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0 it is possible to supply it with data what     will cause it to read past the allocated buffer. This may lead to information disclosure or crash.
    (CVE-2019-11047, CVE-2019-11050)

  - In PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18 and 7.4.x below 7.4.6, when HTTP file uploads are     allowed, supplying overly long filenames or field names could lead PHP engine to try to allocate oversized     memory storage, hit the memory limit and stop processing the request, without cleaning up temporary files     created by upload request. This potentially could lead to accumulation of uncleaned temporary files     exhausting the disk space on the target server. (CVE-2019-11048)

  - A NULL Pointer Dereference in match_at() in regexec.c in Oniguruma 6.9.2 allows attackers to potentially     cause denial of service by providing a crafted regular expression. Oniguruma issues often affect Ruby, as     well as common optional libraries for PHP and Rust. (CVE-2019-13225)

  - Oniguruma before 6.9.3 allows Stack Exhaustion in regcomp.c because of recursion in regparse.c.
    (CVE-2019-16163)

  - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function gb18030_mbc_enc_len in file     gb18030.c, a UChar pointer is dereferenced without checking if it passed the end of the matched string.
    This leads to a heap-based buffer over-read. (CVE-2019-19203)

  - Oniguruma through 6.9.3, as used in PHP 7.3.x and other products, has a heap-based buffer over-read in     str_lower_case_match in regexec.c. (CVE-2019-19246)

  - An out-of-bounds read was discovered in PCRE before 10.34 when the pattern \X is JIT compiled and used to     match specially crafted subjects in non-UTF mode. Applications that use PCRE to parse untrusted input may     be vulnerable to this flaw, which would allow an attacker to crash the application. The flaw occurs in     do_extuni_no_utf in pcre2_jit_compile.c. (CVE-2019-20454)

  - In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while parsing EXIF data with     exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of     uninitialized memory. This could potentially lead to information disclosure or crash. (CVE-2020-7064)

  - In PHP versions 7.2.x below 7.2.26, 7.3.x below 7.3.13 and 7.4.0, PHP DirectoryIterator class accepts     filenames with embedded \0 byte and treats them as terminating at that byte. This could lead to security     vulnerabilities, e.g. in applications checking paths that the code is allowed to access. (CVE-2019-11045)

  - A use-after-free in onig_new_deluxe() in regext.c in Oniguruma 6.9.2 allows attackers to potentially cause     information disclosure, denial of service, or possibly code execution by providing a crafted regular     expression. The attacker provides a pair of a regex pattern and a string, with a multi-byte encoding that     gets handled by onig_new_deluxe(). Oniguruma issues often affect Ruby, as well as common optional     libraries for PHP and Rust. (CVE-2019-13224)

  - An issue was discovered in Oniguruma 6.x before 6.9.4_rc2. In the function fetch_interval_quantifier     (formerly known as fetch_range_quantifier) in regparse.c, PFETCH is called without checking PEND. This     leads to a heap-based buffer over-read. (CVE-2019-19204)

  - When using fgetss() function to read data with stripping tags, in PHP versions 7.2.x below 7.2.27, 7.3.x     below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause this function to read     past the allocated buffer. This may lead to information disclosure or crash. (CVE-2020-7059)

  - When using certain mbstring functions to convert multibyte encodings, in PHP versions 7.2.x below 7.2.27,     7.3.x below 7.3.14 and 7.4.x below 7.4.2 it is possible to supply data that will cause function     mbfl_filt_conv_big5_wchar to read past the allocated buffer. This may lead to information disclosure or     crash. (CVE-2020-7060)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when using file upload     functionality, if upload progress tracking is enabled, but session.upload_progress.cleanup is set to 0     (disabled), and the file upload fails, the upload procedure would try to clean up data that does not exist     and encounter null pointer dereference, which would likely lead to a crash. (CVE-2020-7062)

  - In PHP versions 7.2.x below 7.2.28, 7.3.x below 7.3.15 and 7.4.x below 7.4.3, when creating PHAR archive     using PharData::buildFromIterator() function, the files are added with default permissions (0666, or all     access) even if the original files on the filesystem were with more restrictive permissions. This may     result in files having more lax permissions than intended when such archive is extracted. (CVE-2020-7063)

  - In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using mb_strtolower() function with     UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could     lead to memory corruption, crashes and potentially code execution. (CVE-2020-7065)

  - In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers()     with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it.
    This may cause some software to make incorrect assumptions about the target of the get_headers() and     possibly send some information to a wrong server. (CVE-2020-7066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:3662 advisory.

  - php: Out-of-bounds read due to integer overflow in iconv_mime_decode_headers() (CVE-2019-11039)

  - php: Buffer over-read in exif_read_data() (CVE-2019-11040)

  - php: Heap buffer over-read in exif_scan_thumbnail() (CVE-2019-11041)

  - php: Heap buffer over-read in exif_process_user_comment() (CVE-2019-11042)

  - php: DirectoryIterator class accepts filenames with embedded \0 byte and treats them as terminating at     that byte (CVE-2019-11045)

  - php: Information disclosure in exif_read_data() (CVE-2019-11047)

  - php: Integer wraparounds when receiving multipart forms (CVE-2019-11048)

  - php: Out of bounds read when parsing EXIF information (CVE-2019-11050)

  - oniguruma: Use-after-free in onig_new_deluxe() in regext.c (CVE-2019-13224)

  - oniguruma: NULL pointer dereference in match_at() in regexec.c (CVE-2019-13225)

  - oniguruma: Stack exhaustion in regcomp.c because of recursion in regparse.c (CVE-2019-16163)

  - oniguruma: Heap-based buffer over-read in function gb18030_mbc_enc_len in file gb18030.c (CVE-2019-19203)

  - oniguruma: Heap-based buffer over-read in function fetch_interval_quantifier in regparse.c     (CVE-2019-19204)

  - oniguruma: Heap-based buffer overflow in str_lower_case_match in regexec.c (CVE-2019-19246)

  - pcre: Out of bounds read in JIT mode when \X is used in non-UTF mode (CVE-2019-20454)

  - php: Out of bounds read in php_strip_tags_ex (CVE-2020-7059)

  - php: Global buffer-overflow in mbfl_filt_conv_big5_wchar function (CVE-2020-7060)

  - php: NULL pointer dereference in PHP session upload progress (CVE-2020-7062)

  - php: Files added to tar with Phar::buildFromIterator have all-access permissions (CVE-2020-7063)

  - php: Information disclosure in exif_read_data() function (CVE-2020-7064)

  - php: Using mb_strtolower() function with UTF-32LE encoding leads to potential code execution     (CVE-2020-7065)

  - php: Information disclosure in function get_headers (CVE-2020-7066)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Multiple security issues were found in PHP, a widely-used open source general purpose scripting language which could result in information disclosure, denial of service or potentially the execution of arbitrary code.

In PHP versions 7.2.x below 7.2.9, 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while parsing EXIF data with exif_read_data() function, it is possible for malicious data to cause PHP to read one byte of uninitialized memory. This could potentially lead to information disclosure or crash. (CVE-2020-7064)

In PHP versions 7.3.x below 7.3.16 and 7.4.x below 7.4.34, while using mb_strtolower() function with UTF-32LE encoding, certain invalid strings could cause PHP to overwrite stack-allocated buffer. This could lead to memory corruption, crashes and potentially code execution. (CVE-2020-7065)

In PHP versions 7.2.x below 7.2.29, 7.3.x below 7.3.16 and 7.4.x below 7.4.4, while using get_headers() with user-supplied URL, if the URL contains zero (\0) character, the URL will be silently truncated at it. This may cause some software to make incorrect assumptions about the target of the get_headers() and possibly send some information to a wrong server. (CVE-2020-7066)

In PHP versions 7.2.x below 7.2.30, 7.3.x below 7.3.17 and 7.4.x below 7.4.5, if PHP is compiled with EBCDIC support (uncommon), urldecode() function can be made to access locations past the allocated memory, due to erroneously using signed numbers as array indexes.
(CVE-2020-7067)

USN-4330-1 fixed vulnerabilities in PHP. This update provides the corresponding update for Ubuntu 20.04 LTS.

Original advisory details :

It was discovered that PHP incorrectly handled certain EXIF files. An attacker could possibly use this issue to access sensitive information or cause a crash. (CVE-2020-7064)

It was discovered that PHP incorrectly handled certain UTF strings. An attacker could possibly use this issue to cause a crash or execute arbitrary code. (CVE-2020-7065)

It was discovered that PHP incorrectly handled certain URLs.
An attacker could possibly use this issue to expose sensitive information. (CVE-2020-7066).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that PHP incorrectly handled certain file uploads.
An attacker could possibly use this issue to cause a crash.
(CVE-2020-7062)

It was discovered that PHP incorrectly handled certain PHAR archive files. An attacker could possibly use this issue to access sensitive information. (CVE-2020-7063)

It was discovered that PHP incorrectly handled certain EXIF files. An attacker could possibly use this issue to access sensitive information or cause a crash. (CVE-2020-7064)

It was discovered that PHP incorrectly handled certain UTF strings. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 19.10. (CVE-2020-7065)

It was discovered that PHP incorrectly handled certain URLs. An attacker could possibly use this issue to expose sensitive information. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. (CVE-2020-7066).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-202003-57 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers referenced below for details.
  Impact :

    An attacker could possibly execute arbitrary shell commands, cause a       Denial of Service condition or obtain sensitive information.
  Workaround :

    There is no known workaround at this time.

**PHP version 7.3.16** (19 Mar 2020)

**Core:**

  - Fixed bug php#63206 (restore_error_handler does not     restore previous errors mask). (Mark Plomer)

**DOM:**

  - Fixed bug php#77569: (Write Access Violation in     DomImplementation). (Nikita, cmb)

  - Fixed bug php#79271 (DOMDocumentType::$childNodes is     NULL). (cmb)

**Enchant:**

  - Fixed bug php#79311 (enchant_dict_suggest() fails on big     endian architecture). (cmb)

**EXIF:**

  - Fixed bug php#79282 (Use-of-uninitialized-value in     exif). (**CVE-2020-7064*) (Nikita)

**MBstring:**

  - Fixed bug php#79371 (mb_strtolower (UTF-32LE):
    stack-buffer-overflow at php_unicode_tolower_full).
    (**CVE-2020-7065**) (cmb)

**MySQLi:**

  - Fixed bug php#64032 (mysqli reports different     client_version). (cmb)

**PCRE:**

  - Fixed bug php#79188 (Memory corruption in     preg_replace/preg_replace_callback and unicode).
    (Nikita)

**PDO_ODBC:**

  - Fixed bug php#79038 (PDOStatement::nextRowset() leaks     column values). (cmb)

**Reflection:**

  - Fixed bug php#79062 (Property with heredoc default value     returns false for getDocComment). (Nikita)

**SQLite3:**

  - Fixed bug php#79294 (::columnType() may fail after     SQLite3Stmt::reset()). (cmb)

**Standard:**

  - Fixed bug php#79329 (get_headers() silently truncates     after a null byte). (**CVE-2020-7066**) (cmb)

  - Fixed bug php#79254 (getenv() w/o arguments not showing     changes). (cmb)

  - Fixed bug php#79265 (Improper injection of Host header     when using fopen for http requests). (Miguel Xavier     Penha Neto)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its banner, the version of PHP running on the remote web server is 7.3.x prior to 7.3.16. It is, therefore, affected by the following vulnerabilities:

  - An out of bounds read resulting in the use of an uninitialized value in exif (CVE-2020-7064)

  - A stack buffer overflow in allows overwriting of a stack-allocated buffer with an overflown array from     .rodata. (CVE-2020-7065)

  - get_headers() silently truncates anything after a null byte in the URL it uses. An unauthenticated, remote     attacker can exploit this to leak sensitive information or cause the web server to unexpectedly process     attacker-controlled data. (CVE-2020-7066)     Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its banner, the version of PHP running on the remote web server is prior to 7.2.29, 7.3.x prior to 7.3.16, or 7.4.x prior to 7.4.4. It is, therefore, affected by multiple vulnerabilities: - An improper null termination exists in get_headers due to a silent truncation after a null byte. (CVE-2020-7066) - An out-of-bounds read error exists in exif due to the use of uninitialized value. (CVE-2020-7064) - A stack-based buffer overflow condition exists in php_unicode_tolower_full due to a call to mb_strtolower. (CVE-2020-7065) Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
152986	Tenable SecurityCenter < 5.19.0 Multiple Vulnerabilities (TNS-2021-14)	Nessus	Misc.	high
151985	Tenable.sc < 5.19.0 Multiple Vulnerabilities (TNS-2021-14) (deprecated)	Nessus	Misc.	high
145957	CentOS 8 : php:7.3 (CESA-2020:3662)	Nessus	CentOS Local Security Checks	critical
140482	Oracle Linux 8 : php:7.3 (ELSA-2020-3662)	Nessus	Oracle Linux Local Security Checks	critical
140396	RHEL 8 : php:7.3 (RHSA-2020:3662)	Nessus	Red Hat Local Security Checks	critical
138225	Debian DSA-4719-1 : php7.3 - security update	Nessus	Debian Local Security Checks	high
136629	Amazon Linux AMI : php73 (ALAS-2020-1368)	Nessus	Amazon Linux Local Security Checks	high
136398	Ubuntu 20.04 : php7.4 vulnerabilities (USN-4330-2)	Nessus	Ubuntu Local Security Checks	high
135672	Ubuntu 16.04 LTS / 18.04 LTS / 19.10 : PHP vulnerabilities (USN-4330-1)	Nessus	Ubuntu Local Security Checks	high
134965	GLSA-202003-57 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
134962	Fedora 30 : php (2020-ce5a2a7403)	Nessus	Fedora Local Security Checks	high
134944	PHP 7.3.x < 7.3.16 Multiple Vulnerabilities	Nessus	CGI abuses	high
134919	Fedora 31 : php (2020-0bf228857a)	Nessus	Fedora Local Security Checks	high
98993	PHP 7.2.x < 7.2.29 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98992	PHP 7.3.x < 7.3.16 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high
98991	PHP 7.4.x < 7.4.4 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	high

CVE-2020-7065

high

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

CVSS v3

Vulnerable Software

Configuration 1

Configuration 2

Configuration 3

Configuration 4

Tenable Plugins

high

high

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high