openSUSE-SU-2020:1703

openSUSE-SU-2020:1767

https://bugs.php.net/bug.php?id=79601

FEDORA-2020-4fe6b116e5

FEDORA-2020-94763cb98b

FEDORA-2020-4573f0e03a

GLSA-202012-16

https://security.netapp.com/advisory/ntap-20201016-0001/

USN-4583-1

The remote host is affected by the vulnerability described in GLSA-202012-16 (PHP: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in PHP. Please review the       CVE identifiers and change log referenced below for details.
  Impact :

    An attacker could cause a Denial of Service condition or obtain       sensitive information.
  Workaround :

    There is no known workaround at this time.

This update for php74 fixes the following issues :

CVE-2020-7069: Fixed an issue when AES-CCM mode was used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV was used (bsc#1177351).

CVE-2020-7070: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1177352).

Added tmpfiles.d for php-fpm to provide a base for a socket (bsc#1173786)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues :

CVE-2020-7069: Fixed an issue when AES-CCM mode was used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV was used (bsc#1177351).

CVE-2020-7070: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1177352).

Added tmpfiles.d for php-fpm to provide a base for a socket (bsc#1173786)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php72 fixes the following issues :

CVE-2020-7069: Fixed an issue when AES-CCM mode was used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV was used (bsc#1177351).

CVE-2020-7070: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1177352).

Added tmpfiles.d for php-fpm to provide a base for a socket (bsc#1173786)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues :

CVE-2020-7069: Fixed an issue when AES-CCM mode was used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV was used (bsc#1177351).

CVE-2020-7070: Fixed an issue where percent-encoded cookies could have been used to overwrite existing prefixed cookie names (bsc#1177352).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23     and 7.4.x below 7.4.11, when PHP is processing incoming     HTTP cookie values, the cookie names are url-decoded.
    This may lead to cookies with prefixes like __Host     confused with cookies that decode to such prefix, thus     leading to an attacker being able to forge cookie which     is supposed to be secure. See also CVE-2020-8184 for     more information.(CVE-2020-7070)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23     and 7.4.x below 7.4.11, when AES-CCM mode is used with     openssl_encrypt() function with 12 bytes IV, only first     7 bytes of the IV is actually used. This can lead to     both decreased security and incorrect encryption     data.(CVE-2020-7069)

  - In PHP versions 7.2.x below 7.2.23, 7.3.x below 7.3.21     and 7.4.x below 7.4.9, while processing PHAR files     using phar extension, phar_parse_zipfile could be     tricked into accessing freed memory, which could lead     to a crash or information disclosure.(CVE-2020-7068)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for php7 fixes the following issues :

  - CVE-2020-7069: Fixed an issue when AES-CCM mode was used     with openssl_encrypt() function with 12 bytes IV, only     first 7 bytes of the IV was used (bsc#1177351).

  - CVE-2020-7070: Fixed an issue where percent-encoded     cookies could have been used to overwrite existing     prefixed cookie names (bsc#1177352). 

  - Added tmpfiles.d for php-fpm to provide a base for a     socket (bsc#1173786) 

This update was imported from the SUSE:SLE-15:Update update project.

The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2020-1440 advisory.

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used     with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can     lead to both decreased security and incorrect encryption data. (CVE-2020-7069)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing     incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
    __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge     cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

  - A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3,     rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie prefix.
    (CVE-2020-8184)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4583-2 advisory.

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when AES-CCM mode is used     with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can     lead to both decreased security and incorrect encryption data. (CVE-2020-7069)

  - In PHP versions 7.2.x below 7.2.34, 7.3.x below 7.3.23 and 7.4.x below 7.4.11, when PHP is processing     incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like
    __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge     cookie which is supposed to be secure. See also CVE-2020-8184 for more information. (CVE-2020-7070)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for php7 fixes the following issues :

  - CVE-2020-7069: Fixed an issue when AES-CCM mode was used     with openssl_encrypt() function with 12 bytes IV, only     first 7 bytes of the IV was used (bsc#1177351). 

  - CVE-2020-7070: Fixed an issue where percent-encoded     cookies could have been used to overwrite existing     prefixed cookie names (bsc#1177352).

This update was imported from the SUSE:SLE-15-SP2:Update update project.

According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23 or 7.4.x prior to 7.4.11. It is, therefore, affected by multiple vulnerabilties: 

  - A weak cryptography vulnerability exists in PHP's openssl_encrypt function due to a failure to utilize   all provided IV bytes. An unauthenticated, remote attacker could exploit this to reduce the level of   security provided by the encryption scheme or affect the integrity of the encrypted data (CVE-2020-7069).

  - A cookie forgery vulnerability exists in PHP's HTTP processing functionality. An unauthenticated,   remote could expoit this to forge HTTP cookies which were supposed to be secure. (CVE-2020-7070)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version

According to its self-reported version number, the version of PHP running on the remote web server is 7.2.x prior to 7.2.34, 7.3.x prior to 7.3.23 or 7.4.x prior to 7.4.11. It is, therefore, affected by multiple vulnerabilities:

 - When AES-CCM mode is used with openssl_encrypt() function with 12 bytes IV, only first 7 bytes of the IV is actually used. This can lead to both decreased security and incorrect encryption data. (CVE-2020-7069)

 - When PHP is processing incoming HTTP cookie values, the cookie names are url-decoded. This may lead to cookies with prefixes like __Host confused with cookies that decode to such prefix, thus leading to an attacker being able to forge cookie which is supposed to be secure. (CVE-2020-7070)

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

**PHP version 7.4.11** (01 Oct 2020)

**Core:**

  - Fixed bug php#79699 (PHP parses encoded cookie names so     malicious `__Host-` cookies can be sent).
    (**CVE-2020-7070**) (Stas)

  - Fixed bug php#79979 (passing value to by-ref param via     CUFA crashes). (cmb, Nikita)

  - Fixed bug php#80037 (Typed property must not be accessed     before initialization when __get() declared). (Nikita)

  - Fixed bug php#80048 (Bug php#69100 has not been fixed     for Windows). (cmb)

  - Fixed bug php#80049 (Memleak when coercing integers to     string via variadic argument). (Nikita)

**Calendar:**

  - Fixed bug php#80007 (Potential type confusion in     unixtojd() parameter parsing). (Andy Postnikov)

**OPcache:**

  - Fixed bug php#80002 (calc free space for new interned     string is wrong). (t-matsuno)

  - Fixed bug php#80046 (FREE for SWITCH_STRING optimized     away). (Nikita)

  - Fixed bug php#79825 (opcache.file_cache causes SIGSEGV     when custom opcode handlers changed). (SammyK)

**OpenSSL:**

  - Fixed bug php#79601 (Wrong ciphertext/tag in AES-CCM     encryption for a 12 bytes IV). (**CVE-2020-7069**)     (Jakub Zelenka)

**PDO:**

  - Fixed bug php#80027 (Terrible performance using     $query->fetch on queries with many bind parameters     (Matteo)

**Standard:**

  - Fixed bug php#79986 (str_ireplace bug with diacritics     characters). (cmb)

  - Fixed bug php#80077 (getmxrr test bug). (Rainer Jung)

  - Fixed bug php#72941 (Modifying bucket->data by-ref has     no effect any longer). (cmb)

  - Fixed bug php#80067 (Omitting the port in bindto setting     errors). (cmb)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

**PHP version 7.3.23** (01 Oct 2020)

**Core:**

  - Fixed bug php#80048 (Bug php#69100 has not been fixed     for Windows). (cmb)

  - Fixed bug php#80049 (Memleak when coercing integers to     string via variadic argument). (Nikita)

  - Fixed bug php#79699 (PHP parses encoded cookie names so     malicious `__Host-` cookies can be sent).
    (**CVE-2020-7070**) (Stas)

**Calendar:**

  - Fixed bug php#80007 (Potential type confusion in     unixtojd() parameter parsing). (Andy Postnikov)

**OPcache:**

  - Fixed bug php#80002 (calc free space for new interned     string is wrong). (t-matsuno)

  - Fixed bug php#79825 (opcache.file_cache causes SIGSEGV     when custom opcode handlers changed). (SammyK)

**OpenSSL:**

  - Fixed bug php#79601 (Wrong ciphertext/tag in AES-CCM     encryption for a 12 bytes IV). (**CVE-2020-7069**)     (Jakub Zelenka)

**PDO:**

  - Fixed bug php#80027 (Terrible performance using     $query->fetch on queries with many bind parameters     (Matteo)

**Standard:**

  - Fixed bug php#79986 (str_ireplace bug with diacritics     characters). (cmb)

  - Fixed bug php#80077 (getmxrr test bug). (Rainer Jung)

  - Fixed bug php#72941 (Modifying bucket->data by-ref has     no effect any longer). (cmb)

  - Fixed bug php#80067 (Omitting the port in bindto setting     errors). (cmb)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
144602	GLSA-202012-16 : PHP: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
143783	SUSE SLES12 Security Update : php74 (SUSE-SU-2020:2896-1)	Nessus	SuSE Local Security Checks	medium
143744	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:2997-1)	Nessus	SuSE Local Security Checks	medium
143672	SUSE SLES12 Security Update : php72 (SUSE-SU-2020:2943-1)	Nessus	SuSE Local Security Checks	medium
143640	SUSE SLED15 / SLES15 Security Update : php7 (SUSE-SU-2020:2941-1)	Nessus	SuSE Local Security Checks	medium
142167	EulerOS 2.0 SP8 : php (EulerOS-SA-2020-2316)	Nessus	Huawei Local Security Checks	medium
142078	openSUSE Security Update : php7 (openSUSE-2020-1767)	Nessus	SuSE Local Security Checks	medium
141980	Amazon Linux AMI : php72 (ALAS-2020-1440)	Nessus	Amazon Linux Local Security Checks	medium
141936	Ubuntu 20.10 : PHP vulnerabilities (USN-4583-2)	Nessus	Ubuntu Local Security Checks	medium
141662	openSUSE Security Update : php7 (openSUSE-2020-1703)	Nessus	SuSE Local Security Checks	medium
141355	PHP 7.2 < 7.2.34 / 7.3.x < 7.3.23 / 7.4.x < 7.4.11 Mulitiple Vulnerabilities	Nessus	CGI abuses	medium
112604	PHP 7.2.x < 7.2.34 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
112603	PHP 7.3.x < 7.3.23 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
112602	PHP 7.4.x < 7.4.11 Multiple Vulnerabilities	Web Application Scanning	Component Vulnerability	medium
141299	Fedora 33 : php (2020-4573f0e03a)	Nessus	Fedora Local Security Checks	medium
141296	Fedora 32 : php (2020-4fe6b116e5)	Nessus	Fedora Local Security Checks	medium
141295	Fedora 31 : php (2020-94763cb98b)	Nessus	Fedora Local Security Checks	medium

CVE-2020-7069

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Configuration 2

Tenable Plugins