PHP 5.4.x < 5.4.30 / 5.5.x < 5.5.14 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 8320

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.4.x earlier than 5.4.30, or 5.5.x earlier than 5.5.14, are exposed to the following issues:

- Boundary checking errors exist related to the Fileinfo extension, Composite Document Format (CDF) handling and the functions 'cdf_read_short_sector', 'cdf_check_stream_offset', 'cdf_count_chain' and 'cdf_read_property_info'. (CVE-2014-0207, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487)
- A Pascal string size handling error exists related to the Fileinfo extension and the function 'mconvert'. (CVE-2014-3478)
- A type-confusion error exists related to the Standard PHP Library (SPL) extension and the function 'unserialize'. (CVE-2014-3515)
- An error exists related to configuration scripts and temporary file handling that could allow insecure file usage. (CVE-2014-3981)
- A heap-based buffer overflow error exists related to the function 'dns_get_record' that could allow execution of arbitrary code. (CVE-2014-4049)
- A type-confusion error exists related to the 'php_print_info' function which could allow disclosure of sensitive information. (CVE-2014-4721)
- An error exists related to unserialization and 'SplFileObject' handling that could allow denial of service attacks. (Bug 67072)
- A double free error exists related to the 'Intl' extension and the method 'Locale::parseLocale', with unspecified impact. (Bug 67349)
- A buffer overflow error exists related to the 'Intl' extension and the functions 'locale_get_display_name' and 'uloc_getDisplayName', with unspecified impact. (Bug 67397)
- An out-of-bounds read flaw affects the date_parse_from_format() function in 'ext/date/lib/parse_date.c' that is triggered as date parsing routines fail to check the end of strings. This may allow a remote attacker to crash an application linked against PHP or potentially disclose memory contents. (Bug 67251)
- An out-of-bounds read flaw affects the timelib_meridian_with_check() function in 'ext/date/lib/parse_date.c' that is triggered as string ends are not properly checked. This may allow a remote attacker to crash an application linked against PHP or potentially disclose memory contents. (Bug 67253)

Solution

Upgrade to PHP version 5.5.14 or later. If 5.5.x cannot be installed, 5.4.30 is also patched for these vulnerabilities.
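
The version ranges above can be checked against the PHP token a web server exposes in its response headers. The following is an added example, not part of the plugin: the function names and sample header lines are constructed, and it assumes the banner reflects the upstream PHP version (distribution packages that backport fixes may report an older number while being patched).

```python
import re

# Fixed patch level per branch, taken from the advisory: 5.4.30 and 5.5.14.
FIXED = {(5, 4): 30, (5, 5): 14}

# Matches tokens such as "PHP/5.4.29", "PHP/5.5.14RC1" or "PHP/5.4.30-1".
_BANNER = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)((?:RC|alpha|beta)\d*|-dev)?", re.I)


def parse_php_version(header_line):
    """Return (major, minor, patch, is_prerelease), or None if no PHP token."""
    m = _BANNER.search(header_line)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None


def classify(header_line):
    """Return 'affected', 'fixed', 'out-of-scope' or 'unknown'."""
    parsed = parse_php_version(header_line)
    if parsed is None:
        return "unknown"          # PHP version not disclosed in this header
    major, minor, patch, prerelease = parsed
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "out-of-scope"     # this advisory covers only 5.4.x and 5.5.x
    # Assumption: a pre-release build of the fixed version (e.g. 5.5.14RC1)
    # is treated as earlier than the final release, so it counts as affected.
    if patch < fixed_patch or (patch == fixed_patch and prerelease):
        return "affected"
    return "fixed"


# Constructed sample header lines, not taken from any real host.
SAMPLE_HEADERS = [
    "X-Powered-By: PHP/5.4.29",
    "X-Powered-By: PHP/5.5.14RC1",
    "Server: Apache/2.2.22 (Ubuntu) PHP/5.4.30-1",
    "X-Powered-By: PHP/5.3.28",
    "Server: nginx",
]

if __name__ == "__main__":
    for line in SAMPLE_HEADERS:
        print(f"{classify(line):13} {line}")
```

A result of 'unknown' or 'out-of-scope' says nothing about whether the host is patched for other issues; it only means this advisory's version test does not apply.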

See Also

http://www.php.net/ChangeLog-5.php#5.4.30

http://www.php.net/ChangeLog-5.php#5.5.14

https://bugs.php.net/bug.php?id=67072

https://bugs.php.net/bug.php?id=67251

https://bugs.php.net/bug.php?id=67253

https://bugs.php.net/bug.php?id=67326

https://bugs.php.net/bug.php?id=67349

https://bugs.php.net/bug.php?id=67390

https://bugs.php.net/bug.php?id=67397

https://bugs.php.net/bug.php?id=67410

https://bugs.php.net/bug.php?id=67411

https://bugs.php.net/bug.php?id=67412

https://bugs.php.net/bug.php?id=67413

https://bugs.php.net/bug.php?id=67432

https://bugs.php.net/bug.php?id=67492

https://bugs.php.net/bug.php?id=67498

http://seclists.org/oss-sec/2014/q3/29

Plugin Details

Severity: Critical

ID: 8320

Family: Web Servers

Published: 2014/07/02

Modified: 2016/11/23

Dependencies: 8682

Nessus ID: 76281, 76282

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2014/06/26

Vulnerability Publication Date: 2014/06/26

Reference Information

CVE: CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3515, CVE-2014-3981, CVE-2014-4049, CVE-2014-4721

BID: 67837, 68007, 68120, 68237, 68238, 68239, 68241, 68243, 68423, 68550