PHP 5.4.x < 5.4.45 / 5.5.x < 5.5.29 / 5.6.x < 5.6.13 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 8861

Synopsis

The remote web server uses a version of PHP that is affected by multiple vulnerabilities.

Description

Versions of PHP 5.4.x prior to 5.4.45, 5.5.x prior to 5.5.29, or 5.6.x prior to 5.6.13 are vulnerable to the following issues :

- A use-after-free error exists in the unserialize() function in 'ext/spl/spl_observer.c'. The issue is triggered as user-supplied input is not sanitized. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A type confusion flaw affects the serialize_function_call() function in 'ext/soap/soap.c'. The issue is triggered when handling input passed via the header field. This may allow a remote attacker to execute arbitrary code.
- A use-after-free error affects the object_custom() function in 'ext/standard/var_unserializer.c'. The issue is triggered when handling user-supplied input. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A use-after-free error affects the unserialize() function in 'ext/spl/spl_dllist.c'. The issue is triggered during the deserialization of user-supplied input. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- An out-of-bounds read flaw in the exif_process_IFD_TAG() function in 'ext/exif/exif.c' that is triggered when handling TIFF IFD tags. This may allow a context-dependent attacker to crash an application linked against PHP or potentially disclose memory contents.
- An overflow condition exists in the php_pcre_match_impl() function in 'ext/pcre/php_pcre.c'. The issue is triggered as user-supplied input is not properly validated. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- A flaw exists in the php_pcre_split_impl() function in 'ext/pcre/php_pcre.c'. The flaw is triggered during the handling of offsets that consist of a start and end position within the subject string, which can cause an exhaustion of memory resources. This may allow a remote attacker to exhaust available memory.
- An overflow condition affects the php_pcre_replace_impl() function in 'ext/pcre/php_pcre.c'. The issue is triggered as user-supplied input is not properly validated when handling offsets. This may allow a remote attacker to cause a heap-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.
- A use-after-free error exists in the php_var_unserialize() function of the session deserializer (php_binary/php_serialize). The issue is triggered when deserializing multiple forms of data. This may allow a remote attacker to dereference already freed memory and potentially execute arbitrary code.
- A NULL pointer dereference flaw exists in the xsl_ext_function_php() function in 'ext/xsl/xsltprocessor.c' that is triggered as checks are not properly performed on user-supplied input. This may allow a remote attacker to cause a denial of service.
- A flaw exists that allows traversing outside of a restricted path. The issue is due to the php_zip_extract_file() function in 'ext/zip/php_zip.c' not properly sanitizing user input, specifically path traversal style attacks (e.g. '../') passed to the ZipArchive::extractTo() method. This may allow a remote attacker to create arbitrary directories.

Solution

Upgrade to PHP version 5.6.13 or later. If 5.6.13 cannot be installed, 5.4.45 and 5.5.29 are also patched for these vulnerabilities.

See Also

http://php.net/ChangeLog-5.php#5.6.13

http://php.net/ChangeLog-5.php#5.5.29

http://php.net/ChangeLog-5.php#5.4.45

Plugin Details

Severity: Critical

ID: 8861

Family: Web Servers

Published: 2015/09/14

Updated: 2019/03/06

Dependencies: 8682

Nessus ID: 85885, 85886, 85887

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2015/09/03

Vulnerability Publication Date: 2015/09/10

Reference Information

CVE: CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, CVE-2015-6838

BID: 76644, 76649, 76733, 76734, 76738