PHP 4.3.10 < 4.4.9 / 5.0.3 < 5.4.36 / 5.5.x < 5.5.20 / 5.6.x < 5.6.4 DoS

Medium Nessus Network Monitor Plugin ID 8922

Synopsis

The remote web server uses a version of PHP that is affected by a denial of service vulnerability.

Description

PHP versions 4.3.10 through 4.4.9, 5.0.3 prior to 5.4.36, 5.5.x prior to 5.5.20, and 5.6.x prior to 5.6.4 are affected by a denial of service vulnerability due to a NULL pointer dereference in the 'var_push_dtor()' function of the 'unserialize.c' source file. The crash is reachable wherever attacker-controlled data is passed to unserialize(), so a remote attacker who can supply crafted serialized input may crash the affected application, denying service to legitimate users. Note that the 4.x and 5.3.x branches fall inside the affected ranges and received no fixed release. (Bug 68545)

Solution

Apply the vendor's patch, or upgrade to the latest version. This issue has been fixed in versions 5.4.36, 5.5.20, 5.6.4 and later. Distribution packages may backport the fix without changing the reported version, so a version-only check can produce false positives; confirm against the distribution's changelog where possible.
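The check below, added here as an illustration and not part of the Tenable plugin or of PHP itself, reproduces the version-range logic of the description: it extracts a PHP version from the HTTP headers a passive monitor would see (the X-Powered-By and Server banners are an assumption about where the version is exposed; with expose_php=Off no banner appears and the check returns no result), and reports whether that version falls inside one of the affected ranges. The sample headers are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Affected ranges exactly as stated in the plugin description:
# (low bound inclusive, high bound, whether the high bound is inclusive).
AFFECTED_RANGES = [
    ((4, 3, 10), (4, 4, 9), True),    # 4.3.10 through 4.4.9 (no fixed 4.x release)
    ((5, 0, 3), (5, 4, 36), False),   # 5.0.3 prior to 5.4.36 (includes unfixed 5.3.x)
    ((5, 5, 0), (5, 5, 20), False),   # 5.5.x prior to 5.5.20
    ((5, 6, 0), (5, 6, 4), False),    # 5.6.x prior to 5.6.4
]

# Matches the 'PHP/x.y.z' token; a distro suffix such as '-0+deb7u3' is ignored.
_VERSION_RE = re.compile(r"PHP/(\d+)\.(\d+)\.(\d+)")


def parse_php_version(text: str) -> Optional[Version]:
    """Return the first PHP version found in a banner string, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def php_version_from_headers(headers: Dict[str, str]) -> Optional[Version]:
    """Look for a PHP version in X-Powered-By first, then in the Server banner.

    Header names are compared case-insensitively, as HTTP requires.
    """
    for wanted in ("x-powered-by", "server"):
        for name, value in headers.items():
            if name.lower() == wanted:
                version = parse_php_version(value)
                if version is not None:
                    return version
    return None


def is_affected(version: Version) -> bool:
    """True if the version lies inside one of the affected ranges."""
    for low, high, high_inclusive in AFFECTED_RANGES:
        if version < low:
            continue
        if version < high or (high_inclusive and version == high):
            return True
    return False


def assess(headers: Dict[str, str]) -> Optional[bool]:
    """None if no PHP version is visible, otherwise whether it is affected."""
    version = php_version_from_headers(headers)
    return None if version is None else is_affected(version)


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = {
        "host-a": {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.5.19"},
        "host-b": {"Server": "Apache/2.2.22 (Debian) PHP/5.4.36-0+deb7u3"},
        "host-c": {"Server": "nginx"},  # expose_php=Off or no PHP at all
    }
    for host, hdrs in samples.items():
        result = assess(hdrs)
        state = "no PHP banner" if result is None else ("AFFECTED" if result else "not affected")
        print(f"{host}: {php_version_from_headers(hdrs)} -> {state}")
```

Because the comparison is purely on the advertised version, treat a positive result as a lead to confirm (package changelog, or the 3v4l test case from the See Also list against a non-production copy) rather than as proof of exploitability.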

See Also

https://bugs.php.net/bug.php?id=68545

http://php.net/ChangeLog-5.php#5.4.36

http://3v4l.org/BtYZg

Plugin Details

Severity: Medium

ID: 8922

Family: Web Servers

Published: 2015/02/25

Modified: 2018/09/16

Dependencies: 8682, 8728

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5

Temporal Score: 4.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 5.3

Temporal Score: 5.1

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2014/12/18

Vulnerability Publication Date: 2014/12/03

Reference Information

BID: 72491