PHP 7.0.x < 7.0.15 / 7.1.x < 7.1.1 Multiple Vulnerabilities

Critical Nessus Network Monitor Plugin ID 9938

Synopsis

The remote web server uses a version of PHP that is affected by multiple attack vectors.

Description

Versions of PHP 7.0.x prior to 7.0.15 and 7.1.x prior to 7.1.1 are affected by multiple vulnerabilities :

- An out-of-bounds read flaw exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c' that is triggered when handling phar archives. This may allow a remote attacker to cause a denial of service. (OSVDB 149621)
- A floating pointer exception flaw exists in the 'exif_convert_any_to_int()' function in 'ext/exif/exif.c' that is triggered when handling TIFF and JPEG image tags. This may allow a remote attacker to cause a crash. (OSVDB 149623)
- A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a crash. (OSVDB 149628)
- An off-by-one overflow condition exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c' that is triggered when parsing phar archives. This may allow a remote attacker to cause a limited buffer overflow, resulting in a crash. (OSVDB 149629)
- An integer overflow condition exists in the '_zend_hash_init()' function in 'Zend/zend_hash.c'. The issue is triggered as certain input is not properly validated when handling unserialized objects. This may allow a remote attacker to potentially execute arbitrary code. (OSVDB 149664)
- An out-of-bounds read flaw exists in the 'finish_nested_data()' function in 'ext/standard/var_unserializer.c' that is triggered when handling unserialized data. This may allow a remote attacker to crash a process built with the language or potentially disclose memory contents. (OSVDB 149665)
- An integer overflow condition exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c'. The issue is triggered as certain input is not properly validated when handling phar archives. This may allow a context-dependent attacker to crash a process built with the language. (OSVDB 149666)
- A type confusion flaw exists that is triggered during the deserialization of specially crafted GMP objects. This may allow a remote attacker to crash a process utilizing the language. (OSVDB 150227)
- A type confusion flaw exists that is triggered when deserializing ZVAL objects. This may allow a remote attacker to potentially execute arbitrary code. (OSVDB 150228)
- An unspecified signed integer overflow condition exists in 'gd_io.c'. The issue is triggered as certain input is not properly validated. This may allow an attacker to have an unspecified impact. No further details have been provided. (OSVDB 150680)

Solution

Upgrade to PHP version 7.1.1. If 7.1.x cannot be obtained, 7.0.15 has also been patched for these vulnerabilities.

See Also

http://php.net/ChangeLog-7.php#7.0.15

http://php.net/ChangeLog-7.php#7.1.1

Plugin Details

Severity: Critical

ID: 9938

File Name: 9938.prm

Family: Web Servers

Published: 2017/02/03

Modified: 2017/02/03

Dependencies: 9243

Nessus ID: 96800

Risk Information

Risk Factor: Critical

CVSSv2

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 2017/01/19

Vulnerability Publication Date: 2017/01/19

Reference Information

CVE: CVE-2016-1015, CVE-2016-1015, CVE-2016-1016, CVE-2016-1016, CVE-2016-1016, CVE-2016-1016, CVE-2017-5340

BID: 92374, 95668, 95764, 95768, 95774, 95783, 95869

OSVDB: 149621, 149623, 149628, 149629, 149664, 149665, 149666, 150227, 150228, 150680