
PHP 5.4.x < 5.4.36 / 5.5.x < 5.5.20 / 5.6.x < 5.6.4 Use-After-Free

High

Synopsis

The remote web server uses an outdated version of PHP, leaving it vulnerable to several issues.

Description

PHP versions earlier than 5.6.4, 5.5.20, and 5.4.36 are exposed to a use-after-free vulnerability in the 'process_nested_data' function in 'ext/standard/var_unserializer.re'. This allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object. (Bug 68594)

Solution

Apply the vendor's patch, or upgrade to the latest version. These issues have been fixed in versions 5.6.4, 5.5.20, and 5.4.36.
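An added version check that is not part of this plugin: it parses a PHP version out of an HTTP X-Powered-By or Server banner and compares it against the branch-specific fixed versions listed above (5.4.36, 5.5.20, 5.6.4). The header values are constructed samples; a banner check cannot see distribution backports, so a hit is a finding to confirm against the installed package's changelog, not proof the host is exploitable.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions per branch, as stated in the advisory; a version below
# the fix for its own branch is reported as affected.
FIXED_VERSIONS = {(5, 4): (5, 4, 36), (5, 5): (5, 5, 20), (5, 6): (5, 6, 4)}
_VERSION_RE = re.compile(r"PHP/?\s*(\d+)\.(\d+)\.(\d+)")

def parse_php_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Pull major.minor.patch out of 'PHP/5.5.19' or 'PHP 5.6.4-1 (cli)';
    returns None when the banner carries no PHP version."""
    m = _VERSION_RE.search(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)

def is_affected(banner: str) -> Optional[bool]:
    """True if the version is below the fix for its branch, False if at or
    above it, None if no version is present or the branch (e.g. 7.x) lies
    outside the 5.4/5.5/5.6 range this advisory covers."""
    version = parse_php_version(banner)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get(version[:2])
    if fixed is None:
        return None
    return version < fixed

def check_headers(headers: Dict[str, str]) -> Optional[bool]:
    """Evaluate an HTTP response's X-Powered-By and Server headers.
    Caveat: distributions backport fixes without bumping the version, so
    True here is a finding to confirm against the package changelog."""
    for name in ("X-Powered-By", "Server"):
        verdict = is_affected(headers.get(name, ""))
        if verdict is not None:
            return verdict
    return None

# Constructed sample responses (not captured from any real host).
SAMPLE_RESPONSES = [
    {"Server": "Apache/2.4.7 (Ubuntu)", "X-Powered-By": "PHP/5.5.19"},
    {"Server": "Apache/2.2.22 PHP/5.4.36"},
    {"Server": "nginx/1.6.2", "X-Powered-By": "PHP/5.6.4-1"},
    {"Server": "nginx/1.6.2", "X-Powered-By": "PHP/7.0.0"},
]
```

Running `check_headers` over the samples yields True, False, False and None respectively: only the first host reports a version below its branch's fix, and the 7.x host is out of scope for this advisory.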