PHP 7.0.x < 7.0.15 / 7.1.x < 7.1.1 Multiple Vulnerabilities

critical Nessus Network Monitor Plugin ID 9938

Synopsis

The remote web server uses a version of PHP that is affected by multiple attack vectors.

Description

Versions of PHP 7.0.x prior to 7.0.15 and 7.1.x prior to 7.1.1 are affected by multiple vulnerabilities :

- An out-of-bounds read flaw exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c' that is triggered when handling phar archives. This may allow a remote attacker to cause a denial of service.
- A floating pointer exception flaw exists in the 'exif_convert_any_to_int()' function in 'ext/exif/exif.c' that is triggered when handling TIFF and JPEG image tags. This may allow a remote attacker to cause a crash.
- A NULL pointer dereference flaw exists in the 'php_wddx_pop_element()' function in 'ext/wddx/wddx.c' that is triggered as certain input is not properly validated. This may allow a remote attacker to cause a crash.
- An off-by-one overflow condition exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c' that is triggered when parsing phar archives. This may allow a remote attacker to cause a limited buffer overflow, resulting in a crash.
- An integer overflow condition exists in the '_zend_hash_init()' function in 'Zend/zend_hash.c'. The issue is triggered as certain input is not properly validated when handling unserialized objects. This may allow a remote attacker to potentially execute arbitrary code.
- An out-of-bounds read flaw exists in the 'finish_nested_data()' function in 'ext/standard/var_unserializer.c' that is triggered when handling unserialized data. This may allow a remote attacker to crash a process built with the language or potentially disclose memory contents.
- An integer overflow condition exists in the 'phar_parse_pharfile()' function in 'ext/phar/phar.c'. The issue is triggered as certain input is not properly validated when handling phar archives. This may allow a context-dependent attacker to crash a process built with the language.
- A type confusion flaw exists that is triggered during the deserialization of specially crafted GMP objects. This may allow a remote attacker to crash a process utilizing the language.
- A type confusion flaw exists that is triggered when deserializing ZVAL objects. This may allow a remote attacker to potentially execute arbitrary code.
- An unspecified signed integer overflow condition exists in 'gd_io.c'. The issue is triggered as certain input is not properly validated. This may allow an attacker to have an unspecified impact. No further details have been provided.

Solution

Upgrade to PHP version 7.1.1. If 7.1.x cannot be obtained, 7.0.15 has also been patched for these vulnerabilities.

See Also

http://php.net/ChangeLog-7.php#7.0.15

http://php.net/ChangeLog-7.php#7.1.1

Plugin Details

Severity: Critical

ID: 9938

Family: Web Servers

Published: 2/3/2017

Updated: 3/6/2019

Nessus ID: 96800

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:php:php

Patch Publication Date: 1/19/2017

Vulnerability Publication Date: 1/19/2017

Reference Information

CVE: CVE-2016-10158, CVE-2016-10159, CVE-2016-10160, CVE-2016-10161, CVE-2016-10162, CVE-2016-10168, CVE-2017-5340

BID: 95764, 95768, 95774, 95783, 95869, 92374, 95668