SB2018120716 - Multiple vulnerabilities in PHP


Published: December 7, 2018

Security Bulletin ID: SB2018120716
Severity: Low
Patch available: YES
Number of vulnerabilities: 15
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Low: 100%

Description

This security bulletin contains information about 15 security vulnerabilities.


1) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to segfault when using convert.quoted-printable-encode filter. A remote attacker can trigger segmentation fault and cause the service to crash.

2) NULL pointer dereference (CVE-ID: CVE-2018-19935)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a NULL pointer dereference in _php_imap_mail caused by an improper check of the message argument. A remote attacker can supply a specially crafted message, trigger the NULL pointer dereference and cause the service to crash.

3) OS command injection (CVE-ID: CVE-2018-19158)

The vulnerability allows a remote attacker to execute arbitrary shell commands on the target system.

The weakness exists due to OS command injection in imap_open. A remote attacker can bypass disabled exec functions in PHP and run arbitrary shell commands via the mailbox parameter.
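
Added example (not from the bulletin or the PHP project) for item 3: an allowlist check on the mailbox argument before it reaches imap_open(), plus a check that the running build carries the imap.enable_insecure_rsh INI directive that the PHP fix introduced. It assumes mailbox specs follow the documented {server[:port][/flag[=value]]...}name form; the sample specs are constructed.

```php
<?php
// Added example, not from the bulletin or the PHP project: vet the mailbox
// argument before imap_open() sees it and confirm the build knows the
// imap.enable_insecure_rsh directive (added by the PHP fix, default off).
// Assumption: specs use the documented {server[:port][/flag[=value]]...}name form.

// Only hostname characters may appear in the server segment, so whitespace,
// quotes and other shell-relevant bytes never reach the IMAP client library.
function validate_mailbox_spec(string $spec): bool
{
    $re = '~^\{'
        . '[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?' // host or IP literal
        . '(:[0-9]{1,5})?'                          // optional port
        . '(/[a-z][a-z0-9-]*(=[A-Za-z0-9.-]+)?)*'   // optional /flag or /flag=value
        . '\}[A-Za-z0-9._/-]*$~';                   // mailbox name
    return preg_match($re, $spec) === 1;
}

// True only on a build that knows the directive and has it switched off.
function insecure_rsh_disabled(): bool
{
    $value = ini_get('imap.enable_insecure_rsh');
    if ($value === false) {
        return false; // directive unknown: this PHP predates the fix
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN) === false;
}

function open_mailbox_safely(string $spec, string $user, string $password)
{
    if (!validate_mailbox_spec($spec)) {
        throw new InvalidArgumentException('mailbox spec rejected by allowlist');
    }
    if (!insecure_rsh_disabled()) {
        throw new RuntimeException('imap.enable_insecure_rsh missing or enabled; update PHP');
    }
    return imap_open($spec, $user, $password, 0, 1);
}

// Constructed specs: the first two pass, the last two are rejected.
$samples = [
    '{imap.example.test:993/imap/ssl}INBOX',
    '{10.0.0.5/imap/notls/novalidate-cert}Sent',
    '{imap.example.test extra}INBOX',
    '{imap.example.test}INBOX;id',
];
foreach ($samples as $spec) {
    printf("%-48s %s\n", $spec, validate_mailbox_spec($spec) ? 'accepted' : 'rejected');
}
```

The allowlist is a defence-in-depth layer; the authoritative fix is the vendor update named under Remediation.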

4) Heap-based buffer overflow (CVE-ID: CVE-2018-20783)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a heap-based buffer overflow in phar handling, found while fuzzing with AFL on an ASAN-instrumented PHP build (reproducible with the Zend allocator disabled under ASAN, valgrind or similar). A remote attacker can supply a crafted phar archive as input, trigger memory corruption and cause the service to crash.

5) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a segfault in SoapClient when the part "<soap:header message="tns:requestheader" part="id" use="literal"/>" is removed from the WSDL while WSDL_CACHE_MEMORY is in use. A remote attacker can trigger the segmentation fault and cause the service to crash.

6) Infinite loop (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an infinite loop that occurs only when Opcache is enabled (the same script runs fine without Opcache). A remote attacker can trigger the loop and cause the service to crash.

7) Improper input validation (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to an error when response headers have already been sent or when session_id($id) is called before session_start(). A remote attacker can trigger the condition after response headers are sent and cause the service to crash.

8) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a segmentation fault triggered by recursion. A remote attacker can trigger the recursion and cause the service to crash.

9) Memory corruption (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a boundary error. A remote attacker can trigger memory corruption and a segmentation fault to cause the service to crash.

10) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a segfault observed while running the PHPUnit tests of one of the libraries. A remote attacker can trigger the segmentation fault to cause the service to crash.

11) XXE attack (CVE-ID: N/A)

The vulnerability allows a remote attacker to conduct XXE-attack on the target system.

The vulnerability exists due to improper handling of XML External Entities (XXEs) when parsing an XML file. A remote attacker can trick the victim into opening an XML file that submits malicious input, causing the XML parser to stop parsing and xml_get_error_code() to return XML_ERROR_EXTERNAL_ENTITY_HANDLING.
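
Added example (not from the bulletin or the PHP project) for item 11: parsing untrusted XML with ext/xml while refusing every external entity, so that the parse halts and xml_get_error_code() reports XML_ERROR_EXTERNAL_ENTITY_HANDLING, which the caller treats as a rejected document. The two sample documents are constructed, and the SYSTEM identifier is a placeholder that is never fetched.

```php
<?php
// Added example, not from the bulletin or the PHP project: parse untrusted
// XML with ext/xml and refuse every external entity. Returning false from
// the external-entity handler makes the parser stop and makes
// xml_get_error_code() report XML_ERROR_EXTERNAL_ENTITY_HANDLING.

function parse_untrusted_xml(string $xml): array
{
    $parser = xml_parser_create();
    $refused = [];

    // Never fetch the entity: record its identifier and abort the parse.
    xml_set_external_entity_ref_handler(
        $parser,
        function ($p, $openEntityNames, $base, $systemId, $publicId) use (&$refused) {
            $refused[] = $systemId;
            return false;
        }
    );

    $ok = xml_parse($parser, $xml, true);
    $code = xml_get_error_code($parser);
    xml_parser_free($parser);

    return [
        'accepted' => $ok === 1,
        'error'    => $ok === 1 ? null : xml_error_string($code),
        'blocked'  => $code === XML_ERROR_EXTERNAL_ENTITY_HANDLING,
        'refused'  => $refused,
    ];
}

// Constructed documents: a benign one and one that references an external
// entity whose SYSTEM identifier is a placeholder and is never opened.
$benign  = '<?xml version="1.0"?><order><id>42</id></order>';
$hostile = '<?xml version="1.0"?>'
    . '<!DOCTYPE order [<!ENTITY ext SYSTEM "constructed-external.xml">]>'
    . '<order><id>&ext;</id></order>';

foreach (['benign' => $benign, 'hostile' => $hostile] as $label => $doc) {
    $result = parse_untrusted_xml($doc);
    printf("%-8s accepted=%s blocked=%s refused=%s\n", $label,
        var_export($result['accepted'], true),
        var_export($result['blocked'], true),
        implode(',', $result['refused']));
}
```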

12) Memory leak (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to memory leaks in zend_register_functions(), specifically in the section related to the new code. A remote attacker can trigger the memory leaks to cause the service to crash.

13) Segmentation fault (CVE-ID: N/A)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to a segfault found while fuzzing typed properties but reproducible on master. A remote attacker can trigger the segmentation fault with a divide-assign op combined with __get and __set to cause the service to crash.

14) Security restrictions bypass (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists due to a protected method overriding a private one. A remote attacker can bypass the protected method accessibility check.

15) Security restrictions bypass (CVE-ID: N/A)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The weakness exists because BCMath reports some errors and warnings (such as "exponent too large in raise") by writing directly to stderr. A remote attacker can bypass PHP's error handling.

Remediation

Install the update from the vendor's website.