SB2014090407 - Multiple vulnerabilities in HP-UX Apache Server Suite running Apache Tomcat or PHP
Published: September 4, 2014 Updated: April 27, 2023
Description
This security bulletin contains information about 14 security vulnerabilities.
1) Buffer overflow (CVE-ID: CVE-2014-3478)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The vulnerability exists due to a buffer overflow in the mconvert function in softmagic.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can trigger memory corruption via a crafted Pascal string in a FILE_PSTRING conversion and cause the service to crash.
2) Heap-based buffer overflow (CVE-ID: CVE-2014-4049)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a heap-based buffer overflow in the php_parserr function in ext/standard/dns.c. A remote attacker can trigger memory corruption via a crafted DNS TXT record processed by the dns_get_record function and cause the service to crash or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
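Items 1 and 2 share one bug class: a length-prefixed string (a Pascal string in libmagic's FILE_PSTRING conversion, a character-string inside DNS TXT record data) whose declared length byte is trusted instead of being checked against the bytes actually present. The following C model is an added example, not code from the HP bulletin, PHP or libmagic; the function names and the sample record bytes are constructed for illustration. It places the unchecked pattern beside a bounds-checked version and a walker that validates a whole TXT record before any copying happens.

```c
/* Added example, not code from the HP bulletin, PHP or libmagic.
 * Function names and sample bytes are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (illustrative only): the leading length byte is used as
 * the copy length with no check against the input or the destination, so a
 * crafted length over-reads `in` and overflows `out`.  Never call this on
 * untrusted data; it is here only to show the shape of the bug. */
size_t pstring_copy_unchecked(const uint8_t *in, char *out)
{
    size_t n = in[0];
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return n;
}

/* Hardened version: returns the string length on success, or -1 when the
 * declared length runs past the end of the input or the result (plus NUL)
 * would not fit the destination. */
int pstring_copy_checked(const uint8_t *in, size_t in_len,
                         char *out, size_t out_sz)
{
    if (in_len < 1)
        return -1;                 /* no length byte at all */
    size_t n = in[0];
    if (n > in_len - 1)
        return -1;                 /* declared length exceeds data present */
    if (n >= out_sz)
        return -1;                 /* no room for the bytes plus NUL */
    memcpy(out, in + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* TXT rdata is a sequence of such strings back to back.  Walk them, counting
 * how many there are, and reject the record if any string claims more bytes
 * than remain (the condition a crafted TXT answer exploits).  Returns the
 * count, or -1 for a malformed record. */
int count_txt_strings(const uint8_t *rdata, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (off < len) {
        size_t n = rdata[off];
        if (n > len - off - 1)
            return -1;
        off += 1 + n;
        count++;
    }
    return count;
}

/* Constructed sample rdata (not from a real capture): two well-formed strings,
 * and the same bytes with the second length byte raised to 9 so that it claims
 * six more bytes than the record holds. */
static const uint8_t good_txt[] = { 5, 'h', 'e', 'l', 'l', 'o', 3, 'x', 'y', 'z' };
static const uint8_t bad_txt[]  = { 5, 'h', 'e', 'l', 'l', 'o', 9, 'x', 'y', 'z' };

int main(void)
{
    char buf[16];
    int n;

    printf("good record: %d strings\n", count_txt_strings(good_txt, sizeof good_txt));
    printf("bad record:  %d (rejected)\n", count_txt_strings(bad_txt, sizeof bad_txt));

    n = pstring_copy_checked(good_txt, sizeof good_txt, buf, sizeof buf);
    printf("first string: %d bytes -> \"%s\"\n", n, buf);

    n = pstring_copy_checked(bad_txt + 6, sizeof bad_txt - 6, buf, sizeof buf);
    printf("truncated string: %d (rejected)\n", n);
    return 0;
}
```

The checked parser compares the declared length against `in_len - 1`, the bytes that remain after the length byte, and against the destination before touching memory; validating the whole record first (`count_txt_strings`) means a malformed answer is dropped before any string is materialized.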
3) Link following (CVE-ID: CVE-2014-3981)
The vulnerability allows a local attacker to manipulate or delete data.
The vulnerability exists because acinclude.m4, as used in the configure script in PHP 5.5.13 and earlier, handles the /tmp/phpglibccheck file insecurely. A local user can overwrite arbitrary files via a symlink attack on /tmp/phpglibccheck.
4) Type Confusion (CVE-ID: CVE-2014-3515)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a type confusion error in (1) ArrayObject and (2) SPLObjectStorage, because the SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization. A remote attacker can trigger the type confusion via a crafted string that causes a HashTable destructor to be used and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
5) Input validation error (CVE-ID: CVE-2014-3487)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of a stream offset by the cdf_read_property_info function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can cause the application to crash via a crafted CDF file.
6) Input validation error (CVE-ID: CVE-2014-3480)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of sector-count data by the cdf_count_chain function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can cause the application to crash via a crafted CDF file.
7) Input validation error (CVE-ID: CVE-2014-3479)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the cdf_check_stream_offset function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14, relies on incorrect sector-size data. A remote attacker can cause the service to crash via a crafted stream offset in a CDF file.
8) Reachable assertion (CVE-ID: CVE-2014-0207)
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition on the target system.
The weakness exists due to an assertion failure in the cdf_read_short_sector function in cdf.c in file before 5.19, as used in the Fileinfo component in PHP before 5.4.30 and 5.5.x before 5.5.14. A remote attacker can trigger the reachable assertion via a specially crafted CDF file and cause the service to crash.
9) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0119)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because Apache Tomcat does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet. A remote attacker can read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference (an XML External Entity (XXE) issue), or read files associated with different web applications on a single Tomcat instance via a crafted web application.
10) Integer overflow (CVE-ID: CVE-2014-0099)
The vulnerability allows a remote attacker to perform an HTTP request smuggling attack.
The vulnerability exists due to integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat when operated behind a reverse proxy. A remote attacker can conduct HTTP request smuggling attack via a crafted Content-Length HTTP header.
11) Input validation error (CVE-ID: CVE-2014-0098)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service (DoS) condition.
The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation.
12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2014-0096)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists because java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat does not properly restrict XSLT stylesheets. A remote attacker can bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference (an XML External Entity (XXE) issue).
13) Integer overflow (CVE-ID: CVE-2014-0075)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat. A remote attacker can cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data.
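Items 10 and 13 are the same arithmetic mistake: a length (a decimal Content-Length value, a hexadecimal chunk size) is accumulated digit by digit into a 32-bit int with no overflow check, so a long enough digit string wraps around. The following C model is an added example, not code from the HP bulletin or Apache Tomcat; it assumes Java's int is a 32-bit two's-complement value, which is what makes the wrapped results match what a JVM computes, and its function names and header values are constructed for illustration. It shows the wrapping accumulation beside a parser that detects the overflow before it happens.

```c
/* Added example, not code from the HP bulletin or Apache Tomcat.
 * Assumes a 32-bit two's-complement int, as in Java.  Function names and
 * sample header values are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* Value of one digit in the given base (10 or 16), or -1 if not a digit. */
static int digit_value(char c, int base)
{
    int v;
    if (c >= '0' && c <= '9')      v = c - '0';
    else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
    else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
    else return -1;
    return v < base ? v : -1;
}

/* The vulnerable pattern: result = result * base + digit on a 32-bit int.
 * Accumulated in uint32_t because signed overflow is undefined in C; the
 * final cast reinterprets the bits the way Java's int holds them.  Parsing
 * stops at the first non-digit (';' before a chunk extension, CR at the
 * end of the line). */
int32_t parse_len_wrapping(const char *s, int base)
{
    uint32_t acc = 0;
    for (; *s; s++) {
        int d = digit_value(*s, base);
        if (d < 0)
            break;
        acc = acc * (uint32_t)base + (uint32_t)d;   /* silently wraps mod 2^32 */
    }
    return (int32_t)acc;
}

/* Hardened parse: refuses to produce a value the digits do not represent.
 * Returns 0 and stores the length, or -1 on overflow or when no digit is
 * present at all. */
int parse_len_checked(const char *s, int base, int32_t *out)
{
    int32_t acc = 0;
    int ndigits = 0;
    for (; *s; s++) {
        int d = digit_value(*s, base);
        if (d < 0)
            break;
        if (acc > (INT32_MAX - d) / base)
            return -1;             /* acc * base + d would exceed INT32_MAX */
        acc = acc * base + d;
        ndigits++;
    }
    if (ndigits == 0)
        return -1;
    *out = acc;
    return 0;
}

int main(void)
{
    /* Constructed header values: 2^32 + 5 written in decimal and in hex.
     * A front-end proxy that parses the decimal value correctly forwards a
     * 4294967301-byte body; a back end that wraps sees 5 and reads the rest
     * of that body as the next request (request smuggling).  A chunk size
     * that wraps to a negative or huge value drives the chunk filter into
     * bogus reads (denial of service). */
    const char *content_length = "4294967301";
    const char *chunk_header   = "100000005;ext=1";
    int32_t v;

    printf("Content-Length %s -> wrapping parser: %d\n",
           content_length, (int)parse_len_wrapping(content_length, 10));
    printf("chunk size %s -> wrapping parser: %d\n",
           chunk_header, (int)parse_len_wrapping(chunk_header, 16));
    printf("checked parser on Content-Length: %s\n",
           parse_len_checked(content_length, 10, &v) == 0 ? "accepted"
                                                           : "rejected (overflow)");
    return 0;
}
```

The overflow test `acc > (INT32_MAX - d) / base` is exact: `acc * base + d` fits in an int32 precisely when `acc` is at most the integer quotient on the right, so the checked parser never needs a wider type. Two parsers that disagree about a length is the whole of the smuggling condition in item 10, so the practical check is that every hop (proxy and Tomcat) rejects, rather than wraps, a Content-Length it cannot represent.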
14) Input validation error (CVE-ID: CVE-2013-6438)
The vulnerability allows a remote non-authenticated attacker to cause a denial of service (DoS) condition.
The dav_xml_get_cdata function in main/util.c in the mod_dav module in the Apache HTTP Server before 2.4.8 does not properly remove whitespace characters from CDATA sections, which allows remote attackers to cause a denial of service (daemon crash) via a crafted DAV WRITE request.
Remediation
Install the update from the vendor's website.