Debian update for php5



Updated: 2018-11-21
Risk: High
Patch available: YES
Number of vulnerabilities: 7
CVE-ID: CVE-2017-11142, CVE-2017-11143, CVE-2017-11144, CVE-2017-11145, CVE-2017-11628, CVE-2017-12933, CVE-2017-16642
CWE-ID: CWE-20, CWE-502, CWE-284, CWE-125, CWE-121
Exploitation vector: Network
Public exploit: Public exploit code for vulnerability #7 is available.
Vulnerable software: php (Debian package) (Operating systems & Components / Operating system package or component)
Vendor: Debian

Security Bulletin

This security bulletin contains information about 7 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU9960

Risk: Medium

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2017-11142

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an improper check of variable length in main/php_variables.c. A remote attacker can cause a CPU-consumption denial of service by injecting long form variables.

Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Deserialization of untrusted data

EUVDB-ID: #VU9695

Risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11143

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists in parser.c due to deserialization of untrusted data. A remote attacker can inject a specially crafted XML file and crash the PHP interpreter; the crash is related to an invalid free for an empty boolean element in ext/wddx/wddx.c.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Denial of service

EUVDB-ID: #VU9716

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11144

CWE-ID: CWE-284 - Improper Access Control

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists because the openssl extension's PEM sealing code did not check the return value of the OpenSSL sealing function. A remote attacker can trigger a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c and an OpenSSL documentation omission.

Successful exploitation of the vulnerability results in denial of service.

Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

4) Out-of-bounds read

EUVDB-ID: #VU8965

Risk: Low

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-11145

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to an out-of-bounds read in timelib_meridian(). A remote attacker can read arbitrary data on the target system.

Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

5) Stack-based buffer overflow

EUVDB-ID: #VU7356

Risk: High

CVSSv4.0: 8.1 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2017-11628

CWE-ID: CWE-121 - Stack-based buffer overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause a DoS condition or potentially execute arbitrary code.

The weakness exists due to a stack buffer overflow in PHP INI parsing API 2 when handling malicious input. A remote attacker can send specially crafted data to trigger a stack buffer overflow in zend_ini_do_op() that may lead to an out-of-bounds write, and so cause the application to crash or execute arbitrary code with web server privileges.

Successful exploitation of the vulnerability may result in system compromise.

Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

6) Deserialization of untrusted data

EUVDB-ID: #VU9956

Risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12933

CWE-ID: CWE-502 - Deserialization of Untrusted Data

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a buffer over-read while unserializing untrusted data in the finish_nested_data function in ext/standard/var_unserializer.re. A remote attacker can perform a denial of service attack.


Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

7) Out-of-bounds read

EUVDB-ID: #VU8968

Risk: Low

CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Clear]

CVE-ID: CVE-2017-16642

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The weakness exists due to an out-of-bounds read in timelib_meridian(). A remote attacker can cause the application to crash.

Mitigation

Update the affected package to version: 5.6.33+dfsg-0+deb8u1.

Vulnerable software versions

php (Debian package): 5.6.0~rc1+dfsg-1 - 5.6.31+dfsg-0+deb8u1

External links

https://www.debian.org/security/2018/dsa-4081


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a proof of concept for this vulnerability is available.


