#VU16092 Type Confusion in PHP - CVE-2014-3515

Cybersecurity Help s.r.o.

Published: 2018-11-27 | Updated: 2021-06-17

Vulnerability identifier: #VU16092

Vulnerability risk: High

CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]

CVE-ID: CVE-2014-3515

CWE-ID: CWE-843

Exploitation vector: Network

Exploit availability: Yes

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a type confusion error in (1) ArrayObject and (2) SPLObjectStorage. when the SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization. A remote attacker can trigger a type confusion error via a crafted string that triggers use of a Hashtable destructor and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation
Install update from vendor's website.

Vulnerable software versions

PHP: 5.4.0 - 5.4.29, 5.5.0 - 5.5.13

External links
https://bugs.php.net/bug.php?id=67492

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Ubuntu update for PHP

Multiple vulnerabilities in HP-UX Apache Server Suite running Apache Tomcat or PHP

Amazon Linux AMI update for php

Slackware Linux update for php

Amazon Linux AMI update for php55

Amazon Linux AMI update for php54