#VU32500 Input validation error in PHP - CVE-2014-3538

Cybersecurity Help s.r.o.

Published: 2014-07-03 | Updated: 2020-07-28

Vulnerability identifier: #VU32500

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-3538

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can cause a denial of service (CPU consumption) via a crafted file that triggers backtracking during processing of an awk rule.

Mitigation
Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

PHP: 5.0 - 5.0.5, 5.1 - 5.1.6, 5.2.0 - 5.2.17, 5.3.0 - 5.3.29, 5.4.0 - 5.4.45, 5.5.0 - 5.5.38, 5.6.0 - 5.6.40

External links
https://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
https://mx.gw.com/pipermail/file/2014/001553.html
https://openwall.com/lists/oss-security/2014/06/30/7
https://rhn.redhat.com/errata/RHSA-2014-1327.html
https://rhn.redhat.com/errata/RHSA-2014-1765.html
https://rhn.redhat.com/errata/RHSA-2014-1766.html
https://rhn.redhat.com/errata/RHSA-2016-0760.html
https://secunia.com/advisories/60696
https://www.debian.org/security/2014/dsa-3008
https://www.debian.org/security/2014/dsa-3021
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
https://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html
https://www.securityfocus.com/bid/68348
https://bugzilla.redhat.com/show_bug.cgi?id=1098222
https://github.com/file/file/commit/4a284c89d6ef11aca34da65da7d673050a5ea320
https://github.com/file/file/commit/69a5a43b3b71f53b0577f41264a073f495799610
https://github.com/file/file/commit/71a8b6c0d758acb0f73e2e51421a711b5e9d6668
https://github.com/file/file/commit/74cafd7de9ec99a14f4480927580e501c8f852c3
https://github.com/file/file/commit/758e066df72fb1ac08d2eea91ddc3973d259e991
https://support.apple.com/HT204659

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Slackware Linux update for php

Amazon Linux AMI update for file

Input validation error in php (Alpine package)

Input validation error in file (Alpine package)

Input validation error in PHP