#VU33295 NULL pointer dereference in PHP - CVE-2014-2497

Cybersecurity Help s.r.o.

Published: 2014-03-21 | Updated: 2020-08-03

Vulnerability identifier: #VU33295

Vulnerability risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2014-2497

CWE-ID: CWE-476

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error. A remote attacker can trigger denial of service conditions via a crafted color table in an XPM file.

Mitigation
Update to version 5.4.27.

Vulnerable software versions

PHP: 5.4.0 - 5.4.26

External links
https://advisories.mageia.org/MGASA-2014-0288.html
https://lists.apple.com/archives/security-announce/2015/Apr/msg00001.html
https://lists.opensuse.org/opensuse-security-announce/2014-07/msg00001.html
https://lists.opensuse.org/opensuse-security-announce/2014-07/msg00002.html
https://rhn.redhat.com/errata/RHSA-2014-1326.html
https://rhn.redhat.com/errata/RHSA-2014-1327.html
https://rhn.redhat.com/errata/RHSA-2014-1765.html
https://rhn.redhat.com/errata/RHSA-2014-1766.html
https://secunia.com/advisories/59061
https://secunia.com/advisories/59418
https://secunia.com/advisories/59496
https://secunia.com/advisories/59652
https://www.debian.org/security/2015/dsa-3215
https://www.mandriva.com/security/advisories?name=MDVSA-2015:153
https://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
https://www.securityfocus.com/bid/66233
https://www.ubuntu.com/usn/USN-2987-1
https://bugs.php.net/bug.php?id=66901
https://bugzilla.redhat.com/show_bug.cgi?id=1076676
https://security.gentoo.org/glsa/201607-04
https://support.apple.com/HT204659

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for GD

Amazon Linux AMI update for php55

Slackware Linux update for php

NULL pointer dereference in php (Alpine package)

SUSE Linux update for PHP5

SUSE Linux update for php53

SUSE Linux update for PHP5

NULL pointer dereference in PHP