CVE-2017-12932 - Use After Free vulnerability in PHP
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH

Summary
ext/standard/var_unserializer.re in PHP 7.0.x through 7.0.22 and 7.1.x through 7.1.8 is prone to a heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue can have an unspecified impact on the integrity of PHP.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | Php | 32 |
Nessus
- NASL family: CGI abuses
- NASL id: PHP_7_1_9.NASL
- description: According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.9. It is, therefore, affected by a heap-based buffer overflow condition exists in the ext/standard/var_unserializer.re script due to improper use of the hash API for key deletion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. Note that Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 122543
- published: 2019-03-01
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/122543
- title: PHP 7.1.x < 7.1.9 Heap-based Buffer Overflow Vulnerability
- code:

```
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(122543);
  script_version("1.2");
  script_cvs_date("Date: 2019/10/31 15:18:51");

  script_cve_id("CVE-2017-12932");
  script_bugtraq_id(100427);

  script_name(english:"PHP 7.1.x < 7.1.9 Heap-based Buffer Overflow Vulnerability");
  script_summary(english:"Checks the version of PHP.");

  script_set_attribute(attribute:"synopsis", value:
"The version of PHP running on the remote web server is affected by a heap-based buffer overflow vulnerability.");
  script_set_attribute(attribute:"description", value:
"According to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.9. It is, therefore, affected by a heap-based buffer overflow condition exists in the ext/standard/var_unserializer.re script due to improper use of the hash API for key deletion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.");
  script_set_attribute(attribute:"see_also", value:"http://php.net/ChangeLog-7.php#7.1.9");
  script_set_attribute(attribute:"solution", value:
"Upgrade to PHP version 7.1.9 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-12932");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/17");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/03/01");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:php:php");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("php_version.nasl");
  script_require_keys("www/PHP");
  script_require_ports("Services/www", 80);

  exit(0);
}

include("vcf.inc");
include("vcf_extras.inc");
include("http.inc");
include("webapp_func.inc");

vcf::php::initialize();

port = get_http_port(default:80, php:TRUE);

app_info = vcf::php::get_app_info(port:port);

constraints = [
  { "min_version" : "7.1.0alpha0", "fixed_version" : "7.1.9" }
];

vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);
```

- NASL family: SuSE Local Security Checks
- NASL id: SUSE_SU-2017-2468-1.NASL
- description: This update for php7 fixes several issues. These security issues were fixed:
  - CVE-2017-12932: Prevent heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054432).
  - CVE-2017-12934: Prevent heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054408).
  - CVE-2017-12933: The finish_nested_data function in ext/standard/var_unserializer.re was prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054430)

  The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
- last seen: 2020-03-24
- modified: 2019-01-02
- plugin id: 120006
- published: 2019-01-02
- reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/120006
- title: SUSE SLES12 Security Update : php7 (SUSE-SU-2017:2468-1)

- NASL family: CGI abuses
- NASL id: PHP_7_2_0.NASL
- description: According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.23. It is, therefore, affected by a heap-based buffer overflow condition exists in the ext/standard/var_unserializer.re script due to improper use of the hash API for key deletion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. Note that Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 122544
- published: 2019-03-01
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/122544
- title: PHP 7.2.x < 7.2.0 Heap-based Buffer Overflow Vulnerability

- NASL family: CGI abuses
- NASL id: PHP_7_0_23.NASL
- description: According to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.23. It is, therefore, affected by a heap-based buffer overflow condition exists in the ext/standard/var_unserializer.re script due to improper use of the hash API for key deletion. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. Note that Nessus has not tested for these issues but has instead relied only on the application
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 122539
- published: 2019-03-01
- reporter: This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/122539
- title: PHP 7.0.x < 7.0.23 Heap-based Buffer Overflow Vulnerability

- NASL family: SuSE Local Security Checks
- NASL id: OPENSUSE-2017-1061.NASL
- description: This update for php7 fixes several issues. These security issues were fixed:
  - CVE-2017-12932: Prevent heap use after free while unserializing untrusted data, related to improper use of the hash API for key deletion in a situation with an invalid array size. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054432).
  - CVE-2017-12934: Prevent heap use after free while unserializing untrusted data, related to the zval_get_type function in Zend/zend_types.h. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054408).
  - CVE-2017-12933: The finish_nested_data function in ext/standard/var_unserializer.re was prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue could have had an unspecified impact on the integrity of PHP (bsc#1054430)

  These non-security issues were fixed:
  - bsc#1057104: php7-devel now requires php7-pear
  - bsc#1057845: Fixed namespace encapsulation of imported classes/functions/constants

  This update was imported from the SUSE:SLE-12:Update update project.
- last seen: 2020-06-05
- modified: 2017-09-18
- plugin id: 103286
- published: 2017-09-18
- reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/103286
- title: openSUSE Security Update : php7 (openSUSE-2017-1061)

- NASL family: Debian Local Security Checks
- NASL id: DEBIAN_DSA-4080.NASL
- description: Several vulnerabilities were found in PHP, a widely-used open source general purpose scripting language:
  - CVE-2017-11144 Denial of service in openssl extension due to incorrect return value check of OpenSSL sealing function
  - CVE-2017-11145 Out-of-bounds read in wddx_deserialize()
  - CVE-2017-11628 Buffer overflow in PHP INI parsing API
  - CVE-2017-12932 / CVE-2017-12934 Use-after-frees during unserialisation
  - CVE-2017-12933 Buffer overread in finish_nested_data()
  - CVE-2017-16642 Out-of-bounds read in timelib_meridian()
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 105663
- published: 2018-01-09
- reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
- source: https://www.tenable.com/plugins/nessus/105663
- title: Debian DSA-4080-1 : php7.0 - security update

- NASL family: Gentoo Local Security Checks
- NASL id: GENTOO_GLSA-201709-21.NASL
- description: The remote host is affected by the vulnerability described in GLSA-201709-21 (PHP: Multiple vulnerabilities). Multiple vulnerabilities have been discovered in PHP. Please review the referenced CVE identifiers for details.
  - Impact: A remote attacker could execute arbitrary code with the privileges of the process or cause a Denial of Service condition.
  - Workaround: There is no known workaround at this time.
- last seen: 2020-06-01
- modified: 2020-06-02
- plugin id: 103449
- published: 2017-09-25
- reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
- source: https://www.tenable.com/plugins/nessus/103449
- title: GLSA-201709-21 : PHP: Multiple vulnerabilities

References
- https://github.com/php/php-src/commit/1a23ebc1fff59bf480ca92963b36eba5c1b904c4
- https://bugs.php.net/bug.php?id=74103
- http://php.net/ChangeLog-7.php
- http://www.securityfocus.com/bid/100427
- https://security.gentoo.org/glsa/201709-21
- https://www.debian.org/security/2018/dsa-4080
- https://security.netapp.com/advisory/ntap-20180112-0001/
- https://access.redhat.com/errata/RHSA-2018:1296
- https://access.redhat.com/errata/RHSA-2019:2519