Vulnerabilities > CVE-2018-10545 - Information Exposure vulnerability in PHP

047910
CVSS 1.9 - LOW
Attack vector
LOCAL
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE

Summary

An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.

Vulnerable Configurations

Part Description Count
Application
Php
998
Application
Netapp
1
OS
Canonical
5
OS
Debian
3

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyMisc.
    NASL idSECURITYCENTER_5_7_1_TNS_2018_12.NASL
    descriptionAccording to its self-reported version, the Tenable SecurityCenter application installed on the remote host is prior to 5.7.1. It is, therefore, affected by multiple vulnerabilities. Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-06-01
    modified2020-06-02
    plugin id117672
    published2018-09-24
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117672
    titleTenable SecurityCenter < 5.7.1 Multiple Vulnerabilities (TNS-2018-12)
  • NASL familyCGI abuses
    NASL idPHP_7_0_30.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.0.x prior to 7.0.30. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id109577
    published2018-05-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109577
    titlePHP 7.0.x < 7.0.30 Multiple Vulnerabilities
  • NASL familyCGI abuses
    NASL idPHP_7_2_5.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.2.x prior to 7.2.5. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id109579
    published2018-05-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109579
    titlePHP 7.2.x < 7.2.5 Stack Buffer Overflow
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1397.NASL
    descriptionSeveral vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : CVE-2018-7584 A stack-buffer-overflow while parsing HTTP response results in copying a large string and possible memory corruption and/or denial of service CVE-2018-10545 Dumpable FPM child processes allow bypassing opcache access controls resulting in potential information disclosure where one user can obtain information about another user
    last seen2020-06-01
    modified2020-06-02
    plugin id110697
    published2018-06-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110697
    titleDebian DLA-1397-1 : php5 security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1291-1.NASL
    descriptionThis update for php5 fixes the following issues: Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120023
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120023
    titleSUSE SLES12 Security Update : php5 (SUSE-SU-2018:1291-1)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2649.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - ** DISPUTED ** Integer overflow in the php_raw_url_encode function in ext/standard/url.c in PHP before 5.5.34, 5.6.x before 5.6.20, and 7.x before 7.0.5 allows remote attackers to cause a denial of service (application crash) via a long string to the rawurlencode function. NOTE: the vendor says
    last seen2020-05-08
    modified2019-12-18
    plugin id132184
    published2019-12-18
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132184
    titleEulerOS 2.0 SP3 : php (EulerOS-SA-2019-2649)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201812-01.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201812-01 (PHP: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in PHP. Please review the referenced CVE identifiers for details. Impact : An attacker could cause a Denial of Service condition or obtain sensitive information. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id119320
    published2018-12-03
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119320
    titleGLSA-201812-01 : PHP: Multiple vulnerabilities
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4240.NASL
    descriptionSeveral vulnerabilities were found in PHP, a widely-used open source general purpose scripting language : - CVE-2018-7584 Buffer underread in parsing HTTP responses - CVE-2018-10545 Dumpable FPM child processes allowed the bypass of opcache access controls - CVE-2018-10546 Denial of service via infinite loop in convert.iconv stream filter - CVE-2018-10547 The fix for CVE-2018-5712 (shipped in DSA 4080) was incomplete - CVE-2018-10548 Denial of service via malformed LDAP server responses - CVE-2018-10549 Out-of-bounds read when parsing malformed JPEG files
    last seen2020-06-01
    modified2020-06-02
    plugin id110928
    published2018-07-06
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110928
    titleDebian DSA-4240-1 : php7.0 - security update
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1176-1.NASL
    descriptionThis update for php7 fixes the following issues: Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-03-21
    modified2019-01-02
    plugin id120021
    published2019-01-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120021
    titleSUSE SLES12 Security Update : php7 (SUSE-SU-2018:1176-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1294-1.NASL
    descriptionThis update for php53 fixes the following issues: Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id109860
    published2018-05-16
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109860
    titleSUSE SLES11 Security Update : php53 (SUSE-SU-2018:1294-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3646-1.NASL
    descriptionIt was discovered that PHP incorrectly handled opcache access controls when configured to use PHP-FPM. A local user could possibly use this issue to obtain sensitive information from another user
    last seen2020-06-01
    modified2020-06-02
    plugin id109812
    published2018-05-15
    reporterUbuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109812
    titleUbuntu 14.04 LTS / 16.04 LTS / 17.10 / 18.04 LTS : php5, php7.0, php7.1, php7.2 vulnerabilities (USN-3646-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1373.NASL
    descriptionSeveral issues have been discovered in PHP (recursive acronym for PHP: Hypertext Preprocessor), a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. CVE-2018-10545 Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user
    last seen2020-03-17
    modified2018-05-10
    plugin id109657
    published2018-05-10
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109657
    titleDebian DLA-1373-1 : php5 security update
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-465.NASL
    descriptionThis update for php5 fixes the following issues : Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-05-17
    plugin id109878
    published2018-05-17
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109878
    titleopenSUSE Security Update : php5 (openSUSE-2018-465)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-2438.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.(CVE-2019-11043) - The finish_nested_data function in ext/standard/var_unserializer.re in PHP before 5.6.31, 7.0.x before 7.0.21, and 7.1.x before 7.1.7 is prone to a buffer over-read while unserializing untrusted data. Exploitation of this issue can have an unspecified impact on the integrity of PHP.(CVE-2017-12933) - ext/standard/var_unserializer.c in PHP before 5.6.25 and 7.x before 7.0.10 mishandles certain invalid objects, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that leads to a (1) __destruct call or (2) magic method call.(CVE-2016-7124) - The match function in pcre_exec.c in PCRE before 8.37 mishandles the /(?:((abcd))|(((?:(?:(?:(?:abc|(?:abcdef))))b)abcdefghi )abc)|((*ACCEPT)))/ pattern and related patterns involving (*ACCEPT), which allows remote attackers to obtain sensitive information from process memory or cause a denial of service (partially initialized memory and application crash) via a crafted regular expression, as demonstrated by a JavaScript RegExp object encountered by Konqueror, aka ZDI-CAN-2547.(CVE-2015-8382) - An issue was discovered in PHP before 5.6.33, 7.0.x before 7.0.27, 7.1.x before 7.1.13, and 7.2.x before 7.2.1. There is Reflected XSS on the PHAR 404 error page via the URI of a request for a .phar file.(CVE-2018-5712) - exif_process_IFD_in_MAKERNOTE in ext/exif/exif.c in PHP before 5.6.37, 7.0.x before 7.0.31, 7.1.x before 7.1.20, and 7.2.x before 7.2.8 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted JPEG file.(CVE-2018-14851) - The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.(CVE-2016-7480) - ext/standard/var_unserializer.re in PHP before 5.6.26 mishandles object-deserialization failures, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via an unserialize call that references a partially constructed object.(CVE-2016-7411) - The odbc_bindcols function in ext/odbc/php_odbc.c in PHP before 5.6.12 mishandles driver behavior for SQL_WVARCHAR columns, which allows remote attackers to cause a denial of service (application crash) in opportunistic circumstances by leveraging use of the odbc_fetch_array function to access a certain type of Microsoft SQL Server table.(CVE-2015-8879) - In PHP before 5.6.32, 7.x before 7.0.25, and 7.1.x before 7.1.11, an error in the date extension
    last seen2020-05-08
    modified2019-12-04
    plugin id131592
    published2019-12-04
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/131592
    titleEulerOS 2.0 SP2 : php (EulerOS-SA-2019-2438)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-441.NASL
    descriptionThis update for php7 fixes the following issues : Security issues fixed : - CVE-2018-10545: Fix access controls in FPM child processes (bsc#1091367). - CVE-2018-10547: Fix Reflected XSS on the PHAR 403 and 404 error pages (bsc#1091362). - CVE-2018-10546: Fix an infinite loop exists in ext/iconv/iconv.c (bsc#1091363). - CVE-2018-10548: Fix remote denial of service in ext/ldap/ldap.c (bsc#1091355). This update was imported from the SUSE:SLE-12:Update update project.
    last seen2020-06-05
    modified2018-05-11
    plugin id109714
    published2018-05-11
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109714
    titleopenSUSE Security Update : php7 (openSUSE-2018-441)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1984.NASL
    descriptionAccording to the versions of the php packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The get_icu_disp_value_src_php function in ext/intl/locale/locale_methods.c in PHP before 5.3.29, 5.4.x before 5.4.30, and 5.5.x before 5.5.14 does not properly restrict calls to the ICU uresbund.cpp component, which allows remote attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a locale_get_display_name call with a long first argument.(CVE-2014-9912) - Use-after-free vulnerability in the spl_ptr_heap_insert function in ext/spl/spl_heap.c in PHP before 5.5.27 and 5.6.x before 5.6.11 allows remote attackers to execute arbitrary code by triggering a failed SplMinHeap::compare operation.(CVE-2015-4116) - A flaw was found in the way the way PHP
    last seen2020-05-08
    modified2019-09-24
    plugin id129178
    published2019-09-24
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/129178
    titleEulerOS 2.0 SP5 : php (EulerOS-SA-2019-1984)
  • NASL familyCGI abuses
    NASL idPHP_5_6_35.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 5.6.x prior to 5.6.35. It is, therefore, affected by a security bypass vulnerability. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user
    last seen2020-06-01
    modified2020-06-02
    plugin id122591
    published2019-03-04
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/122591
    titlePHP 5.6.x < 5.6.35 Security Bypass Vulnerability
  • NASL familyCGI abuses
    NASL idPHP_7_1_17.NASL
    descriptionAccording to its banner, the version of PHP running on the remote web server is 7.1.x prior to 7.1.17. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-06-01
    modified2020-06-02
    plugin id109578
    published2018-05-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109578
    titlePHP 7.1.x < 7.1.17 Multiple Vulnerabilities

Redhat

advisories
rhsa
idRHSA-2019:2519
rpms
  • rh-php71-php-0:7.1.30-1.el7
  • rh-php71-php-bcmath-0:7.1.30-1.el7
  • rh-php71-php-cli-0:7.1.30-1.el7
  • rh-php71-php-common-0:7.1.30-1.el7
  • rh-php71-php-dba-0:7.1.30-1.el7
  • rh-php71-php-dbg-0:7.1.30-1.el7
  • rh-php71-php-debuginfo-0:7.1.30-1.el7
  • rh-php71-php-devel-0:7.1.30-1.el7
  • rh-php71-php-embedded-0:7.1.30-1.el7
  • rh-php71-php-enchant-0:7.1.30-1.el7
  • rh-php71-php-fpm-0:7.1.30-1.el7
  • rh-php71-php-gd-0:7.1.30-1.el7
  • rh-php71-php-gmp-0:7.1.30-1.el7
  • rh-php71-php-intl-0:7.1.30-1.el7
  • rh-php71-php-json-0:7.1.30-1.el7
  • rh-php71-php-ldap-0:7.1.30-1.el7
  • rh-php71-php-mbstring-0:7.1.30-1.el7
  • rh-php71-php-mysqlnd-0:7.1.30-1.el7
  • rh-php71-php-odbc-0:7.1.30-1.el7
  • rh-php71-php-opcache-0:7.1.30-1.el7
  • rh-php71-php-pdo-0:7.1.30-1.el7
  • rh-php71-php-pgsql-0:7.1.30-1.el7
  • rh-php71-php-process-0:7.1.30-1.el7
  • rh-php71-php-pspell-0:7.1.30-1.el7
  • rh-php71-php-recode-0:7.1.30-1.el7
  • rh-php71-php-snmp-0:7.1.30-1.el7
  • rh-php71-php-soap-0:7.1.30-1.el7
  • rh-php71-php-xml-0:7.1.30-1.el7
  • rh-php71-php-xmlrpc-0:7.1.30-1.el7
  • rh-php71-php-zip-0:7.1.30-1.el7