SB2014061501 - Amazon Linux AMI update for php55

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2014061501

SB2014061501 - Amazon Linux AMI update for php55

Published: June 15, 2014

Security Bulletin ID SB2014061501
Severity
Low
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Denial of service

Breakdown by Severity

Low 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Denial of service (CVE-ID: CVE-2014-0237)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 due to performance degradation. A remote attacker can trigger many file_printf calls and cause the service to crash.


2) Infinite loop (CVE-ID: CVE-2014-0238)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to infinite loop in the cdf_read_property_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13. A remote attacker can trigger out-of-bounds memory access via a vector that (1) has zero length or (2) is too long and cause the service to crash.

Remediation

Install update from vendor's website.

References