Risk | High |
Patch available | YES |
Number of vulnerabilities | 7 |
CVE-ID | CVE-2016-7411 CVE-2016-7412 CVE-2016-7413 CVE-2016-7414 CVE-2016-7416 CVE-2016-7417 CVE-2016-7418 |
CWE-ID | CWE-284 |
Exploitation vector | Local |
Public exploit | N/A |
Vulnerable software | PHP-Nuke (Web applications / CMS), PHP (Universal components / Libraries / Scripting languages) |
Vendor | Phpnuke.org, PHP Group |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
EUVDB-ID: #VU529
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7411
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by deserialized object destruction that may result in a memory corruption error and allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP-Nuke: 5.6
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html
EUVDB-ID: #VU524
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7412
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by a heap overflow during handling of BIT fields in mysqlnd that allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP: 5.6.26 - 7.0.11
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html
EUVDB-ID: #VU527
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7413
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by a use-after-free memory error in wddx_deserialize() that allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP: 5.6.26 - 7.0.11
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html
EUVDB-ID: #VU525
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7414
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by an out-of-bounds memory error in phar_parse_zipfile() that allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP: 5.6.26 - 7.0.11
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html
EUVDB-ID: #VU523
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7416
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by memory corruption in local data handling that allows a malicious user to get access to the system and cause arbitrary code execution.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP: 5.6.26 - 7.0.11
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html
EUVDB-ID: #VU526
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7417
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by unserializing SplArray that leads to a memory corruption error and allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP: 5.6.26 - 7.0.11
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html
EUVDB-ID: #VU528
Risk: High
CVSSv3.1:
CVE-ID: CVE-2016-7418
CWE-ID:
Exploit availability:
Description
The vulnerability allows a remote or local user to cause arbitrary code execution on the target system.
The weakness is caused by an out-of-bounds memory read error in php_wddx_push_element() that allows a malicious user to execute arbitrary code.
Successful exploitation of the vulnerability may result in arbitrary code execution on the vulnerable system.
Update the affected packages.
PHP: 5.6.26 - 7.0.11
Fixed software versions
External links
http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00017.html