Multiple vulnerabilities in PHP
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 14 |
| CVE-ID | CVE-2017-9224 CVE-2017-9226 CVE-2017-9227 CVE-2017-9228 CVE-2017-9229 CVE-2017-11628 CVE-2017-11362 |
| CWE-ID | CWE-125 CWE-787 CWE-476 CWE-122 CWE-284 CWE-415 CWE-121 CWE-416 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
PHP Universal components / Libraries / Scripting languages |
| Vendor | PHP Group |
Security Bulletin
This security bulletin contains information about 14 vulnerabilities.
1) Out-of-bounds read
EUVDB-ID: #VU7345
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9224
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the mbstring due to stack out-of-bounds read in match_at() during regular expression searching. A remote attacker can trigger a logical error involving order of validation and access in match_at() and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Heap-out-of-bounds write
EUVDB-ID: #VU7346
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9226
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists in the mbstring due to heap out-of-bounds write or read occurs in next_state_val() during regular expression compilation. A remote attacker can supply a malformed regular expression containing an octal number in the form of '\700', trigger
out-of-bounds write memory corruption and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Out-of-bounds read
EUVDB-ID: #VU7347
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9227
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in the mbstring due to an error in handling of reg->dmin in forward_search_range(). A remote attacker can trigger stack out-of-bounds read in mbc_enc_len() during regular expression searching and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Heap-out-of-bounds write
EUVDB-ID: #VU7348
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9228
CWE-ID:
CWE-787 - Out-of-bounds write
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists in the mbstring due to heap out-of-bounds write in bitset_set_range() during regular expression compilation due to incorrect state transition in parse_char_class(). A remote attacker can trigger out-of-bounds write memory corruption and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Null pointer dereference
EUVDB-ID: #VU7349
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-9229
CWE-ID:
CWE-476 - NULL Pointer Dereference
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists in the mbstring due to an error in handling of reg->dmin in forward_search_range(). A remote attacker can trigger SIGSEGV in left_adjust_char_head() during regular expression compilation, cause NULL pointer dereference and the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Heap-based buffer overflow
EUVDB-ID: #VU7359
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to heap-based buffer overflow in substr'swhen handling malicious input. A remote attacker can send specially crafted parameter to trigger memory corruption and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=73648
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Improper access control
EUVDB-ID: #VU7358
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to improper access control. A remote attacker can use negative offset parameter and a big string haystack to gain illegal memory access in zend_memnstr_ex function and read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=73634
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Double free
EUVDB-ID: #VU7357
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-415 - Double Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to double free. A remote attacker can create a node list using the DOMXPath query() or evaluate() functions, remove the nodes from the document by writing to nodeValue of an ancestor, trigger "double free or corruption" and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=69373
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Stack-based buffer overflow
EUVDB-ID: #VU7356
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11628
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition or potentially execute arbitrary code.
The weakness exists due to stack buffer overflow in PHP INI parsing API 2 when handling malicious input. A remote attacker can send specially crafted data, trigger stack buffer overflow in zend_ini_do_op() that may lead to out-of-bounds write, cause the application to crash or execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=74603
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
10) Out-of-bounds read
EUVDB-ID: #VU7355
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists due to out-of-bounds read in GIF decoding function gdImageCreateFromGifCtx in gd_gif_in.cwddx_deserialize(). A remote attacker can use a specially crafted GIF image with the smallest global color table of size 2 and read arbitrary files one system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=74435
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
11) Heap out-of-bounds read
EUVDB-ID: #VU7353
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exist due to heap out-of-bounds read in timelib_meridian() while deserializing an invalid dateTime value, wddx_deserialize(). A remote attacker can read arbitrary files from the process memory.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=74819
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
12) Stack-based buffer overflow
EUVDB-ID: #VU7352
Risk: High
CVSSv3.1: 8.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2017-11362
CWE-ID:
CWE-121 - Stack-based buffer overflow
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code.
The weakness exists due to stack buffer overflow in line 142 when parsing locale in msgfmt_parse_message(). A remote attacker can trigger an error when passing overtly long slocale into libicu's umsg_open() that may lead to out-of-bounds write and execute arbitrary code with web server privileges.
Successful exploitation of the vulnerability may result in system compromise.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=73473
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
13) Out-of-bounds read
EUVDB-ID: #VU7351
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-125 - Out-of-bounds read
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to obtain potentially sensitive information.
The weakness exists in Core PHP due to heap out-of bounds-read in finish_nested_data (). A remote attacker can read arbitrary files on the system.
Successful exploitation of the vulnerability results in information disclosure.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=74111
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
14) Heap use-after-free
EUVDB-ID: #VU7350
Risk: Low
CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE-ID: N/A
CWE-ID:
CWE-416 - Use After Free
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to cause DoS condition.
The weakness exists in Core PHP due to heap use-after-free error in unserealize within zval_get_type (). A remote attacker can trigger memory corruption and cause the application to crash.
Successful exploitation of the vulnerability results in denial of service.
Update to version 7.0.21.
PHP: 7.0.0 - 7.0.20
External linkshttp://php.net/ChangeLog-7.php#7.0.21
http://bugs.php.net/bug.php?id=74101
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
