Resource exhaustion in php7 (Alpine package)

1) Resource exhaustion

EUVDB-ID: #VU10880

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-9253

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the php-fpm master process due to improper processing of crafted PHP scripts. A remote attacker can send a specially crafted PHP script, trigger the php-fpm master process to restart a child process and cause the php-fpm master process the php-fpm master process to consume all available CPU resources and excessive amounts of disk space that results in denial of service.

Mitigation

Install update from vendor's website.

Vulnerable software versions

php7 (Alpine package): 7.0.7-r0 - 7.2.7-r0

External links

http://git.alpinelinux.org/aports/commit/?id=583c0d55e9e7208425dd53eb1739a7010b6b0dbc
http://git.alpinelinux.org/aports/commit/?id=7c1daf27a04307093cef0fcb3f1c5ab4bb68eee1
http://git.alpinelinux.org/aports/commit/?id=797bba4604043977849b0c0cf0b2ef7b21b1ea8c
http://git.alpinelinux.org/aports/commit/?id=38460e57f1f299ba2454aa7869c699f1ab333ca1
http://git.alpinelinux.org/aports/commit/?id=e926d392a07679544bce3f4b6c80437ce08b92b5
http://git.alpinelinux.org/aports/commit/?id=736eba37f03f8a66f0c893cd64eb88e4bf229119

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.