Ubuntu update for PHP

Published: 2018-09-18 | Updated: 2018-12-29

Risk	Low
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2015-9253 CVE-2018-14851 CVE-2018-14883
CWE-ID	CWE-400 CWE-122 CWE-190
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #1 is available.
Vulnerable software Subscribe	php7.2 (Ubuntu package) Operating systems & Components / Operating system package or component php7.0 (Ubuntu package) Operating systems & Components / Operating system package or component php5 (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Resource exhaustion

EUVDB-ID: #VU10880

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-9253

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the php-fpm master process due to improper processing of crafted PHP scripts. A remote attacker can send a specially crafted PHP script, trigger the php-fpm master process to restart a child process and cause the php-fpm master process the php-fpm master process to consume all available CPU resources and excessive amounts of disk space that results in denial of service.

Mitigation

Update the affected packages.

Ubuntu 18.04 LTS: libapache2-mod-php7.2 - 7.2.10-0ubuntu0.18.04.1; php7.2-cgi - 7.2.10-0ubuntu0.18.04.1; php7.2-cli - 7.2.10-0ubuntu0.18.04.1; php7.2-fpm - 7.2.10-0ubuntu0.18.04.1
Ubuntu 16.04 LTS: libapache2-mod-php7.0 - 7.0.32-0ubuntu0.16.04.1; php7.0-cgi - 7.0.32-0ubuntu0.16.04.1; php7.0-cli - 7.0.32-0ubuntu0.16.04.1; php7.0-fpm - 7.0.32-0ubuntu0.16.04.1
Ubuntu 14.04 LTS: libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.26; php5-cgi - 5.5.9+dfsg-1ubuntu4.26; php5-cli - 5.5.9+dfsg-1ubuntu4.26; php5-fpm - 5.5.9+dfsg-1ubuntu4.26

Vulnerable software versions

php7.2 (Ubuntu package): 7.2.0-1 - 7.2.11-3

php7.0 (Ubuntu package): 7.0.0-1 - 7.0.30-0ubuntu0.16.04.1

php5 (Ubuntu package): 5.5.0+dfsg-1 - 5.5.9+dfsg-1ubuntu4.25

External links

http://usn.ubuntu.com/3766-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Heap-based buffer overflow

EUVDB-ID: #VU13916

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14851

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to heap-based buffer overflow (READ of size 48) while reading exif data. A remote attacker can trigger memory corruption and cause the service to crash.

Mitigation

Update the affected packages.

Ubuntu 18.04 LTS: libapache2-mod-php7.2 - 7.2.10-0ubuntu0.18.04.1; php7.2-cgi - 7.2.10-0ubuntu0.18.04.1; php7.2-cli - 7.2.10-0ubuntu0.18.04.1; php7.2-fpm - 7.2.10-0ubuntu0.18.04.1
Ubuntu 16.04 LTS: libapache2-mod-php7.0 - 7.0.32-0ubuntu0.16.04.1; php7.0-cgi - 7.0.32-0ubuntu0.16.04.1; php7.0-cli - 7.0.32-0ubuntu0.16.04.1; php7.0-fpm - 7.0.32-0ubuntu0.16.04.1
Ubuntu 14.04 LTS: libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.26; php5-cgi - 5.5.9+dfsg-1ubuntu4.26; php5-cli - 5.5.9+dfsg-1ubuntu4.26; php5-fpm - 5.5.9+dfsg-1ubuntu4.26

Vulnerable software versions

php7.2 (Ubuntu package): 7.2.0-1 - 7.2.11-3

php7.0 (Ubuntu package): 7.0.0-1 - 7.0.30-0ubuntu0.16.04.1

php5 (Ubuntu package): 5.5.0+dfsg-1 - 5.5.9+dfsg-1ubuntu4.26

External links

http://usn.ubuntu.com/3766-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Memory corruption

EUVDB-ID: #VU13915

Risk: Low

CVSSv3.1: 4.6 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-14883

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to integer overflow when processing exif_read_data in any 32-bit system. A remote attacker can trigger heap-based buffer overflow in exif_thumbnail_extract of exif.c and cause the service to crash.

Mitigation

Update the affected packages.

Ubuntu 18.04 LTS: libapache2-mod-php7.2 - 7.2.10-0ubuntu0.18.04.1; php7.2-cgi - 7.2.10-0ubuntu0.18.04.1; php7.2-cli - 7.2.10-0ubuntu0.18.04.1; php7.2-fpm - 7.2.10-0ubuntu0.18.04.1
Ubuntu 16.04 LTS: libapache2-mod-php7.0 - 7.0.32-0ubuntu0.16.04.1; php7.0-cgi - 7.0.32-0ubuntu0.16.04.1; php7.0-cli - 7.0.32-0ubuntu0.16.04.1; php7.0-fpm - 7.0.32-0ubuntu0.16.04.1
Ubuntu 14.04 LTS: libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.26; php5-cgi - 5.5.9+dfsg-1ubuntu4.26; php5-cli - 5.5.9+dfsg-1ubuntu4.26; php5-fpm - 5.5.9+dfsg-1ubuntu4.26

Vulnerable software versions

php5 (Ubuntu package): 5.5.0+dfsg-1 - 5.5.9+dfsg-1ubuntu4.25

php7.2 (Ubuntu package): before 7.2.10-0ubuntu0.18.04.1

php7.0 (Ubuntu package): before 7.0.32-0ubuntu0.16.04.1

External links

http://usn.ubuntu.com/3766-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.