Ubuntu update for PHP

Published: 2020-02-17

Risk	High
Patch available	YES
Number of vulnerabilities	3
CVE-ID	CVE-2020-7060 CVE-2020-7059 CVE-2015-9253
CWE-ID	CWE-125 CWE-400
Exploitation vector	Network
Public exploit	Public exploit code for vulnerability #3 is available.
Vulnerable software Subscribe	php7.3 (Ubuntu package) Operating systems & Components / Operating system package or component php7.2 (Ubuntu package) Operating systems & Components / Operating system package or component
Vendor	Canonical Ltd.

Security Bulletin

This security bulletin contains information about 3 vulnerabilities.

1) Out-of-bounds read

EUVDB-ID: #VU25110

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7060

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when using certain "mbstring" functions to convert multibyte encodings. A remote attacker can supply data that will cause function "mbfl_filt_conv_big5_wchar" to read past the allocated buffer, trigger out-of-bounds read error and read contents of memory on the system or crash the application.

Mitigation

Update the affected packages.

Ubuntu 19.10: libapache2-mod-php7.3 - 7.3.11-0ubuntu0.19.10.3; php7.3-cgi - 7.3.11-0ubuntu0.19.10.3; php7.3-cli - 7.3.11-0ubuntu0.19.10.3; php7.3-fpm - 7.3.11-0ubuntu0.19.10.3
Ubuntu 18.04 LTS: libapache2-mod-php7.2 - 7.2.24-0ubuntu0.18.04.3; php7.2-cgi - 7.2.24-0ubuntu0.18.04.3; php7.2-cli - 7.2.24-0ubuntu0.18.04.3; php7.2-fpm - 7.2.24-0ubuntu0.18.04.3
Ubuntu 16.04 LTS: libapache2-mod-php7.0 - 7.0.33-0ubuntu0.16.04.11; php7.0-cgi - 7.0.33-0ubuntu0.16.04.11; php7.0-cli - 7.0.33-0ubuntu0.16.04.11; php7.0-fpm - 7.0.33-0ubuntu0.16.04.11
Ubuntu 14.04 ESM: libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-cgi - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-cli - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-fpm - 5.5.9+dfsg-1ubuntu4.29+esm10
Ubuntu 12.04 ESM: libapache2-mod-php5 - 5.3.10-1ubuntu3.44; php5-cgi - 5.3.10-1ubuntu3.44; php5-cli - 5.3.10-1ubuntu3.44; php5-fpm - 5.3.10-1ubuntu3.44

Vulnerable software versions

php7.3 (Ubuntu package): 7.3.11-0ubuntu0.19.10.1 - 7.3.11-0ubuntu0.19.10.2

php7.2 (Ubuntu package): 7.2.24-0ubuntu0.18.04.1 - 7.2.24-0ubuntu0.18.04.2

External links

http://usn.ubuntu.com/4279-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Out-of-bounds read

EUVDB-ID: #VU25109

Risk: High

CVSSv3.1: 7.1 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2020-7059

CWE-ID: CWE-125 - Out-of-bounds read

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information or perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary condition when using the "fgetss()" function to read data with stripping tags. A remote attacker can supply data that will cause this function to read past the allocated buffer, trigger out-of-bounds read error and read contents of memory on the system or crash the application.

Mitigation

Update the affected packages.

Ubuntu 19.10: libapache2-mod-php7.3 - 7.3.11-0ubuntu0.19.10.3; php7.3-cgi - 7.3.11-0ubuntu0.19.10.3; php7.3-cli - 7.3.11-0ubuntu0.19.10.3; php7.3-fpm - 7.3.11-0ubuntu0.19.10.3
Ubuntu 18.04 LTS: libapache2-mod-php7.2 - 7.2.24-0ubuntu0.18.04.3; php7.2-cgi - 7.2.24-0ubuntu0.18.04.3; php7.2-cli - 7.2.24-0ubuntu0.18.04.3; php7.2-fpm - 7.2.24-0ubuntu0.18.04.3
Ubuntu 16.04 LTS: libapache2-mod-php7.0 - 7.0.33-0ubuntu0.16.04.11; php7.0-cgi - 7.0.33-0ubuntu0.16.04.11; php7.0-cli - 7.0.33-0ubuntu0.16.04.11; php7.0-fpm - 7.0.33-0ubuntu0.16.04.11
Ubuntu 14.04 ESM: libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-cgi - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-cli - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-fpm - 5.5.9+dfsg-1ubuntu4.29+esm10
Ubuntu 12.04 ESM: libapache2-mod-php5 - 5.3.10-1ubuntu3.44; php5-cgi - 5.3.10-1ubuntu3.44; php5-cli - 5.3.10-1ubuntu3.44; php5-fpm - 5.3.10-1ubuntu3.44

Vulnerable software versions

php7.3 (Ubuntu package): 7.3.11-0ubuntu0.19.10.1 - 7.3.11-0ubuntu0.19.10.2

php7.2 (Ubuntu package): 7.2.24-0ubuntu0.18.04.1 - 7.2.24-0ubuntu0.18.04.2

External links

http://usn.ubuntu.com/4279-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

3) Resource exhaustion

EUVDB-ID: #VU10880

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2015-9253

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists in the php-fpm master process due to improper processing of crafted PHP scripts. A remote attacker can send a specially crafted PHP script, trigger the php-fpm master process to restart a child process and cause the php-fpm master process the php-fpm master process to consume all available CPU resources and excessive amounts of disk space that results in denial of service.

Mitigation

Update the affected packages.

Ubuntu 19.10: libapache2-mod-php7.3 - 7.3.11-0ubuntu0.19.10.3; php7.3-cgi - 7.3.11-0ubuntu0.19.10.3; php7.3-cli - 7.3.11-0ubuntu0.19.10.3; php7.3-fpm - 7.3.11-0ubuntu0.19.10.3
Ubuntu 18.04 LTS: libapache2-mod-php7.2 - 7.2.24-0ubuntu0.18.04.3; php7.2-cgi - 7.2.24-0ubuntu0.18.04.3; php7.2-cli - 7.2.24-0ubuntu0.18.04.3; php7.2-fpm - 7.2.24-0ubuntu0.18.04.3
Ubuntu 16.04 LTS: libapache2-mod-php7.0 - 7.0.33-0ubuntu0.16.04.11; php7.0-cgi - 7.0.33-0ubuntu0.16.04.11; php7.0-cli - 7.0.33-0ubuntu0.16.04.11; php7.0-fpm - 7.0.33-0ubuntu0.16.04.11
Ubuntu 14.04 ESM: libapache2-mod-php5 - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-cgi - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-cli - 5.5.9+dfsg-1ubuntu4.29+esm10; php5-fpm - 5.5.9+dfsg-1ubuntu4.29+esm10
Ubuntu 12.04 ESM: libapache2-mod-php5 - 5.3.10-1ubuntu3.44; php5-cgi - 5.3.10-1ubuntu3.44; php5-cli - 5.3.10-1ubuntu3.44; php5-fpm - 5.3.10-1ubuntu3.44

Vulnerable software versions

php7.3 (Ubuntu package): 7.3.11-0ubuntu0.19.10.1 - 7.3.11-0ubuntu0.19.10.2

php7.2 (Ubuntu package): 7.2.24-0ubuntu0.18.04.1 - 7.2.24-0ubuntu0.18.04.2

External links

http://usn.ubuntu.com/4279-1/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.