#VU10800 Stack-based buffer overflow in PHP


Published: 2018-03-01 | Updated: 2018-03-12

Vulnerability identifier: #VU10800

Vulnerability risk: Low

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-7584

CWE-ID: CWE-121

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to stack-based buffer overflow when handling malicious input. A remote attacker can send specially crafted HTTP response packets, trigger memory corruption and cause the application to crash.

Mitigation
Update to version 5.6.34, 7.0.28, 7.1.15.

Vulnerable software versions

PHP: 7.0.27, 7.1.14, 5.6.33

External links
http://php.net/ChangeLog-5.php
http://php.net/ChangeLog-7.php

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Red Hat Enterprise Linux 7 update for php
Debian update for php7.0
Amazon Linux AMI update for php70, php56
Amazon Linux AMI update for php71
SUSE Linux update for php53
Ubuntu update for PHP
Slackware Linux update for php
Stack-based buffer overflow in php5 (Alpine package)
Stack-based buffer overflow in php7 (Alpine package)
Multiple vulnerabilities in PHP