PHP 5.6.2, 5.5.18 and 5.4.34 released with vulnerability fixes

Posted: October 17, 2014 in IT Security News

The PHP developers have fixed four vulnerabilities in their products.

The update fixes a vulnerability that could lead to an integer overflow.

The PHP developers have released versions 5.6.2, 5.5.18 and 5.4.34 of their scripting language, fixing four vulnerabilities, including CVE-2014-3668, CVE-2014-3669 and CVE-2014-3670.

All of the holes were discovered in September of this year. The most dangerous of the patched vulnerabilities is CVE-2014-3669: an integer overflow triggered when specially crafted serialized data is parsed with the unserialize() function.

This vulnerability affects only 32-bit systems, but it is dangerous because serialized data often arrives over user-controlled channels.

The updates also fix a flaw that allowed a NUL byte to be injected in cURL, heap corruption while processing modified data in exif_thumbnail(), and a buffer overflow in the mkgmtime() function of the XMLRPC module.
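Because the unserialize() bug is only reachable through data the application chooses to parse, the usual mitigation is to never pass raw user input to unserialize() at all: bind anything stored in a client-visible channel to an HMAC and verify it first. The snippet below is an added example, not code from the original post or from the PHP project; the key name and the cookie value are constructed assumptions.

```php
<?php
// Added example (not from the original post): only unserialize() data the
// application itself produced, by binding it to an HMAC. Untrusted input such
// as a cookie then never reaches the parser affected by CVE-2014-3669.

// Assumption: in real code the key is loaded from configuration, not hard-coded.
$secret = 'example-key-loaded-from-config';

// Wrap a value for storage in a client-visible channel (cookie, hidden field).
function seal($value, $secret) {
    $payload = serialize($value);
    $mac = hash_hmac('sha256', $payload, $secret); // hex, so ':' is a safe separator
    return $mac . ':' . $payload;
}

// Verify the tag before calling unserialize(); reject anything that fails.
function open_sealed($blob, $secret) {
    $parts = explode(':', $blob, 2);
    if (count($parts) !== 2) {
        return null;
    }
    list($mac, $payload) = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hmac_equals($expected, $mac)) {
        return null; // tampered or not ours: never parse it
    }
    return unserialize($payload);
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6 onwards.
function hmac_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Risky pattern the advisory describes: parsing a user-controlled string directly.
// $state = unserialize($_COOKIE['state']);

// Hardened round trip on a constructed value; a tampered copy is rejected (null).
$cookie = seal(array('user' => 'alice', 'role' => 'viewer'), $secret);
var_dump(open_sealed($cookie, $secret));
var_dump(open_sealed($cookie . 'x', $secret));
```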

Multiple vulnerabilities in PHP

Severity: High
Fix available: Yes
Number of vulnerabilities: 3

CVSSv2 rating: (AV:L/AC:M/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C) = Base: 4.7 / Temporal: 3.8
(AV:L/AC:L/Au:N/C:C/I:C/A:C/E:U/RL:W/RC:C) = Base: 7.2 / Temporal: 5.8
(AV:L/AC:L/Au:N/C:N/I:N/A:C/E:U/RL:W/RC:C) = Base: 4.9 / Temporal: 4.0

CVE ID:
CVE-2014-3668
CVE-2014-3669
CVE-2014-3670

Attack vector: Remote
Impact: Denial of service, disclosure of sensitive data, system compromise

Affected products: PHP 5.4.x
Affected versions: PHP versions prior to 5.6.2, PHP versions prior to 5.5.18, PHP versions prior to 5.4.34

Description:
The vulnerabilities allow a remote user to cause a denial of service or compromise a vulnerable system.

1. An unspecified error in mkgmtime(). A remote user can cause a denial of service.

2. An unspecified error in unserialize(). This can be exploited to compromise the target system.

3. An unspecified error in exif_thumbnail(). A remote user can cause a denial of service.

Solution: Install the latest version (5.4.34, 5.5.18 or 5.6.2) from the vendor's website.

Link: http://php.net/ChangeLog-5.php#5.4.34

Vendor URL: https://php.net/