Multiple Vulnerabilities in PHP Could Allow for Denial of Service

ITS Advisory Number: 2020-068
Date(s) Issued: Monday, May 18, 2020
Subject: Multiple Vulnerabilities in PHP Could Allow for Denial of Service
Overview: 

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. PHP is a programming language originally designed for use in web-based applications with HTML content. PHP supports a wide variety of platforms and is used by numerous web-based software applications. Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.

 

THREAT INTELLIGENCE:

There are currently no reports of these vulnerabilities being exploited in the wild.

Systems Affected: 

PHP 7.2 Prior to Version 7.2.3

PHP 7.2.4 Prior to Version 7.3.17

PHP 7.3.2 Prior to Version 7.4.5

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

Multiple vulnerabilities have been discovered in PHP, the most severe of which could allow for a denial-of-service condition. Details of these vulnerabilities are as follows:

 

Version 7.2.30:

  • Bug (SIGSEGV when closing stream handle with a stream filter appended).
  • Bug (shell_exec() silently truncates after a null byte).
  • Bug (OOB Read in urldecode()).

 

Version 7.3.17:

  • Bug (When copy empty array, next key is unspecified).
  • Bug (Invalid pointer address).
  • Bug (curl_copy_handle() memory leak).
  • Bug (DateTime hour incorrect during DST jump forward).
  • Bug (Some iconv functions cut Windows-1258).
  • Bug (Opcache chokes and uses 100% CPU on specific script).
  • Bug (session_create_id() fails for active sessions).
  • Bug (Integer Overflow in shmop_open()).
  • Bug (SXE properties may lack attributes and content).
  • Bug (SplStack::unserialize() behavior).
  • Bug (Null coalescing operator failing with SplFixedArray).
  • Bug (shell_exec() silently truncates after a null byte).
  • Bug (OOB Read in urldecode()). (CVE-2020-7067)
  • Bug (system() swallows last chunk if it is exactly 4095 bytes without newline).
  • Bug (ZipArchive::open fails on empty file).
  • Bug (php_zip_glob uses gl_pathc after call to globfree).

 

Version 7.3.18:

  • Bug (Long filenames cause OOM and temp files are not cleaned). (CVE-2019-11048)
  • Bug (Long variables in multipart/form-data cause OOM and temp files are not cleaned). (CVE-2019-11048)
  • Bug (PHP 7.3 and PHP-7.4 crash with NULL-pointer dereference on !CS constant).
  • Bug (casting object into array creates references).
  • Bug (PHP incompatible with 3rd party file system on demand).
  • Bug (Unable to interact with files inside a VFS for Git repository).
  • Bug (DOMNode::normalize() doesn't remove empty text nodes).
  • Bug (Search for .user.ini extends up to root dir).
  • Bug (Segfault in mb_chr() if internal encoding is unsupported).
  • Bug (stream_socket_client() throws an unknown error sometimes with <1s timeout).
  • Bug (Memory leak on duplicate metadata).
  • Bug (Different object of the same xml between 7.4.5 and 7.4.4).
  • Bug (SIGSEGV when closing stream handle with a stream filter appended).

 

Version 7.4.5:

  • Bug (When copy empty array, next key is unspecified).
  • Bug (Invalid pointer address).
  • Bug (curl_copy_handle() memory leak).
  • Bug (DateTime hour incorrect during DST jump forward).
  • Bug (DateTimeZone loose comparison always true).
  • Bug (Some iconv functions cut Windows-1258).
  • Bug (Opcache chokes and uses 100% CPU on specific script).
  • Bug (session_create_id() fails for active sessions).
  • Bug (Integer Overflow in shmop_open()).
  • Bug (SXE properties may lack attributes and content).
  • Bug (SOAP request segfaults when any request parameter is missing).
  • Bug (SplStack::unserialize() behavior).
  • Bug (Null coalescing operator failing with SplFixedArray).
  • Bug (shell_exec() silently truncates after a null byte).
  • Bug (system() swallows last chunk if it is exactly 4095 bytes without newline).
  • Bug (OOB Read in urldecode()). (CVE-2020-7067)
  • Bug (ZipArchive::open fails on empty file).
  • Bug (php_zip_glob uses gl_pathc after call to globfree).

 

Successfully exploiting the most severe of these vulnerabilities could allow an attacker to crash the PHP process. This could allow for a denial-of-service condition once the process stops running.

Actions: 
  • After appropriate testing, immediately upgrade to the latest version of PHP.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Apply the principle of Least Privilege to all systems and services.
  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.
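
To support the upgrade action above, the following added example (not part of the advisory) classifies a PHP version string, as reported by php -v, against the per-branch releases named in the Description. It assumes the highest release listed for each branch (7.2.30, 7.3.18, 7.4.5) is the minimum acceptable patch level; the function names and sample banners are illustrative.

```shell
#!/bin/sh
# Added example, not from the advisory. Assumption: the highest release the
# Description lists per branch is the minimum acceptable patch level.

# php_min_patch BRANCH: print the minimum patch number for a listed branch.
php_min_patch() {
    case "$1" in
        7.2) echo 30 ;;   # Version 7.2.30
        7.3) echo 18 ;;   # Version 7.3.18
        7.4) echo 5 ;;    # Version 7.4.5
        *)   return 1 ;;  # branch not named in the advisory
    esac
}

# php_version_from_banner TEXT: pull "X.Y.Z..." out of the first line of `php -v`.
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n '1s/^PHP \([^ ]*\).*/\1/p'
}

# php_advisory_status VERSION: print patched, vulnerable, not-covered or invalid.
php_advisory_status() {
    # Keep MAJOR.MINOR.PATCH only; distro suffixes ("-1ubuntu1") are dropped,
    # so a distro backport of the fix is NOT detected and needs a manual check.
    ver=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || { echo invalid; return 0; }
    branch=${ver%.*}
    patch=${ver##*.}
    min=$(php_min_patch "$branch") || { echo not-covered; return 0; }
    if [ "$patch" -ge "$min" ]; then echo patched; else echo vulnerable; fi
}

# Constructed sample banners standing in for `php -v` output from four hosts.
for banner in \
    'PHP 7.2.29 (cli) (built: Mar 20 2020 10:00:00) ( NTS )' \
    'PHP 7.3.18 (cli) (built: May 14 2020 10:00:00) ( NTS )' \
    'PHP 7.4.3-4ubuntu2 (cli) (built: Apr 1 2020 10:00:00) ( NTS )' \
    'PHP 5.6.40 (cli) (built: Jan 10 2019 10:00:00)'
do
    v=$(php_version_from_banner "$banner")
    printf '%-20s %s\n' "$v" "$(php_advisory_status "$v")"
done
```

A result of not-covered means only that the branch is not named in this advisory, not that the installation is safe; raise the per-branch floors as newer PHP releases appear.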