Cloud Foundry Logo
blog single gear
Blog
Security Advisory

Multiple PHP vulnerabilities

by: March 17, 2017

Multiple PHP vulnerabilities

Severity

Medium

Vendor

PHP

Versions Affected

  • Cloud Foundry PHP buildpack versions prior to 4.3.29
  • Note: The PHP buildpack is patched from upstream PHP source

Description

It was discovered that PHP incorrectly handled certain arguments to the locale_get_display_name function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9912)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to hang, resulting in a denial of service. (CVE-2016-7478)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-9934)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain EXIF data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash or consume resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10161)

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • PHP Buildpack prior to version 4.3.29

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade the PHP Buildpack to v4.3.29 or later and restage all applications that use automated buildpack detection.

References

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

USN-6793-1: Git vulnerabilities
Security Advisory

USN-6793-1: Git vulnerabilities

by Cloud Foundry Foundation Security Team July 25, 2024
USN-5352-1: Libtasn1 vulnerability
Security Advisory

USN-5352-1: Libtasn1 vulnerability

by Cloud Foundry Foundation Security Team May 23, 2022
USN-3736-1: libarchive vulnerabilities
Security Advisory

USN-3736-1: libarchive vulnerabilities

by Cloud Foundry Foundation Security Team September 11, 2018
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept