Cloud Foundry Logo
blog single gear
Blog
Security Advisory

Multiple PHP vulnerabilities

by: March 17, 2017

Multiple PHP vulnerabilities

Severity

Medium

Vendor

PHP

Versions Affected

  • Cloud Foundry PHP buildpack versions prior to 4.3.29
  • Note: The PHP buildpack is patched from upstream PHP source

Description

It was discovered that PHP incorrectly handled certain arguments to the locale_get_display_name function. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9912)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to hang, resulting in a denial of service. (CVE-2016-7478)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-7479)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. This issue only applied to Ubuntu 14.04 LTS. (CVE-2016-9137)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-9934)

It was discovered that PHP incorrectly handled unserializing certain wddxPacket XML documents. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-9935)

It was discovered that PHP incorrectly handled certain EXIF data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10158)

It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash or consume resources, resulting in a denial of service. (CVE-2016-10159)

It was discovered that PHP incorrectly handled certain PHAR archives. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2016-10160)

It was discovered that PHP incorrectly handled certain invalid objects when unserializing data. A remote attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2016-10161)

Affected Cloud Foundry Products and Versions

Severity is medium unless otherwise noted.

  • PHP Buildpack prior to version 4.3.29

Mitigation

OSS users are strongly encouraged to follow one of the mitigations below:

  • Upgrade the PHP Buildpack to v4.3.29 or later and restage all applications that use automated buildpack detection.

References

 

Cloud Foundry Foundation Security Team Profile Image

Cloud Foundry Foundation Security Team, AUTHOR

SEE ALL ARTICLES

You Might Also Like

CVE-2017-4960: UAA OAuth DOS via lockout feature
Security Advisory

CVE-2017-4960: UAA OAuth DOS via lockout feature

by Cloud Foundry Foundation Security Team March 8, 2017
USN-3212-2: LibTIFF regression
Security Advisory

USN-3212-2: LibTIFF regression

by Cloud Foundry Foundation Security Team June 22, 2017
Meltdown and Spectre Attacks
Security Advisory

Meltdown and Spectre Attacks

by Cloud Foundry Foundation Security Team January 24, 2018
This website uses cookies to offer you a better browsing experience. Find out more about how we use cookies and how you can change your settings. Accept