Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
amazonAmazonALAS-2014-377
HistoryJul 23, 2014 - 1:39 p.m.

Important: php-ZendFramework

2014-07-2313:39:00
alas.aws.amazon.com
12

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.016 Low

EPSS

Percentile

87.0%

JSON

Issue Overview:

The GenericConsumer class in the Consumer component in ZendOpenId before 2.0.2 and the Zend_OpenId_Consumer class in Zend Framework 1 before 1.12.4 violate the OpenID 2.0 protocol by ensuring only that at least one field is signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

XML eXternal Entity (XXE) and XML Entity Expansion (XEE) flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity (XXE) attacks.

Using the Consumer component of ZendOpenId (or Zend_OpenId in ZF1), it is possible to login using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means OpenID it is possible to login using arbitrary OpenID Identity (MyOpenID, Google, etc), which are not under the control of our own OpenID Provider. Thus, we are able to impersonate any OpenID Identity against the framework.

Moreover, the Consumer accepts OpenID tokens with arbitrary signed elements. The framework does not check if, for example, both openid.claimed_id and openid.endpoint_url are signed. It is just sufficient to sign one parameter. According to https://openid.net/specs/openid-authentication-2_0.html#positive_assertions, at least op_endpoint, return_to, response_nonce, assoc_handle, and, if present in the response, claimed_id and identity, must be signed.

Affected Packages:

php-ZendFramework

Issue Correction:
Run yum update php-ZendFramework to update your system.

New Packages:

noarch:  
    php-ZendFramework-Pdf-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Services-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Captcha-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-extras-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Ldap-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-full-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Auth-Adapter-Ldap-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Cache-Backend-Memcached-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Soap-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Feed-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Db-Adapter-Pdo-Mysql-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Dojo-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Cache-Backend-Apc-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-demos-1.12.5-1.8.amzn1.noarch  
    php-ZendFramework-Db-Adapter-Mysqli-1.12.5-1.8.amzn1.noarch  
  
src:  
    php-ZendFramework-1.12.5-1.8.amzn1.src

Additional References

Red Hat: CVE-2014-2681, CVE-2014-2682, CVE-2014-2683, CVE-2014-2684, CVE-2014-2685

Mitre: CVE-2014-2681, CVE-2014-2682, CVE-2014-2683, CVE-2014-2684, CVE-2014-2685

OSVersionArchitecturePackageVersionFilename
Amazon Linux1noarchphp-zendframework-pdf< 1.12.5-1.8.amzn1php-ZendFramework-Pdf-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-search-lucene< 1.12.5-1.8.amzn1php-ZendFramework-Search-Lucene-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-serializer-adapter-igbinary< 1.12.5-1.8.amzn1php-ZendFramework-Serializer-Adapter-Igbinary-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-db-adapter-pdo-pgsql< 1.12.5-1.8.amzn1php-ZendFramework-Db-Adapter-Pdo-Pgsql-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-cache-backend-libmemcached< 1.12.5-1.8.amzn1php-ZendFramework-Cache-Backend-Libmemcached-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework< 1.12.5-1.8.amzn1php-ZendFramework-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-db-adapter-pdo-mssql< 1.12.5-1.8.amzn1php-ZendFramework-Db-Adapter-Pdo-Mssql-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-services< 1.12.5-1.8.amzn1php-ZendFramework-Services-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-captcha< 1.12.5-1.8.amzn1php-ZendFramework-Captcha-1.12.5-1.8.amzn1.noarch.rpm
Amazon Linux1noarchphp-zendframework-db-adapter-pdo< 1.12.5-1.8.amzn1php-ZendFramework-Db-Adapter-Pdo-1.12.5-1.8.amzn1.noarch.rpm
Rows per page:
1-10 of 221

Related

nessus 10
mageia 1
openvas 17
fedora 8
securityvulns 5
osv 7
debian 4
veracode 4
cve 5
prion 5
ubuntucve 5
github 3
nessus
nessus
Fedora 20 : php-ZendFramework2-2.2.6-1.fc20 (2014-4612)
2014-04-15 00:00:00
Fedora 19 : php-ZendFramework-1.12.5-1.fc19 (2014-4603)
2014-04-15 00:00:00
Amazon Linux AMI : php-ZendFramework (ALAS-2014-377)
2014-10-12 00:00:00
mageia
mageia
Updated php-ZendFramework packages fix multiple vulnerabilities
2014-04-03 04:43:46
openvas
openvas
Amazon Linux: Security Advisory (ALAS-2014-377)
2015-09-08 00:00:00
Fedora Update for php-ZendFramework FEDORA-2014-4603
2014-04-15 00:00:00
Fedora Update for php-ZendFramework2 FEDORA-2014-4636
2014-04-15 00:00:00
fedora
fedora
[SECURITY] Fedora 20 Update: php-ZendFramework-1.12.5-1.fc20
2014-04-14 22:36:10
[SECURITY] Fedora 20 Update: php-ZendFramework2-2.2.7-1.fc20
2014-05-28 23:52:16
[SECURITY] Fedora 20 Update: php-ZendFramework2-2.2.6-1.fc20
2014-04-14 22:45:44
securityvulns
securityvulns
[ MDVSA-2014:072 ] php-ZendFramework
2014-05-05 00:00:00
[ MDVSA-2015:097 ] php-ZendFramework
2015-05-12 00:00:00
[SECURITY] [DSA 3265-1] zendframework security update
2015-06-08 00:00:00
osv
osv
zendframework - security update
2015-05-20 00:00:00
zendframework - regression update
2015-05-20 00:00:00
zendframework - security update
2015-06-23 00:00:00
debian
debian
[SECURITY] [DSA 3265-2] zendframework regression update
2015-05-24 11:55:24
[SECURITY] [DSA 3265-1] zendframework security update
2015-05-20 09:37:25
[SECURITY] [DLA 251-1] zendframework security update
2015-06-20 18:40:57
veracode
veracode
Xml Entity Expansion (XEE)
2017-07-30 03:57:23
Authentication Bypass
2017-07-30 23:11:29
Bypassing Authentication And Spoofing Arbitrary OpenID Identities
2017-07-29 12:01:20
cve
cve
CVE-2014-2685
2014-09-04 17:55:00
CVE-2014-2684
2014-11-16 00:59:00
CVE-2014-2682
2014-11-16 00:59:00
prion
prion
Authentication flaw
2014-09-04 17:55:00
Authentication flaw
2014-11-16 00:59:00
Xxe
2014-11-16 00:59:00
ubuntucve
ubuntucve
CVE-2014-2685
2014-09-04 00:00:00
CVE-2014-2684
2014-11-16 00:00:00
CVE-2014-2682
2014-11-16 00:00:00
github
github
Several Zend Products Vulnerable to XXE and XEE attacks
2022-05-14 00:56:24
Several Zend Products Vulnerable to XXE and XEE attacks
2022-05-14 00:56:24
Several Zend Products Vulnerable to XXE and XEE attacks
2022-05-14 00:56:24

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.016 Low

EPSS

Percentile

87.0%

JSON
Related for ALAS-2014-377
nessus10mageia1openvas17fedora8securityvulns5osv7debian4veracode4cve5prion5ubuntucve5github3