Lucene search

Kaspersky LabKLA10944

HistoryJan 11, 2017 - 12:00 a.m.

KLA10944 Denial of service and arbitrary code execution vulnerabilities in PHP

2017-01-1100:00:00

Kaspersky Lab

threats.kaspersky.com

7.5 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

9.9 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

75.9%

JSON

An improper implementation of the SplObjectStorage unserialize in ext/spl/spl_observer.c was found in PHP before 7.0.12. By exploiting this vulnerability malicious users can execute arbitrary code or cause a denial of service. This vulnerability can be exploited remotely via a specially designed serialized data.

Technical details

Vulnerability occurs because an implementation does not verify whether a key is an object or not.

Original advisories

PHP Bug Tracking System

Related products

PHP

CVE list

CVE-2016-7480 critical

Solution

Update to the latest version

Download PHP

Impacts

Arbitrary code execution. Exploitation of vulnerabilities with this impact can lead to executing by abuser any code or commands at vulnerable machine or process.

Denial of service. Exploitation of vulnerabilities with this impact can lead to loss of system availability or critical functional fault.

Security bypass. Exploitation of vulnerabilities with this impact can lead to performing actions restricted by current security settings.