Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.ALA_ALAS-2017-788.NASL
HistoryJan 27, 2017 - 12:00 a.m.

Amazon Linux AMI : php70 (ALAS-2017-788)

2017-01-2700:00:00
This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
www.tenable.com
124
JSON

The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data. (CVE-2016-7480)

Use-after-free vulnerability in the CURLFile implementation in ext/curl/curl_file.c in PHP 7.x before 7.0.12 allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data that is mishandled during __wakeup processing. (CVE-2016-9137)

Stack consumption vulnerability in the gdImageFillToBorder function in gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in PHP 7.x before 7.0.13, allows remote attackers to cause a denial of service (segmentation violation) via a crafted imagefilltoborder call that triggers use of a negative color value. (CVE-2016-9933)

ext/wddx/wddx.c in PHP 7.x before 7.0.13 allows remote attackers to cause a denial of service (NULL pointer dereference) via crafted serialized data in a wddxPacket XML document, as demonstrated by a PDORow string. (CVE-2016-9934)

The php_wddx_push_element function in ext/wddx/wddx.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (out-of-bounds read and memory corruption) or possibly have unspecified other impact via an empty boolean element in a wddxPacket XML document. (CVE-2016-9935)

The unserialize implementation in ext/standard/var.c in PHP 7.x before 7.0.14 allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted serialized data. This vulnerability exists because of an incomplete fix for CVE-2015-6834 . (CVE-2016-9936)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-788.
#

include("compat.inc");

if (description)
{
  script_id(96806);
  script_version("3.2");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2016-7480", "CVE-2016-9137", "CVE-2016-9933", "CVE-2016-9934", "CVE-2016-9935", "CVE-2016-9936");
  script_xref(name:"ALAS", value:"2017-788");

  script_name(english:"Amazon Linux AMI : php70 (ALAS-2017-788)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The SplObjectStorage unserialize implementation in
ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key
is an object, which allows remote attackers to execute arbitrary code
or cause a denial of service (uninitialized memory access) via crafted
serialized data. (CVE-2016-7480)

Use-after-free vulnerability in the CURLFile implementation in
ext/curl/curl_file.c in PHP 7.x before 7.0.12 allows remote attackers
to cause a denial of service or possibly have unspecified other impact
via crafted serialized data that is mishandled during __wakeup
processing. (CVE-2016-9137)

Stack consumption vulnerability in the gdImageFillToBorder function in
gd.c in the GD Graphics Library (aka libgd) before 2.2.2, as used in
PHP 7.x before 7.0.13, allows remote attackers to cause a denial of
service (segmentation violation) via a crafted imagefilltoborder call
that triggers use of a negative color value. (CVE-2016-9933)

ext/wddx/wddx.c in PHP 7.x before 7.0.13 allows remote attackers to
cause a denial of service (NULL pointer dereference) via crafted
serialized data in a wddxPacket XML document, as demonstrated by a
PDORow string. (CVE-2016-9934)

The php_wddx_push_element function in ext/wddx/wddx.c in PHP 7.x
before 7.0.14 allows remote attackers to cause a denial of service
(out-of-bounds read and memory corruption) or possibly have
unspecified other impact via an empty boolean element in a wddxPacket
XML document. (CVE-2016-9935)

The unserialize implementation in ext/standard/var.c in PHP 7.x before
7.0.14 allows remote attackers to cause a denial of service
(use-after-free) or possibly have unspecified other impact via crafted
serialized data. This vulnerability exists because of an incomplete
fix for CVE-2015-6834 . (CVE-2016-9936)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-788.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update php70' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-bcmath");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-cli");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-dba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-dbg");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-embedded");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-enchant");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-fpm");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-gd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-gmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-imap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-intl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-json");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-mbstring");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-mcrypt");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-mysqlnd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-odbc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-opcache");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pdo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pdo-dblib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-process");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-pspell");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-recode");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-snmp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-soap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-tidy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-xml");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-xmlrpc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:php70-zip");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/01/26");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/27");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"php70-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-bcmath-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-cli-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-common-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-dba-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-dbg-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-debuginfo-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-devel-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-embedded-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-enchant-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-fpm-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-gd-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-gmp-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-imap-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-intl-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-json-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-ldap-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-mbstring-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-mcrypt-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-mysqlnd-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-odbc-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-opcache-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-pdo-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-pdo-dblib-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-pgsql-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-process-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-pspell-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-recode-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-snmp-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-soap-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-tidy-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-xml-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-xmlrpc-7.0.14-1.20.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"php70-zip-7.0.14-1.20.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php70 / php70-bcmath / php70-cli / php70-common / php70-dba / etc");
}
VendorProductVersionCPE
amazonlinuxphp70p-cpe:/a:amazon:linux:php70
amazonlinuxphp70-bcmathp-cpe:/a:amazon:linux:php70-bcmath
amazonlinuxphp70-clip-cpe:/a:amazon:linux:php70-cli
amazonlinuxphp70-commonp-cpe:/a:amazon:linux:php70-common
amazonlinuxphp70-dbap-cpe:/a:amazon:linux:php70-dba
amazonlinuxphp70-dbgp-cpe:/a:amazon:linux:php70-dbg
amazonlinuxphp70-debuginfop-cpe:/a:amazon:linux:php70-debuginfo
amazonlinuxphp70-develp-cpe:/a:amazon:linux:php70-devel
amazonlinuxphp70-embeddedp-cpe:/a:amazon:linux:php70-embedded
amazonlinuxphp70-enchantp-cpe:/a:amazon:linux:php70-enchant
Rows per page:
1-10 of 351

Related

amazon 3
openvas 48
nessus 55
slackware 2
debiancve 6
mageia 2
ibm 1
redhatcve 5
ubuntucve 9
prion 7
cve 7
osv 10
freebsd 3
debian 10
kaspersky 5
archlinux 1
suse 1
veracode 4
hackerone 3
zdt 1
ubuntu 3
cloudfoundry 1
thn 1
apple 2
fedora 3
securityvulns 2
f5 2
gentoo 1
exploitpack 1
amazon
amazon
Medium: php70
2017-01-26 18:00:00
Medium: php56
2017-01-26 18:00:00
Low: php54
2016-03-16 16:30:00
openvas
openvas
SUSE: Security Advisory (SUSE-SU-2017:0017-1)
2021-06-09 00:00:00
SUSE: Security Advisory (SUSE-SU-2017:0038-1)
2021-06-09 00:00:00
Slackware: Security Advisory (SSA:2016-347-03)
2022-04-21 00:00:00
nessus
nessus
SUSE SLES12 Security Update : php7 (SUSE-SU-2017:0017-1)
2019-01-02 00:00:00
openSUSE Security Update : php7 (openSUSE-2017-61)
2017-01-10 00:00:00
Amazon Linux AMI : php56 (ALAS-2017-787)
2017-01-27 00:00:00
slackware
slackware
[slackware-security] php
2016-12-12 23:11:02
[slackware-security] php
2015-10-01 21:35:28
debiancve
debiancve
CVE-2016-9936
2017-01-04 20:59:00
CVE-2016-7480
2017-01-11 07:59:00
CVE-2016-9137
2017-01-04 20:59:00
mageia
mageia
Updated php packages fix security vulnerability
2016-12-23 00:41:01
Updated php packages fix security vulnerabilities
2015-09-14 00:58:30
ibm
ibm
Security Bulletin: IBM Flex System Manager (FSM) is affected by php5 vulnerabilities (CVE-2016-9933, CVE-2016-9935)
2018-06-18 01:35:18
redhatcve
redhatcve
CVE-2016-9936
2016-12-14 14:47:50
CVE-2016-9137
2016-11-02 11:47:15
CVE-2016-9933
2016-12-14 14:17:37
ubuntucve
ubuntucve
CVE-2016-9936
2017-01-04 00:00:00
CVE-2016-9137
2017-01-04 00:00:00
CVE-2016-9933
2017-01-04 00:00:00
prion
prion
Design/Logic Flaw
2017-01-04 20:59:00
Design/Logic Flaw
2017-01-04 20:59:00
Stack overflow
2017-01-04 20:59:00
cve
cve
CVE-2016-9936
2017-01-04 20:59:00
CVE-2016-9137
2017-01-04 20:59:00
CVE-2016-9933
2017-01-04 20:59:00
osv
osv
CVE-2016-9936
2017-01-04 20:59:00
CVE-2016-9137
2017-01-04 20:59:00
CVE-2016-7480
2017-01-11 07:59:00
freebsd
freebsd
PHP -- multiple vulnerabilities
2016-12-08 00:00:00
PHP -- multiple vulnerabilities
2016-12-27 00:00:00
php -- multiple vulnerabilities
2015-09-03 00:00:00
debian
debian
[SECURITY] [DSA 3732-1] php5 security update
2016-12-13 10:11:46
[SECURITY] [DSA 3732-1] php5 security update
2016-12-13 10:11:46
[SECURITY] [DLA 758-1] libgd2 security update
2016-12-22 15:05:17
kaspersky
kaspersky
KLA10927 Denial of service vulnerabilities in PHP
2017-01-04 00:00:00
KLA10944 Denial of service and arbitrary code execution vulnerabilities in PHP
2017-01-11 00:00:00
KLA10930 Denial of service vulnerability in PHP
2017-01-04 00:00:00
archlinux
archlinux
[ASA-201701-28] php: multiple issues
2017-01-19 00:00:00
suse
suse
Security update for php5 (important)
2016-11-21 14:06:47
veracode
veracode
Denial Of Service (DoS) Through Memory Corruption
2019-05-16 02:59:58
Null Pointer Dereference
2019-05-16 02:59:58
Use After Free
2019-05-16 02:59:59
hackerone
hackerone
Internet Bug Bounty: Use After Free Vulnerability in unserialize() with SplObjectStorage
2015-08-27 00:00:00
Internet Bug Bounty: Use After Free Vulnerability in unserialize()
2015-07-31 00:00:00
Internet Bug Bounty: Use After Free Vulnerability in unserialize() with SplDoublyLinkedList
2015-08-27 00:00:00
zdt
zdt
PHP 7.0.13 Use After Free unserialize() PoC Exploit
2016-12-13 00:00:00
ubuntu
ubuntu
PHP vulnerabilities
2017-02-14 00:00:00
PHP regression
2017-03-02 00:00:00
PHP vulnerabilities
2017-02-23 00:00:00
cloudfoundry
cloudfoundry
Multiple PHP vulnerabilities | Cloud Foundry
2017-03-17 00:00:00
thn
thn
3 Critical Zero-Day Flaws Found in PHP 7 — One Remains Unpatched!
2016-12-28 23:45:00
apple
apple
About the security content of macOS Sierra 10.12.3 - Apple Support
2017-03-28 11:17:25
About the security content of macOS Sierra 10.12.3
2017-01-23 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: php-5.6.13-1.fc21
2015-09-14 22:23:26
[SECURITY] Fedora 22 Update: php-5.6.13-1.fc22
2015-09-14 23:22:46
[SECURITY] Fedora 23 Update: php-5.6.13-1.fc23
2015-09-18 19:33:49
securityvulns
securityvulns
PHP multiple security vulnerabilities
2015-09-15 00:00:00
[SECURITY] [DSA 3358-1] php5 security update
2015-09-15 00:00:00
f5
f5
K17377 : PHP vulnerabilities CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, and CVE-2015-6838
2015-10-08 00:00:00
SOL17377 - PHP vulnerabilities CVE-2015-6834, CVE-2015-6835, CVE-2015-6836, CVE-2015-6837, and CVE-2015-6838
2015-10-08 00:00:00
gentoo
gentoo
PHP: Multiple vulnerabilities
2017-02-21 00:00:00
exploitpack
exploitpack
Kerio Control Unified Threat Management 9.1.0 build 10879.1.1 build 1324 - Multiple Vulnerabilities
2016-09-22 00:00:00
JSON
Related for ALA_ALAS-2017-788.NASL
amazon3openvas48nessus55slackware2debiancve6mageia2ibm1redhatcve5ubuntucve9prion7cve7osv10freebsd3debian10kaspersky5archlinux1suse1veracode4hackerone3zdt1ubuntu3cloudfoundry1thn1apple2fedora3securityvulns2f52gentoo1exploitpack1