Ubuntu.comUB:CVE-2015-9253CVE-2015-9253
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C
0.006 Low
EPSS
Percentile
77.9%
An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before
7.2.8, and before 7.1.20. The php-fpm master process restarts a child
process in an endless loop when using program execution functions (e.g.,
passthru, exec, shell_exec, or system) with a non-blocking STDIN stream,
causing this master process to consume 100% of the CPU, and consume disk
space with a large volume of error logs, as demonstrated by an attack by a
customer of a shared-hosting facility.
Bugs
- <https://bugs.php.net/bug.php?id=70185 (php 5.4)>
- <https://bugs.php.net/bug.php?id=75968 (php 7.2)>
- <https://bugs.php.net/bug.php?id=73342>
- <https://bugs.launchpad.net/ubuntu/+source/php7.0/+bug/1863850 (regression)>
Notes
| Author | Note |
|---|---|
| leosilva | in 7.0 upstream patch caused a regression according with upstream that is the possible the missing patch: https://github.com/php/php-src/commit/cc5c51e7f0732067f105d13c6d355fcab5965c2f |
| rodrigo-zaiden | php7.0 for xenial was released with above patch. |
| OS | Version | Architecture | Package | Version | Filename |
|---|---|---|---|---|---|
| ubuntu | 14.04 | noarch | php5 | < 5.5.9+dfsg-1ubuntu4.29+esm10) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
| ubuntu | 16.04 | noarch | php7.0 | < 7.0.33-0ubuntu0.16.04.16+esm3) Available with Ubuntu Pro or Ubuntu Pro (Infra-only | UNKNOWN |
| ubuntu | 18.04 | noarch | php7.2 | < 7.2.10-0ubuntu0.18.04.1 | UNKNOWN |
| ubuntu | 18.10 | noarch | php7.2 | < 7.2.10-0ubuntu1 | UNKNOWN |
| ubuntu | 19.04 | noarch | php7.2 | < 7.2.10-0ubuntu1 | UNKNOWN |
References
launchpad.net/bugs/cve/CVE-2015-9253
nvd.nist.gov/vuln/detail/CVE-2015-9253
security-tracker.debian.org/tracker/CVE-2015-9253
ubuntu.com/security/notices/USN-3766-1
ubuntu.com/security/notices/USN-4279-1
ubuntu.com/security/notices/USN-4279-2
ubuntu.com/security/notices/USN-5300-1
www.cve.org/CVERecord?id=CVE-2015-9253
www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html
Related
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:N/I:N/A:C
0.006 Low
EPSS
Percentile
77.9%