CVSS2

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Authentication | SINGLE |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | COMPLETE |
Vector | AV:N/AC:L/Au:S/C:N/I:N/A:C |

CVSS3

Metric | Value |
---|---|
Attack Vector | NETWORK |
Attack Complexity | LOW |
Privileges Required | LOW |
User Interaction | NONE |
Scope | UNCHANGED |
Confidentiality Impact | NONE |
Integrity Impact | NONE |
Availability Impact | HIGH |
Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |

EPSS

Metric | Value |
---|---|
Percentile | 78.2% |

An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before
7.2.8, and before 7.1.20. The php-fpm master process restarts a child
process in an endless loop when using program execution functions (e.g.,
passthru, exec, shell_exec, or system) with a non-blocking STDIN stream,
causing this master process to consume 100% of the CPU, and consume disk
space with a large volume of error logs, as demonstrated by an attack by a
customer of a shared-hosting facility.
Author | Note |
---|---|
leosilva | in 7.0 the upstream patch caused a regression according to upstream; that is possibly the missing patch: https://github.com/php/php-src/commit/cc5c51e7f0732067f105d13c6d355fcab5965c2f |
rodrigo-zaiden | php7.0 for xenial was released with above patch. |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 14.04 | noarch | php5 | < 5.5.9+dfsg-1ubuntu4.29+esm10 | UNKNOWN |
ubuntu | 16.04 | noarch | php7.0 | < 7.0.33-0ubuntu0.16.04.16+esm3 | UNKNOWN |
ubuntu | 18.04 | noarch | php7.2 | < 7.2.10-0ubuntu0.18.04.1 | UNKNOWN |
ubuntu | 18.10 | noarch | php7.2 | < 7.2.10-0ubuntu1 | UNKNOWN |
ubuntu | 19.04 | noarch | php7.2 | < 7.2.10-0ubuntu1 | UNKNOWN |
launchpad.net/bugs/cve/CVE-2015-9253
nvd.nist.gov/vuln/detail/CVE-2015-9253
security-tracker.debian.org/tracker/CVE-2015-9253
ubuntu.com/security/notices/USN-3766-1
ubuntu.com/security/notices/USN-4279-1
ubuntu.com/security/notices/USN-4279-2
ubuntu.com/security/notices/USN-5300-1
www.cve.org/CVERecord?id=CVE-2015-9253
www.futureweb.at/Futureweb-OG-php-fpm-master-process-restarts-child-process-in-a_pid,54177,type,firmeninfo.html