Bug 2170761 (CVE-2023-0662)
Summary: | CVE-2023-0662 php: DoS vulnerability when parsing multipart request body | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sandipan Roy <saroy> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | ben.argyle, hhorak, jcadmus, jorton, kyoshida, rcollet |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: |
A vulnerability was found in PHP. This security flaw occurs when the request body parsing in PHP allows any unauthenticated attacker to consume a large amount of CPU time and trigger excessive logging. A large amount of CPU time required for processing requests can block all available worker processes and significantly delay or slow the processing of legitimate user requests. The large volume of warning messages can wear down the disk and fill it up. A complete denial of service is achievable by sending many concurrent multipart requests in a loop. PHP parses the request body before invoking any application scripts. This vulnerability affects all PHP websites that accept POST request bodies (post_max_size set to a value greater than zero, the default value is 8MB).
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | Type: | --- | |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2170777, 2170778, 2174685, 2174686, 2174687, 2174688, 2174689 | ||
Bug Blocks: | 2170009 |
Description
Sandipan Roy
2023-02-17 08:11:56 UTC
Created php tracking bugs for this issue: Affects: fedora-36 [bug 2170777] Affects: fedora-37 [bug 2170778] This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:5926 https://access.redhat.com/errata/RHSA-2023:5926 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:5927 https://access.redhat.com/errata/RHSA-2023:5927 Is there going to be a fix for Red Hat Enterprise Linux 9 running php:8.1/php, please? This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2024:0387 https://access.redhat.com/errata/RHSA-2024:0387 |