Bug 1112154 – CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1112154 - (CVE-2014-3515) CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw

Summary:	CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type conf...

Status:	CLOSED ERRATA

Aliases:	CVE-2014-3515

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20140709,reported=2...
Keywords:	Security

Depends On:	1080180 1119563 1119730 1120503 1120504 1120981 1149762 1149771
Blocks:	1065838 1112155 1149858
	Show dependency tree / graph

Reported:	2014-06-23 04:55 EDT by Huzaifa S. Sidhpurwala
Modified:	2015-11-25 05:09 EST (History)
CC List:	10 users (show)

See Also:
Fixed In Version:	php 5.3.29, php 5.4.30, php 5.5.14
Doc Type:	Bug Fix
Doc Text:	A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-10-31 05:50:53 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1012	normal	SHIPPED_LIVE	Moderate: php53 and php security update	2014-08-06 05:14:44 EDT
Red Hat Product Errata	RHSA-2014:1013	normal	SHIPPED_LIVE	Moderate: php security update	2014-08-06 06:05:17 EDT
Red Hat Product Errata	RHSA-2014:1765	normal	SHIPPED_LIVE	Important: php54-php security update	2014-10-30 19:45:24 EDT
Red Hat Product Errata	RHSA-2014:1766	normal	SHIPPED_LIVE	Important: php55-php security update	2014-10-30 19:45:12 EDT

Groups: None (edit)

Description Huzaifa S. Sidhpurwala 2014-06-23 04:55:21 EDT

A type confusion vulnerability was found in the unserialize() handlers of the SPL ArrayObject and SPLObjectStorage objects. If a remote attacker is able to pass aribrary data directly to these handlers, it may be possible for them to execute arbitrary code as the user running the php application

Comment 1 Remi Collet 2014-06-25 00:59:37 EDT

UPstream commit http://git.php.net/?p=php-src.git;a=commit;h=a374dfab567ff7f0ab0dc150f14cc891b0340b47

Comment 2 Tomas Hoger 2014-07-11 02:57:28 EDT

Fixed upstream in PHP 5.4.30 and 5.5.14:

http://php.net/ChangeLog-5.php#5.4.30
http://php.net/ChangeLog-5.php#5.5.14

Comment 7 Angelo Alvarez 2014-07-15 23:01:35 EDT

Can someone update https://access.redhat.com/security/cve/CVE-2014-3515 with vulnerable product info, so we know if PHP packages form RHEL-5 and RHEL-6 are affected??

Comment 9 Vincent Danen 2014-07-17 12:18:07 EDT

Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.

Comment 11 Martin Prpič 2014-07-28 07:13:07 EDT

IssueDescription:

A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.

Comment 13 errata-xmlrpc 2014-08-06 01:15:37 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html

Comment 14 errata-xmlrpc 2014-08-06 02:06:11 EDT

This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1013 https://rhn.redhat.com/errata/RHSA-2014-1013.html

Comment 15 Tomas Hoger 2014-08-27 07:49:35 EDT

Write up of the issue from its reporter - Stefan Esser:

https://www.sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html

Comment 18 errata-xmlrpc 2014-10-30 15:46:23 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 19 errata-xmlrpc 2014-10-30 15:47:55 EDT

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Note You need to log in before you can comment on or make changes to this bug.