1112154 – (CVE-2014-3515) CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw

Bug 1112154 (CVE-2014-3515) - CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw

Summary: CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type conf...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2014-3515
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	low
Severity:	low
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1080180 1119563 1119730 1120503 1120504 1120981 1149762 1149771
Blocks:	1065838 1112155 1149858
TreeView+	depends on / blocked

Reported:	2014-06-23 08:55 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-02-17 06:27 UTC (History)
CC List:	10 users (show)
Fixed In Version:	php 5.3.29, php 5.4.30, php 5.5.14
Doc Type:	Bug Fix
Doc Text:	A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
Clone Of:
Environment:
Last Closed:	2014-10-31 09:50:53 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2014:1012	normal	SHIPPED_LIVE	Moderate: php53 and php security update	2014-08-06 09:14:44 UTC
Red Hat Product Errata	RHSA-2014:1013	normal	SHIPPED_LIVE	Moderate: php security update	2014-08-06 10:05:17 UTC
Red Hat Product Errata	RHSA-2014:1765	normal	SHIPPED_LIVE	Important: php54-php security update	2014-10-30 23:45:24 UTC
Red Hat Product Errata	RHSA-2014:1766	normal	SHIPPED_LIVE	Important: php55-php security update	2014-10-30 23:45:12 UTC

Description Huzaifa S. Sidhpurwala 2014-06-23 08:55:21 UTC

A type confusion vulnerability was found in the unserialize() handlers of the SPL ArrayObject and SPLObjectStorage objects. If a remote attacker is able to pass aribrary data directly to these handlers, it may be possible for them to execute arbitrary code as the user running the php application

Comment 1 Remi Collet 2014-06-25 04:59:37 UTC

UPstream commit http://git.php.net/?p=php-src.git;a=commit;h=a374dfab567ff7f0ab0dc150f14cc891b0340b47

Comment 2 Tomas Hoger 2014-07-11 06:57:28 UTC

Fixed upstream in PHP 5.4.30 and 5.5.14:

http://php.net/ChangeLog-5.php#5.4.30
http://php.net/ChangeLog-5.php#5.5.14

Comment 7 Angelo Alvarez 2014-07-16 03:01:35 UTC

Can someone update https://access.redhat.com/security/cve/CVE-2014-3515 with vulnerable product info, so we know if PHP packages form RHEL-5 and RHEL-6 are affected??

Comment 9 Vincent Danen 2014-07-17 16:18:07 UTC

Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.

Comment 11 Martin Prpič 2014-07-28 11:13:07 UTC

IssueDescription:

A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.

Comment 13 errata-xmlrpc 2014-08-06 05:15:37 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html

Comment 14 errata-xmlrpc 2014-08-06 06:06:11 UTC

This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1013 https://rhn.redhat.com/errata/RHSA-2014-1013.html

Comment 15 Tomas Hoger 2014-08-27 11:49:35 UTC

Write up of the issue from its reporter - Stefan Esser:

https://www.sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html

Comment 18 errata-xmlrpc 2014-10-30 19:46:23 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 19 errata-xmlrpc 2014-10-30 19:47:55 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html

Note You need to log in before you can comment on or make changes to this bug.