2170761 – (CVE-2023-0662) CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Bug 2170761 (CVE-2023-0662) - CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Summary: CVE-2023-0662 php: DoS vulnerability when parsing multipart request body

Keywords:
Status:	NEW
Alias:	CVE-2023-0662
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Nobody
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2170777 2170778 2174685 2174686 2174687 2174688 2174689
Blocks:	2170009
TreeView+	depends on / blocked

Reported:	2023-02-17 08:11 UTC by Sandipan Roy
Modified:	2024-01-24 10:53 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2023:6073	None	None	None	2023-10-24 10:36:04 UTC
Red Hat Product Errata	RHSA-2023:5926	None	None	None	2023-10-19 13:14:59 UTC
Red Hat Product Errata	RHSA-2023:5927	None	None	None	2023-10-19 13:24:32 UTC
Red Hat Product Errata	RHSA-2024:0387	None	None	None	2024-01-24 10:53:31 UTC

Description Sandipan Roy 2023-02-17 08:11:56 UTC

In PHP 8.0.X before 8.0.28, 8.1.X before 8.1.16 and 8.2.X before 8.2.3, excessive number of parts in HTTP form upload can cause high resource consumption and excessive number of log entries. This can cause denial of service on the affected server by exhausting CPU resources or disk space.

https://github.com/php/php-src/security/advisories/GHSA-54hq-v5wp-fqgv

Comment 1 Sandipan Roy 2023-02-17 08:41:11 UTC

Created php tracking bugs for this issue:

Affects: fedora-36 [bug 2170777]
Affects: fedora-37 [bug 2170778]

Comment 6 errata-xmlrpc 2023-10-19 13:14:57 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5926 https://access.redhat.com/errata/RHSA-2023:5926

Comment 7 errata-xmlrpc 2023-10-19 13:24:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5927 https://access.redhat.com/errata/RHSA-2023:5927

Comment 8 Ben 2024-01-10 13:08:57 UTC

Is there going to be a fix for Red Hat Enterprise Linux 9 running php:8.1/php, please?

Comment 9 errata-xmlrpc 2024-01-24 10:53:30 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0387 https://access.redhat.com/errata/RHSA-2024:0387

Note You need to log in before you can comment on or make changes to this bug.