Bug 1112154 (CVE-2014-3515) - CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
Summary: CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type conf...
Status: CLOSED ERRATA
Alias: CVE-2014-3515
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,public=20140709,reported=2...
Keywords: Security
Depends On: 1080180 1119563 1119730 1120503 1120504 1120981 1149762 1149771
Blocks: 1065838 1112155 1149858
TreeView+ depends on / blocked
 
Reported: 2014-06-23 08:55 UTC by Huzaifa S. Sidhpurwala
Modified: 2018-12-09 18:01 UTC (History)
10 users (show)

Fixed In Version: php 5.3.29, php 5.4.30, php 5.5.14
Doc Type: Bug Fix
Doc Text:
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-31 09:50:53 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:1012 normal SHIPPED_LIVE Moderate: php53 and php security update 2014-08-06 09:14:44 UTC
Red Hat Product Errata RHSA-2014:1013 normal SHIPPED_LIVE Moderate: php security update 2014-08-06 10:05:17 UTC
Red Hat Product Errata RHSA-2014:1765 normal SHIPPED_LIVE Important: php54-php security update 2014-10-30 23:45:24 UTC
Red Hat Product Errata RHSA-2014:1766 normal SHIPPED_LIVE Important: php55-php security update 2014-10-30 23:45:12 UTC

Description Huzaifa S. Sidhpurwala 2014-06-23 08:55:21 UTC
A type confusion vulnerability was found in the unserialize() handlers of the SPL ArrayObject and SPLObjectStorage objects. If a remote attacker is able to pass aribrary data directly to these handlers, it may be possible for them to execute arbitrary code as the user running the php application

Comment 2 Tomas Hoger 2014-07-11 06:57:28 UTC
Fixed upstream in PHP 5.4.30 and 5.5.14:

http://php.net/ChangeLog-5.php#5.4.30
http://php.net/ChangeLog-5.php#5.5.14

Comment 7 Angelo Alvarez 2014-07-16 03:01:35 UTC
Can someone update https://access.redhat.com/security/cve/CVE-2014-3515 with vulnerable product info, so we know if PHP packages form RHEL-5 and RHEL-6 are affected??

Comment 9 Vincent Danen 2014-07-17 16:18:07 UTC
Statement:

This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.

Comment 11 Martin Prpič 2014-07-28 11:13:07 UTC
IssueDescription:

A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.

Comment 13 errata-xmlrpc 2014-08-06 05:15:37 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6
  Red Hat Enterprise Linux 5

Via RHSA-2014:1012 https://rhn.redhat.com/errata/RHSA-2014-1012.html

Comment 14 errata-xmlrpc 2014-08-06 06:06:11 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 7

Via RHSA-2014:1013 https://rhn.redhat.com/errata/RHSA-2014-1013.html

Comment 15 Tomas Hoger 2014-08-27 11:49:35 UTC
Write up of the issue from its reporter - Stefan Esser:

https://www.sektioneins.de/en/blog/14-08-27-unserialize-typeconfusion.html

Comment 18 errata-xmlrpc 2014-10-30 19:46:23 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1766 https://rhn.redhat.com/errata/RHSA-2014-1766.html

Comment 19 errata-xmlrpc 2014-10-30 19:47:55 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections 1 for Red Hat Enterprise Linux 7
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.5 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.4 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6.6 EUS
  Red Hat Software Collections 1 for Red Hat Enterprise Linux 6

Via RHSA-2014:1765 https://rhn.redhat.com/errata/RHSA-2014-1765.html


Note You need to log in before you can comment on or make changes to this bug.