Bug 2098521 (CVE-2022-31625) - CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE
Summary: CVE-2022-31625 php: Uninitialized array in pg_query_params() leading to RCE
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31625
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2098529 2098531 2098532 2098533 2098534 2100755 2117141
Blocks: 2097923
Reported: 2022-06-20 04:41 UTC by TEJ RATHI
Modified: 2022-11-15 10:35 UTC

Fixed In Version: php 7.4.30, php 8.0.20, php 8.1.7
Doc Text:
A vulnerability was found in PHP due to an uninitialized array in the pg_query_params() function. When using the Postgres database extension, supplying invalid parameters to a parameterized query may lead to PHP attempting to free memory, using uninitialized data as pointers. This flaw allows a remote attacker with the ability to control query parameters to execute arbitrary code on the system or cause a denial of service.
Clone Of:
Environment:
Last Closed: 2022-07-04 15:42:41 UTC
Embargoed:




Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHBA-2022:5493  0        None      None    None     2022-07-04 11:38:20 UTC
Red Hat Product Errata  RHSA-2022:5491  0        None      None    None     2022-07-04 07:43:18 UTC
Red Hat Product Errata  RHSA-2022:6158  0        None      None    None     2022-08-24 17:16:50 UTC
Red Hat Product Errata  RHSA-2022:7624  0        None      None    None     2022-11-08 09:51:35 UTC
Red Hat Product Errata  RHSA-2022:8197  0        None      None    None     2022-11-15 10:35:35 UTC

Description TEJ RATHI 2022-06-20 04:41:10 UTC
In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to the parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service.

References:
https://bugs.php.net/bug.php?id=81720
https://github.com/php/php-src/commit/55f6895f4b4c677272fd4ee1113acdbd99c4b5ab
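
The bug class described above (an error path that frees array slots which were never written), shown as an added C example of a safe cleanup pattern; it is not part of this bug report and not PHP's source code. All names (param_in, build_params, free_params) and the sample input are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for one query parameter:
 * 's' = string, 'n' = SQL NULL, 'x' = value that cannot be converted. */
struct param_in { char kind; const char *text; };

/* Release only the first `filled` slots; later slots were never written. */
static void free_params(char **params, size_t filled)
{
    for (size_t i = 0; i < filled; i++)
        free(params[i]);                 /* free(NULL) is a no-op */
    free(params);
}

/* Returns an n-entry array, or NULL if an input is invalid.
 * *freed reports how many slots the error path released. */
char **build_params(const struct param_in *in, size_t n, size_t *freed)
{
    /* calloc zeroes every slot, so a cleanup that wrongly walked all n
     * entries would meet NULL rather than stale heap bytes. */
    char **params = calloc(n ? n : 1, sizeof *params);
    *freed = 0;
    if (!params)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        if (in[i].kind == 'n')
            continue;                    /* slot stays NULL */
        size_t len = in[i].kind == 's' ? strlen(in[i].text) + 1 : 0;
        if (len == 0 || !(params[i] = malloc(len))) {
            free_params(params, i);      /* i slots written so far, not n */
            *freed = i;
            return NULL;
        }
        memcpy(params[i], in[i].text, len);
    }
    return params;
}

int main(void)
{
    /* Constructed input: the second parameter is invalid. */
    struct param_in bad[] = { {'s', "1"}, {'x', NULL}, {'s', "3"} };
    size_t freed;
    char **p = build_params(bad, 3, &freed);
    printf("result=%s, slots released=%zu\n", p ? "ok" : "rejected", freed);
    return 0;
}
```

Building this with -fsanitize=address and feeding it mixed valid and invalid inputs is a quick way to confirm that an error path never touches unwritten slots.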

Comment 1 Sandipan Roy 2022-06-20 05:02:41 UTC
Created php tracking bugs for this issue:

Affects: fedora-all [bug 2098529]

Comment 4 errata-xmlrpc 2022-07-04 07:43:16 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:5491 https://access.redhat.com/errata/RHSA-2022:5491

Comment 5 Product Security DevOps Team 2022-07-04 15:42:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31625

Comment 8 errata-xmlrpc 2022-08-24 17:16:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6158 https://access.redhat.com/errata/RHSA-2022:6158

Comment 9 errata-xmlrpc 2022-11-08 09:51:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7624 https://access.redhat.com/errata/RHSA-2022:7624

Comment 10 errata-xmlrpc 2022-11-15 10:35:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8197 https://access.redhat.com/errata/RHSA-2022:8197

