CVE-2014-3515
Published 2014-07-09
Priority: P2 (65, high) · CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) · EXPLOIT · EPSS: 30.13% (98.0th percentile)
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| php | php | < 5.3.29 | 5.3.29 |
| php | php | >= 5.4.0 < 5.4.30 | 5.4.30 |
| php | php | >= 5.5.0 < 5.5.14 | 5.5.14 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.3 | 5.5.9+dfsg-1ubuntu4.3 |
Detection & IOCs (extracted from sources)
- Detect CVE-2014-3515 exploitation attempts by inspecting POST bodies for serialized SplObjectStorage payloads containing the 'C:16:"SplObjectStorage"' token combined with embedded object type confusion markers (e.g. a double-precision float near zero, raw byte sequences).
- Monitor POST requests to set.php and GET requests to contentLoader.php with arbitrary k_securityHash values (any non-empty string bypasses the CSRF check), especially when the body contains serialized PHP data structures targeting SplObjectStorage or ArrayObject.
- Alert on unserialize() calls in PHP applications receiving attacker-controlled input where the serialized string encodes the SPLObjectStorage or ArrayObject class types, as these are the two affected classes for CVE-2014-3515.
- Flag PHP versions below 5.4.30 or 5.5.x below 5.5.14 running internet-facing applications that call unserialize() on user-supplied data, as these are the vulnerable version ranges for CVE-2014-3515.
- The exploit payload targeting Kerio Control uses hardcoded offsets specific to one binary build; it will not work against other versions or builds without modification.
- CVE-2014-3515 did not affect PHP as shipped with Red Hat Enterprise Linux 5.
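As an added example (not part of this record or of any of the quoted advisories), the following Python script turns the two detection items above into runnable logic: it scans request bodies for serialized-object tokens naming the two affected SPL classes, and it checks a PHP version string against the upstream vulnerable ranges. The function names, the `triage` event shape and the sample events are constructed for this example; the 5.3.x boundary (fixed in 5.3.29) is taken from the Affected table on this page rather than from the NVD text.

```python
import re
from typing import Dict, List, Tuple

# Classes named in the CVE-2014-3515 description as affected by the type confusion.
AFFECTED_CLASSES = {"splobjectstorage", "arrayobject"}

# PHP serialized objects: O:<len>:"<Class>":... (standard form) or
# C:<len>:"<Class>":<len>:{...} (custom form, used by SPL classes in PHP 5.x).
_CLASS_TOKEN = re.compile(rb'\b([OC]):(\d+):"([A-Za-z0-9_\\]+)"')


def find_spl_tokens(body: bytes) -> List[Dict[str, object]]:
    """Return every serialized-object token in body whose class is an affected SPL class."""
    hits = []
    for m in _CLASS_TOKEN.finditer(body):
        kind, declared_len, name = m.group(1).decode(), int(m.group(2)), m.group(3).decode()
        if name.lower() in AFFECTED_CLASSES:
            hits.append({
                "kind": kind,
                "class": name,
                "offset": m.start(),
                # A declared length that disagrees with the class name means the token
                # was not produced by PHP's serializer; keep that for the analyst.
                "length_ok": declared_len == len(name),
            })
    return hits


def parse_php_version(version: str) -> Tuple[int, int, int]:
    """Reduce strings such as '5.5.9+dfsg-1ubuntu4.3' to (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PHP version: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def php_version_vulnerable(version: str) -> bool:
    """Upstream ranges for CVE-2014-3515: 5.3.x < 5.3.29, 5.4.x < 5.4.30, 5.5.x < 5.5.14.

    Caveat: distributions that backport the fix keep the old upstream number
    (Ubuntu's fixed package is 5.5.9+dfsg-1ubuntu4.3), so for distro packages
    compare against the vendor advisory, not against these upstream ranges.
    """
    v = parse_php_version(version)
    if v < (5, 4, 0):
        return v < (5, 3, 29)   # boundary from the Affected table above (assumption)
    if v < (5, 5, 0):
        return v < (5, 4, 30)
    if v < (5, 6, 0):
        return v < (5, 5, 14)
    return False


def triage(events):
    """events: iterable of (method, path, body, php_version) tuples (constructed shape).

    Reports POST requests carrying affected-class tokens; severity is raised to
    'high' when the serving PHP version falls inside the vulnerable range.
    """
    findings = []
    for method, path, body, php_version in events:
        if method != "POST":
            continue
        tokens = find_spl_tokens(body)
        if not tokens:
            continue
        findings.append({
            "path": path,
            "classes": sorted({t["class"] for t in tokens}),
            "severity": "high" if php_version_vulnerable(php_version) else "medium",
        })
    return findings


# Constructed sample traffic: one benign login, two bodies carrying serialized
# SPL objects, and a GET that is ignored by the POST-only rule.
SAMPLE_EVENTS = [
    ("POST", "/login.php", b"user=alice&pass=secret", "5.5.14"),
    ("POST", "/api/import.php",
     b'data=C:16:"SplObjectStorage":23:{x:i:1;O:8:"stdClass":0:{};;m:a:0:{}}', "5.5.13"),
    ("POST", "/api/import.php",
     b'cfg=O:11:"ArrayObject":4:{i:0;i:0;i:1;a:0:{}i:2;i:0;i:3;N;}', "5.6.0"),
    ("GET", "/index.php", b"", "5.4.29"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The token match is deliberately broad (both `O:` and `C:` forms, case-insensitive class name) so that a payload that avoids the exact `C:16:"SplObjectStorage"` string is still surfaced; the version check only refines severity, because a request that feeds serialized SPL objects to unserialize() is worth a look on any PHP version.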
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
Red Hat
php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
vendor_redhat · 2014-07-09 · CVSS 7.5 · CVE-2014-3515 [HIGH] · CWE-843
A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running
Ubuntu
PHP vulnerabilities
vendor_ubuntu · 2014-07-09 · CVSS 6.5 · CVE-2014-0207 [MEDIUM]
Summary: Several security issues were fixed in PHP.
Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. (CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487)
Stefan Esser discovered that PHP incorrectly handled unserializing SPL extension objects. An attacker could use this issue to execute arbitrary code. (CVE-2014-3515)
It was discovered that PHP incorrectly handled certain SPL Iterators. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2014-4670)
It was discovered that PHP incorrectly handled certain ArrayIterators. An attacker could us
GHSA
GHSA-x775-rjw6-fgf2: The SPL component in PHP before 5
ghsa_unreviewed · 2022-05-17 · CVE-2014-3515 [HIGH]
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
OSV
CVE-2014-3515: The SPL component in PHP before 5
osv · 2014-07-09 · CVSS 7.5 · CVE-2014-3515 [HIGH]
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
OSV
php5 vulnerabilities
osv · 2014-07-09 · CVSS 6.5 · CVE-2014-0207 [MEDIUM]
Francisco Alonso discovered that the PHP Fileinfo component incorrectly handled certain CDF documents. A remote attacker could use this issue to cause PHP to hang or crash, resulting in a denial of service. (CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487)
Stefan Esser discovered that PHP incorrectly handled unserializing SPL extension objects. An attacker could use this issue to execute arbitrary code. (CVE-2014-3515)
It was discovered that PHP incorrectly handled certain SPL Iterators. An attacker could use this issue to cause PHP to crash, resulting in a denial of service. (CVE-2014-4670)
It was discovered that PHP incorrectly handled certain ArrayIterators. An attacker could use this issue to cause PHP to crash, resulting in a denial o
No detection rules found.
arXiv
Towards Vulnerability Discovery Using Staged Program Analysis
arxiv_fulltext · 2016-04-06
Bhargava Shastry (1), Fabian Yamaguchi (2), Konrad Rieck (2), Jean-Pierre Seifert (1)
(1) Security in Telecommunications, TU Berlin, Germany
(2) Institute of System Security, TU Braunschweig, Germany
## Abstract
Eliminating vulnerabilities from low-level code is vital for securing software. Static analysis is a promising approach for discovering vulnerabilities since it can provide developers early feedback on the code they write. But, it presents multiple challenges not the least of which is understanding what makes a bug exploitable and conveying this information to the developer. In this paper, we present the design and implementation of a practical vulnerability assessment framework, called . performs data and control flow analysis to diagnos
Bugzilla
CVE-2014-3515 php: unserialize() SPL ArrayObject / SPLObjectStorage type confusion flaw
bugzilla · 2014-06-23 · CVSS 7.5 · CVE-2014-3515 [HIGH]
A type confusion vulnerability was found in the unserialize() handlers of the SPL ArrayObject and SPLObjectStorage objects. If a remote attacker is able to pass arbitrary data directly to these handlers, it may be possible for them to execute arbitrary code as the user running the php application
Discussion:
Upstream commit http://git.php.net/?p=php-src.git;a=commit;h=a374dfab567ff7f0ab0dc150f14cc891b0340b47
---
Fixed upstream in PHP 5.4.30 and 5.5.14:
http://php.net/ChangeLog-5.php#5.4.30
http://php.net/ChangeLog-5.php#5.5.14
---
Can someone update https://access.redhat.com/security/cve/CVE-2014-3515 with vulnerable product info, so we know if PHP packages from RHEL-5 and RHEL-6 are affected?
Tenable
[R6] SecurityCenter Affected by Multiple Third-party Library Vulnerabilities
blogs_tenable · 2014-07-16
References
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=88223c5245e9b470e1e6362bfd96829562ffe6ab
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.html
- http://marc.info/?l=bugtraq&m=141017844705317&w=2
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- http://rhn.redhat.com/errata/RHSA-2014-1766.html
- http://secunia.com/advisories/59794
- http://secunia.com/advisories/59831
- http://secunia.com/advisories/60998
- http://support.apple.com/kb/HT6443
- http://www-01.ibm.com/support/docview.wss?uid=swg21683486
- http://www.debian.org/security/2014/dsa-2974
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://www.php.net/ChangeLog-5.php
- http://www.securityfocus.com/bid/68237
- https://bugs.php.net/bug.php?id=67492