CVE-2014-8142
Published 2014-12-20
PriorityP266high7.5CVSS 2.0
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 53.17% (98.8th percentile)
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
Affected
62 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | <= 5.4.36 | — |
| php | php | <= 5.4.35 | — |
| php | php | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability is triggered via a crafted unserialize() call exploiting improper handling of duplicate numerical keys within serialized object properties; monitor PHP applications accepting serialized user input via unserialize().
- In eFront 3.6.15, the vulnerable injection point is the 'transfered' GET parameter passed to professor.php?ctg=copy, which is directly passed to unserialize() without sanitization.
- The vulnerable code path is process_nested_data() in ext/standard/var_unserializer.re; PHP versions before 5.4.36, 5.5.20, and 5.6.4 are affected. PHP >= 5.3.9 and < 5.3.3 are also potentially affected.
- Crash signature in GDB: SIGSEGV in zend_get_class_entry() called from object_common2() in var_unserializer.c, triggered by php_var_unserialize() / zif_unserialize(); useful for confirming exploitation attempts in crash dumps.
- PHP versions shipped with Red Hat Enterprise Linux 5 and 6, and php53 on RHEL5, are NOT affected by CVE-2014-8142.
- The process_nested_data() function is exposed in Tenable SecurityCenter only to authenticated users, reducing the remote attack surface in that product.
- The eFront 3.6.15 exploitation requires authentication as a Professor role; unauthenticated exploitation is not demonstrated.
- The upstream fix for CVE-2014-8142 was incomplete; CVE-2015-0231 was assigned to the incomplete fix, and both must be addressed together.
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv10.0CRITICAL
vendor_redhat10.0CRITICAL
vendor_ubuntu7.5HIGH
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2015-02-17·CVSS 7.5
CVE-2014-8142 [HIGH] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
Stefan Esser discovered that PHP incorrectly handled unserializing objects.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2014-8142,
CVE-2015-0231)
Brian Carpenter discovered that the PHP CGI component incorrectly handled
invalid files. A local attacker could use this issue to obtain sensitive
information, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)
It was discovered that PHP incorrectly handled certain pascal strings in
the fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This
Red Hat
php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
vendor_redhat·2015-01-01·CVSS 7.5
CVE-2015-0231 [HIGH] CWE-416 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
A use-after-free flaw was found in the way PHP's unserialize() function processed data. If a remote attacker was able to pass crafted input to PHP's unserialize() function, they could cause the PHP interpreter to crash or, possibly, execute arbitrary code.
Statement: This iss
Red Hat
php: use after free vulnerability in unserialize()
vendor_redhat·2014-12-18·CVSS 10.0
CVE-2014-8142 [CRITICAL] CWE-416 php: use after free vulnerability in unserialize()
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
A flaw was discovered in the way PHP performed object unserialization. Specially crafted input processed by the unserialize() function could cause a PHP application to crash or, possibly, execute arbitrary code.
Statement: This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5 and 6 or the versions of php53 as shipped
GHSA
GHSA-mq7m-72cj-7m7m: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
ghsa_unreviewed·2022-05-17·CVSS 10.0
CVE-2014-8142 [CRITICAL] GHSA-mq7m-72cj-7m7m: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
GHSA
GHSA-5394-7mcx-63pv: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
ghsa_unreviewed·2022-05-17·CVSS 7.5
CVE-2015-0231 [HIGH] GHSA-5394-7mcx-63pv: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
OSV
php5 vulnerabilities
osv·2015-02-17·CVSS 7.5
CVE-2014-8142 [HIGH] php5 vulnerabilities
Stefan Esser discovered that PHP incorrectly handled unserializing objects.
A remote attacker could use this issue to cause PHP to crash, resulting in
a denial of service, or possibly execute arbitrary code. (CVE-2014-8142,
CVE-2015-0231)
Brian Carpenter discovered that the PHP CGI component incorrectly handled
invalid files. A local attacker could use this issue to obtain sensitive
information, or possibly execute arbitrary code. This issue only affected
Ubuntu 14.04 LTS and Ubuntu 14.10. (CVE-2014-9427)
It was discovered that PHP incorrectly handled certain pascal strings in
the fileinfo extension. A remote attacker could possibly use this issue to
cause PHP to crash, resulting in a denial of service. This issue only
affected Ubuntu 14.04 LTS and Ubuntu 14.10. (CV
OSV
CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
osv·2015-01-27·CVSS 7.5
CVE-2015-0231 [HIGH] CVE-2015-0231: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate numerical keys within the serialized properties of an object. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-8142.
OSV
CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
osv·2014-12-20·CVSS 10.0
CVE-2014-8142 [CRITICAL] CVE-2014-8142: Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer
Use-after-free vulnerability in the process_nested_data function in ext/standard/var_unserializer.re in PHP before 5.4.36, 5.5.x before 5.5.20, and 5.6.x before 5.6.4 allows remote attackers to execute arbitrary code via a crafted unserialize call that leverages improper handling of duplicate keys within the serialized properties of an object, a different vulnerability than CVE-2004-1019.
No detection rules found.
Bugzilla
CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
bugzilla·2015-01-23·CVSS 7.5
CVE-2015-0231 [HIGH] CVE-2015-0231 php: use after free vulnerability in unserialize() (incomplete fix of CVE-2014-8142)
It was discovered that the fix for CVE-2014-8142 (use after free vulnerability in unserialize(), see bug 1175718) was incomplete.
Upstream bug:
https://bugs.php.net/bug.php?id=68710
Upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=b585a3aed7880a5fa5c18e2b838fc96f40e075bd
Discussion:
Fixed upstream in PHP 5.6.5, 5.5.21, and 5.4.37:
http://php.net/ChangeLog-5.php#5.6.5
http://php.net/ChangeLog-5.php#5.5.21
http://php.net/ChangeLog-5.php#5.4.37
---
When will updated package for php-5.3.3 in RHEL6 release?
---
As for CVE-2014-8142, PHP 5.3 is not affected by this vulnerability.
---
(this is not redhat system below)
PHP 5.3.3 may not be affected, but my PHP 5.3.29 do
Bugzilla
CVE-2014-8142 php: use after free vulnerability in unserialize() [fedora-all]
bugzilla·2014-12-19·CVSS 7.5
CVE-2014-8142 [HIGH] CVE-2014-8142 php: use after free vulnerability in unserialize() [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of
Bugzilla
CVE-2014-8142 php: use after free vulnerability in unserialize()
bugzilla·2014-12-18·CVSS 7.5
CVE-2014-8142 [HIGH] CVE-2014-8142 php: use after free vulnerability in unserialize()
A use-after-free flaw was found in PHP unserialize(). An untrusted input could cause PHP interpreter to crash or, possibly, execute arbitrary code when processed using unserialize().
Upstream bug (currently private):
https://bugs.php.net/bug.php?id=68594
Upstream commit:
http://git.php.net/?p=php-src.git;a=commitdiff;h=630f9c33c23639de85c3fd306b209b538b73b4c9
http://git.php.net/?p=php-src.git;a=commitdiff;h=53f129a44d3c4ec0fae57993b9ae2f6cb48973cc
Note that unserialize() is unsafe for use on untrusted inputs, as is documented in the PHP manual for the function:
http://php.net/manual/en/function.unserialize.php
Discussion:
Statement:
This issue did not affect the versions of php as shipped with Red Hat Enterprise Lin
Tenable
[R5] Tenable Products Affected by PHP < 5.5.21 / 5.4.37 Vulnerabilities
blogs_tenable·2015-02-03
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=630f9c33c23639de85c3fd306b209b538b73b4c9
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00029.html
http://lists.opensuse.org/opensuse-updates/2015-02/msg00079.html
http://marc.info/?l=bugtraq&m=143403519711434&w=2
http://marc.info/?l=bugtraq&m=143748090628601&w=2
http://marc.info/?l=bugtraq&m=144050155601375&w=2
http://php.net/ChangeLog-5.php
http://rhn.redhat.com/errata/RHSA-2015-1053.html
http://rhn.redhat.com/errata/RHSA-2015-1066.html
http://rhn.redhat.com/errata/RHSA-2015-1135.html
http://www.debian.org/security/2014/dsa-3117
http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/71791
https://bugs.php.net/bug.php?id=68594
https://bugzilla.redhat.com/show_bug.cgi?id=1175718
https://security.gentoo.org/glsa/201503-03