CVE-2016-3141
Published 2016-03-31
Priority P354 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 35.44% (98.2th percentile)
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
Affected
23 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | <= 10.11.4 | — |
| apple | os_x_el_capitan_v10.11.5_and_security_update_2016-003 | — | — |
| php | php | <= 5.5.32 | — |
| php | php | — | — |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.16 | 5.5.9+dfsg-1ubuntu4.16 |
Detection & IOCs
- Trigger condition is a call to wddx_deserialize() on XML data containing a crafted var element; monitor for wddx_deserialize invocations on untrusted/remote input.
- Vulnerable code resides in wddx.c within the WDDX extension (php-xml subpackage); systems without php-xml / wddx.so loaded are not affected. Check for the presence of wddx.so in loaded PHP extensions.
- Reproducer available at the upstream PHP bug tracker; useful for validating detection rules against known-malicious XML payloads.
- Mitigation: disable the WDDX extension by commenting out 'extension=wddx.so' in wddx.ini; the php.d directory location varies by deployment.
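CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
| vendor_ubuntu | — | 4.3 | MEDIUM | — |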
Ubuntu
PHP regression
vendor_ubuntu·2016-04-27·CVSS 4.3
CVE-2014-9767 [MEDIUM] PHP regression
Title: PHP regression
Summary: USN-2952-1 caused a regression in PHP.
USN-2952-1 fixed vulnerabilities in PHP. One of the backported patches
caused a regression in the PHP Soap client. This update fixes the problem.
We apologize for the inconvenience.
Original advisory details:
It was discovered that the PHP Zip extension incorrectly handled
directories when processing certain zip files. A remote attacker could
possibly use this issue to create arbitrary directories. (CVE-2014-9767)
It was discovered that the PHP Soap client incorrectly validated data
types. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-8835, CVE-2016-3185)
It was discovered that the PHP MySQL native driver incorrectly ha
Ubuntu
PHP vulnerabilities
vendor_ubuntu·2016-04-21·CVSS 4.3
CVE-2014-9767 [MEDIUM] PHP vulnerabilities
Title: PHP vulnerabilities
Summary: Several security issues were fixed in PHP.
It was discovered that the PHP Zip extension incorrectly handled
directories when processing certain zip files. A remote attacker could
possibly use this issue to create arbitrary directories. (CVE-2014-9767)
It was discovered that the PHP Soap client incorrectly validated data
types. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-8835, CVE-2016-3185)
It was discovered that the PHP MySQL native driver incorrectly handled TLS
connections to MySQL databases. A machine-in-the-middle attacker could possibly
use this issue to downgrade and snoop on TLS connections. This
vulnerability is known as BACKRONYM. (CVE-2015-883
Red Hat
php: Use after free in WDDX Deserialize when processing XML data
vendor_redhat·2016-02-14·CVSS 9.8
CVE-2016-3141 [CRITICAL] CWE-416 php: Use after free in WDDX Deserialize when processing XML data
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php54-php (Red Hat Software Collections) - Will not fix
Package: php55-php (Red Hat Software Collections) - Will not fix
Apple
CVE-2016-3141: OS X El Capitan v10.11.5 and Security Update 2016-003
vendor_apple·CVSS 9.8
CVE-2016-3141 [CRITICAL] CVE-2016-3141: OS X El Capitan v10.11.5 and Security Update 2016-003
Apple Security Update: About the security content of OS X El Capitan v10.11.5 and Security Update 2016-003
Product: OS X El Capitan v10.11.5 and Security Update 2016-003
CVE: CVE-2016-3141
Component: CVE-2016-3141
GHSA
GHSA-29c3-272h-2rcq: Use-after-free vulnerability in wddx
ghsa_unreviewed·2022-05-14
CVE-2016-3141 [CRITICAL] CWE-119 GHSA-29c3-272h-2rcq: Use-after-free vulnerability in wddx
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
OSV
php5 vulnerabilities
osv·2016-04-21·CVSS 4.3
CVE-2014-9767 [MEDIUM] php5 vulnerabilities
It was discovered that the PHP Zip extension incorrectly handled
directories when processing certain zip files. A remote attacker could
possibly use this issue to create arbitrary directories. (CVE-2014-9767)
It was discovered that the PHP Soap client incorrectly validated data
types. A remote attacker could use this issue to cause PHP to crash,
resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2015-8835, CVE-2016-3185)
It was discovered that the PHP MySQL native driver incorrectly handled TLS
connections to MySQL databases. A machine-in-the-middle attacker could possibly
use this issue to downgrade and snoop on TLS connections. This
vulnerability is known as BACKRONYM. (CVE-2015-8838)
It was discovered that PHP incorrectly handled the imag
OSV
CVE-2016-3141: Use-after-free vulnerability in wddx
osv·2016-03-31·CVSS 9.8
CVE-2016-3141 [CRITICAL] CVE-2016-3141: Use-after-free vulnerability in wddx
Use-after-free vulnerability in wddx.c in the WDDX extension in PHP before 5.5.33 and 5.6.x before 5.6.19 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact by triggering a wddx_deserialize call on XML data containing a crafted var element.
No detection rules found.
No public exploits indexed.
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=b1bd4119bcafab6f9a8f84d92cd65eec3afeface
- http://lists.apple.com/archives/security-announce/2016/May/msg00004.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00052.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00056.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00057.html
- http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00058.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2016-3090566.html
- http://www.securityfocus.com/bid/84271
- http://www.securitytracker.com/id/1035255
- http://www.ubuntu.com/usn/USN-2952-1
- http://www.ubuntu.com/usn/USN-2952-2
- https://bugs.php.net/bug.php?id=71587
- https://php.net/ChangeLog-5.php
- https://support.apple.com/HT206567