CVE-2016-7480
Published: 2017-01-11
Priority: P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 41.56% (98.5th percentile)
The SplObjectStorage unserialize implementation in ext/spl/spl_observer.c in PHP before 7.0.12 does not verify that a key is an object, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access) via crafted serialized data.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| php | php | >= 7.0.0 < 7.0.11 | 7.0.11 |
| php5 | php5 | >= 0 < 5.5.9+dfsg-1ubuntu4.20 | 5.5.9+dfsg-1ubuntu4.20 |
Detection & IOCs (extracted from sources)
- Trigger vector is crafted serialized data reaching SplObjectStorage::unserialize() where a key is not an object; monitor for deserialization of untrusted input reaching SplObjectStorage in PHP < 7.0.12.
- Flag use of PHP's unserialize() on untrusted/remote input, particularly when SplObjectStorage objects are involved; the vulnerability is in the unserialize implementation of SplObjectStorage.
- Affected PHP versions are before 7.0.12; Red Hat marked all affected packages (php on RHEL 5/6/7, php53, rh-php56-php, rh-php70-php, OpenShift Enterprise 2) as 'Will not fix', so patching via upstream PHP 7.0.12+ is the remediation path.
- The vulnerability is specifically in the SplObjectStorage unserialize path; PHP's unserialize() on untrusted data is broadly unsafe beyond this CVE due to object instantiation and autoloading side-effects.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| osv | | 9.8 | CRITICAL | |
| vendor_redhat | | 9.8 | CRITICAL | |
GHSA
GHSA-35p7-xqgq-2gx7 · ghsa_unreviewed · 2022-05-14 · CRITICAL · CWE-119
OSV
CVE-2016-7480 · osv · 2017-01-11 · CVSS 9.8 · CRITICAL
Red Hat
php: Use of uninitialized value in SplObjectStorage::unserialize
vendor_redhat · 2016-10-06 · CVSS 9.8 · CRITICAL · CWE-456
Package: php (Red Hat Enterprise Linux 5) - Will not fix
Package: php53 (Red Hat Enterprise Linux 5) - Will not fix
Package: php (Red Hat Enterprise Linux 6) - Will not fix
Package: php (Red Hat Enterprise Linux 7) - Will not fix
Package: php (Red Hat OpenShift Enterprise 2) - Will not fix
Package: rh-php56-php (Red Hat Software Collections) - Will not fix
Package: rh-php70-php (Red Hat Software Collections) - Will not fix
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-7480 php: Use of uninitialized value in SplObjectStorage::unserialize
bugzilla · 2017-01-25 · CVSS 9.8 · CRITICAL
Upstream bug:
https://bugs.php.net/bug.php?id=73257
Upstream patch:
https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4
External References:
http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7/
Discussion:
This issue happens when untrusted input is being unserialized which is documented as being insecure. Unserialization can result in
arXiv
Static Detection of Uninitialized Stack Variables in Binary Code
arxiv_fulltext · 2020-07-05
Behrad Garmany, Martin Stoffel, Robert Gawlik, Thorsten Holz
Horst Görtz Institute for IT-Security (HGI), Ruhr-Universität Bochum, Germany
firstname.lastname@rub.de
## Abstract
More than two decades after the first stack smashing attacks, memory
corruption vulnerabilities utilizing stack anomalies are still prevalent and
play an important role in practice. Among such vulnerabilities, uninitialized
variables play an exceptional role due to their unpleasant property of
unpredictability: as compilers are tailored to operate fast, costly
interprocedural analysis procedures are not used in practice to detect such
vulnerabilities. As a result, comple
References
http://blog.checkpoint.com/2016/12/27/check-point-discovers-three-zero-day-vulnerabilities-web-programming-language-php-7
http://blog.checkpoint.com/wp-content/uploads/2016/12/PHP_Technical_Report.pdf
http://php.net/ChangeLog-7.php
http://www.securityfocus.com/bid/95152
https://bugs.php.net/bug.php?id=73257
https://github.com/php/php-src/commit/61cdd1255d5b9c8453be71aacbbf682796ac77d4
https://security.netapp.com/advisory/ntap-20180112-0001/
https://www.youtube.com/watch?v=LDcaPstAuPk