Description
The remote host is affected by the vulnerability described in GLSA-202209-20 (PHP: Multiple Vulnerabilities)
  - In PHP versions 7.3.x up to and including 7.3.31, 7.4.x below 7.4.25 and 8.0.x below 8.0.12, when running PHP FPM SAPI with the main FPM daemon process running as root and child worker processes running as lower-privileged users, it is possible for the child processes to access memory shared with the main process and write to it, modifying it in a way that would cause the root process to conduct invalid memory reads and writes, which can be used to escalate privileges from a local unprivileged user to the root user. (CVE-2021-21703)
  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using the Firebird PDO driver extension, a malicious database server could cause crashes in various database functions, such as getAttribute(), execute(), fetch() and others, by returning invalid response data that is not parsed correctly by the driver. This can result in crashes, denial of service or potentially memory corruption. (CVE-2021-21704)
  - In PHP versions 7.3.x below 7.3.29, 7.4.x below 7.4.21 and 8.0.x below 8.0.8, when using URL validation functionality via the filter_var() function with the FILTER_VALIDATE_URL parameter, a URL with an invalid password field can be accepted as valid. This can lead to the code incorrectly parsing the URL and potentially to other security implications, such as contacting a wrong server or making a wrong access decision. (CVE-2021-21705)
  - In PHP versions 7.4.x below 7.4.28, 8.0.x below 8.0.16, and 8.1.x below 8.1.3, when using filter functions with the FILTER_VALIDATE_FLOAT filter and min/max limits, if the filter fails, there is a possibility to trigger use of allocated memory after free, which can result in crashes, and potentially in overwrite of other memory chunks and RCE. This issue affects code that uses FILTER_VALIDATE_FLOAT with min/max limits. (CVE-2021-21708)
  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the Postgres database extension, supplying invalid parameters to a parametrized query may lead to PHP attempting to free memory using uninitialized data as pointers. This could lead to an RCE vulnerability or denial of service. (CVE-2022-31625)
  - In PHP versions 7.4.x below 7.4.30, 8.0.x below 8.0.20, and 8.1.x below 8.1.7, when using the pdo_mysql extension with the mysqlnd driver, if a third party is allowed to supply the host to connect to and the password for the connection, a password of excessive length can trigger a buffer overflow in PHP, which can lead to a remote code execution vulnerability. (CVE-2022-31626)
  - In PHP versions 8.1.x below 8.1.8, when using fileinfo functions, such as finfo_buffer, due to an incorrect patch applied to the third-party code from libmagic, an incorrect function may be used to free allocated memory, which may lead to heap corruption. (CVE-2022-31627)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
All PHP 7.4 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose ">=dev-lang/php-7.4.30:7.4"
All PHP 8.0 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose ">=dev-lang/php-8.0.23:8.0"
All PHP 8.1 users should upgrade to the latest version:
          # emerge --sync
          # emerge --ask --oneshot --verbose ">=dev-lang/php-8.1.8:8.1"
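Because the plugin relies only on the self-reported version, the result can be confirmed on the host by comparing each installed dev-lang/php version against the per-slot fixed versions listed above. The script below is an added example, not part of the advisory or the Nessus plugin; the helper names `ver_ge` and `php_glsa_status` and the sample versions are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: classify a dev-lang/php version against the fixed versions
# this advisory lists per slot (7.4.30, 8.0.23, 8.1.8).
# ver_ge and php_glsa_status are hypothetical helper names, not Portage tools.

# ver_ge A B: succeed when dotted version A >= B, comparing fields numerically
# (so 8.1.10 is correctly newer than 8.1.8).
ver_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        fa=${a%%.*}; fb=${b%%.*}
        [ "$a" = "$fa" ] && a='' || a=${a#*.}
        [ "$b" = "$fb" ] && b='' || b=${b#*.}
        fa=${fa:-0}; fb=${fb:-0}
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
    done
    return 0
}

# php_glsa_status VERSION: print fixed, vulnerable, no-fix-listed or invalid.
php_glsa_status() {
    v=${1#dev-lang/php-}          # accept a full package atom as well
    v=${v%-r[0-9]*}               # drop a Gentoo ebuild revision such as -r1
    case $v in
        ''|*[!0-9.]*) echo invalid; return 2 ;;   # e.g. _rc suffixes: check by hand
    esac
    case $v in
        7.4.*) fixed=7.4.30 ;;
        8.0.*) fixed=8.0.23 ;;
        8.1.*) fixed=8.1.8 ;;
        *) echo no-fix-listed; return 3 ;;        # slot has no upgrade target above
    esac
    if ver_ge "$v" "$fixed"; then
        echo fixed
    else
        echo "vulnerable (need >=$fixed)"
    fi
}

# Constructed sample versions; pass the installed versions as arguments instead.
[ $# -gt 0 ] || set -- 7.3.31 7.4.29 7.4.30-r1 8.0.22 8.1.10
for ver in "$@"; do
    printf '%s\t%s\n' "$ver" "$(php_glsa_status "$ver")"
done
```

A slot reported as no-fix-listed (for example 7.3) has no upgrade target in the Solution section, so moving to a listed slot is the only remediation the advisory offers.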
Plugin Details
File Name: gentoo_GLSA-202209-20.nasl
Supported Sensors: Nessus
Risk Information
Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:gentoo:linux, p-cpe:/a:gentoo:linux:php
Required KB Items: Host/local_checks_enabled, Host/Gentoo/release, Host/Gentoo/qpkg-list
Exploit Ease: Exploits are available
Patch Publication Date: 9/29/2022
Vulnerability Publication Date: 7/22/2021