CVE-2014-3515
First published: Wed Jul 09 2014(Updated: )
The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP | <5.3.29 | |
| PHP | >=5.4.0<5.4.30 | |
| PHP | >=5.5.0<5.5.14 | |
| Debian GNU/Linux | =7.0 | |
| Debian GNU/Linux | =8.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.php.net/?p=php-src.git;a=commit;h=88223c5245e9b470e1e6362bfd96829562ffe6ab
- http://lists.opensuse.org/opensuse-updates/2014-09/msg00046.html
- http://marc.info/?l=bugtraq&m=141017844705317&w=2
- http://rhn.redhat.com/errata/RHSA-2014-1765.html
- http://rhn.redhat.com/errata/RHSA-2014-1766.html
- http://secunia.com/advisories/59794
- http://secunia.com/advisories/59831
- http://secunia.com/advisories/60998
- http://support.apple.com/kb/HT6443
- http://www-01.ibm.com/support/docview.wss?uid=swg21683486
- http://www.debian.org/security/2014/dsa-2974
- http://www.oracle.com/technetwork/topics/security/bulletinjan2015-2370101.html
- http://www.php.net/ChangeLog-5.php
- http://www.securityfocus.com/bid/68237
- https://bugs.php.net/bug.php?id=67492
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=88223c5245e9b470e1e6362bfd96829562ffe6ab
Frequently Asked Questions
What is the severity of CVE-2014-3515?
CVE-2014-3515 has a high severity rating due to its potential to allow arbitrary code execution.
How do I fix CVE-2014-3515?
To fix CVE-2014-3515, update PHP to versions 5.4.30, 5.5.14 or later.
Which versions of PHP are affected by CVE-2014-3515?
CVE-2014-3515 affects PHP versions before 5.4.30 and 5.5.x before 5.5.14.
Can CVE-2014-3515 be exploited remotely?
Yes, CVE-2014-3515 can be exploited remotely by attackers through crafted strings.
Is CVE-2014-3515 specific to certain operating systems?
CVE-2014-3515 is known to affect PHP on various platforms, including Debian GNU/Linux.
- agent/type
- agent/remedy
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/references
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/description
- agent/source
- agent/softwarecombine
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/php
- canonical/php
- version/php/5.4.0
- version/php/5.5.0
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/7.0
- version/debian gnu/linux/8.0