CVE-2015-9253
First published: Mon Feb 19 2018(Updated: )
An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| PHP PHP | <7.1.20 | |
| PHP PHP | >=7.2.0<7.2.8 | |
| PHP PHP | =7.3.0-alpha1 | |
| PHP PHP | =7.3.0-alpha2 | |
| debian/php5 | ||
| debian/php7.0 | ||
| debian/php7.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://bugs.php.net/bug.php?id=70185
- https://bugs.php.net/bug.php?id=73342https://github.com/php/php-src/pull/3287
- https://bugs.php.net/bug.php?id=75968
- https://github.com/php/php-src/blob/PHP-7.1.20/NEWS#L20-L22
- https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8
- https://usn.ubuntu.com/3766-1/
- https://usn.ubuntu.com/4279-1/
- https://www.futureweb.at/security/CVE-2015-9253/
- https://launchpad.net/bugs/cve/CVE-2015-9253
- https://bugs.php.net/bug.php?id=73342
- https://security-tracker.debian.org/tracker/CVE-2015-9253
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9253
- https://nvd.nist.gov/vuln/detail/CVE-2015-9253
- https://ubuntu.com/security/CVE-2015-9253
Frequently Asked Questions
What is CVE-2015-9253?
CVE-2015-9253 is a vulnerability discovered in PHP versions 7.3.x, 7.2.x, and 7.1.x that causes the php-fpm master process to restart a child process in an endless loop when using program execution functions with a non-blocking STDIN stream.
What is the severity of CVE-2015-9253?
CVE-2015-9253 has a severity score of 6.5, which is considered medium.
Which versions of PHP are affected by CVE-2015-9253?
PHP versions 7.3.x, 7.2.x, and 7.1.x are affected by CVE-2015-9253.
How can I fix the CVE-2015-9253 vulnerability?
To fix the CVE-2015-9253 vulnerability, you should update PHP to version 7.3.0alpha3, 7.2.8, or 7.1.20, depending on the affected version.
Where can I find more information about CVE-2015-9253?
You can find more information about CVE-2015-9253 at the following references: [https://bugs.php.net/bug.php?id=70185](https://bugs.php.net/bug.php?id=70185), [https://bugs.php.net/bug.php?id=75968](https://bugs.php.net/bug.php?id=75968), [https://www.futureweb.at/security/CVE-2015-9253/](https://www.futureweb.at/security/CVE-2015-9253/)
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/description
- agent/severity
- agent/weakness
- agent/remedy
- agent/references
- collector/security-tracker-debian
- source/Debian
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/event
- collector/usn-cve
- source/Ubuntu
- vendor/php
- canonical/php php
- version/php php/7.2.0
- version/php php/7.3.0-alpha1
- version/php php/7.3.0-alpha2
- package-manager/debian