CVE-2019-11048: Temporary files are not cleaned after OOM when parsing HTTP request data
First published: Mon May 11 2020(Updated: )
A flaw was found in PHP under a non-default configuration, where it was vulnerable to integer wraparounds during the reception of a multipart POST request. This flaw allows a remote attacker to repeatedly crash PHP and fill the filesystem with temporary PHP files, resulting in a denial of service.
Credit: security@php.net security@php.net
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/rh-php73-php | <0:7.3.20-1.el7 | 0:7.3.20-1.el7 |
| PHP PHP | >=7.2.0<7.2.31 | |
| PHP PHP | >=7.3.0<7.3.18 | |
| PHP PHP | >=7.4.0<7.4.6 | |
| PHP PHP | <7.2.31 | 7.2.31 |
| redhat/php | <7.3.18 | 7.3.18 |
| redhat/php | <7.2.31 | 7.2.31 |
| redhat/php | <7.4.6 | 7.4.6 |
| ubuntu/php5 | <5.5.9+dfsg-1ubuntu4.29+ | 5.5.9+dfsg-1ubuntu4.29+ |
| ubuntu/php7.0 | <7.0.33-0ubuntu0.16.04.15 | 7.0.33-0ubuntu0.16.04.15 |
| ubuntu/php7.2 | <7.2.24-0ubuntu0.18.04.6 | 7.2.24-0ubuntu0.18.04.6 |
| ubuntu/php7.2 | <7.2.31 | 7.2.31 |
| ubuntu/php7.3 | <7.3.11-0ubuntu0.19.10.6 | 7.3.11-0ubuntu0.19.10.6 |
| ubuntu/php7.3 | <7.3.18 | 7.3.18 |
| ubuntu/php7.4 | <7.4.3-4ubuntu2.2 | 7.4.3-4ubuntu2.2 |
| ubuntu/php7.4 | <7.4.6 | 7.4.6 |
| debian/php7.4 | 7.4.33-1+deb11u5 |
Remedy
Ensure that `post_max_size` is set to a value less than 2GB, or remains default.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2019-11048 https://nvd.nist.gov/vuln/detail/CVE-2019-11048
- https://bugzilla.redhat.com/show_bug.cgi?id=1837842
- https://access.redhat.com/errata/RHSA-2020:3662
- https://access.redhat.com/errata/RHSA-2020:5275
- https://access.redhat.com/security/cve/cve-2019-11048
- https://bugs.php.net/78875
- https://bugs.php.net/78876
- https://github.com/php/php-src/commit/f43041250f82ed69bd4575655984fbfc842da266
- https://github.com/php/php-src/commit/1c9bd513ac5c7c1d13d7f0dfa7c16a7ad2ce0f87
- https://github.com/php/php-src/commit/a3924ab6542a358a3099de992b63b932a9570add
- https://security-tracker.debian.org/tracker/CVE-2019-11048
- http://lists.opensuse.org/opensuse-security-announce/2020-06/msg00045.html
- https://bugs.php.net/bug.php?id=78875
- https://bugs.php.net/bug.php?id=78876
- https://lists.debian.org/debian-lts-announce/2020/06/msg00033.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/
- https://security.netapp.com/advisory/ntap-20200528-0006/
- https://usn.ubuntu.com/4375-1/
- https://www.debian.org/security/2020/dsa-4717
- https://www.debian.org/security/2020/dsa-4719
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuoct2020.html
- https://www.tenable.com/security/tns-2021-14
- https://www.php.net/ChangeLog-7.php#7.2.31 (Advisory)
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1837843
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OBA3TFZSP3TB5N4G24SO6BI64RJZXE3D/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XMDUQ7XFONY3BWTAQQUD3QUGZT6NFZUF/
- https://ubuntu.com/security/notices/USN-4375-1
- https://www.cve.org/CVERecord?id=CVE-2019-11048
- https://nvd.nist.gov/vuln/detail/CVE-2019-11048
- https://launchpad.net/bugs/cve/CVE-2019-11048
- https://github.com/microsoft/php-src/commit/a41cbed4532cc4d3d2fd1a8fa1a4ace5bdfcafc9#diff-eb2caada78cc7ed9dbeabe07d25eecf4
- https://ubuntu.com/security/CVE-2019-11048
Frequently Asked Questions
What is CVE-2019-11048?
CVE-2019-11048 is a vulnerability in PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, and 7.4.x below 7.4.6 that could allow memory allocation errors when handling overly long filenames or field names in HTTP file uploads.
How does CVE-2019-11048 affect PHP?
CVE-2019-11048 affects PHP versions 7.2.x below 7.2.31, 7.3.x below 7.3.18, and 7.4.x below 7.4.6 when HTTP file uploads are allowed.
What is the severity of CVE-2019-11048?
The severity rating of CVE-2019-11048 is high with a CVSS severity score of 7.5.
How can I fix CVE-2019-11048?
To fix CVE-2019-11048, you should update your PHP installation to version 7.2.31, 7.3.18, or 7.4.6 depending on the affected version range.
Where can I find more information about CVE-2019-11048?
You can find more information about CVE-2019-11048 on the official PHP bug tracker and Red Hat Bugzilla.
- collector/redhat-cve
- collector/nvd-index
- agent/type
- collector/php-changelog
- source/PHP
- agent/software-canonical-lookup
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-11048
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/last-modified-date
- agent/severity
- agent/first-publish-date
- collector/usn-cve
- source/Ubuntu
- agent/references
- agent/remedy
- agent/description
- collector/launchpad-cve
- source/Launchpad
- collector/security-tracker-debian
- source/Debian
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- agent/trending
- package-manager/redhat
- vendor/php
- canonical/php php
- version/php php/7.2.0
- version/php php/7.3.0
- version/php php/7.4.0
- package-manager/ubuntu
- package-manager/debian