First published: Sat Dec 29 2018
An issue was discovered in PHP 7.x before 7.1.26, 7.2.x before 7.2.14, and 7.3.x before 7.3.2. dns_get_record misparses a DNS response, which can allow a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data. This affects php_parserr in ext/standard/dns.c for DNS_CAA and DNS_ANY queries.
Credit: cve@mitre.org
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/rh-php71-php | <0:7.1.30-1.el7 | 0:7.1.30-1.el7 |
redhat/rh-php72-php | <0:7.2.24-1.el7 | 0:7.2.24-1.el7 |
PHP PHP | >=7.0.0<7.1.26 | |
PHP PHP | >=7.2.0<7.2.14 | |
PHP PHP | >=7.3.0<7.3.2 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
Canonical Ubuntu Linux | =12.04 | |
Canonical Ubuntu Linux | =14.04 | |
Canonical Ubuntu Linux | =16.04 | |
Netapp Storage Automation Store | ||
PHP PHP | <7.1.26 | 7.1.26 |
redhat/php | <7.1.26 | 7.1.26 |
redhat/php | <7.2.14 | 7.2.14 |
redhat/php | <7.3.1 | 7.3.1 |
debian/php5 | ||
debian/php7.0 | ||
debian/php7.3 | ||
The vulnerability ID is CVE-2019-9022.
The severity of CVE-2019-9022 is high, with a severity value of 7.5.
PHP versions before 7.1.26, 7.2.14, and 7.3.2 are affected.
CVE-2019-9022 allows a hostile DNS server to cause PHP to misuse memcpy, leading to read operations going past the buffer allocated for DNS data.
Yes, updating PHP to version 7.1.26, 7.2.14, or 7.3.2 will fix the vulnerability.
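The advisory does not show the flawed lines in php_parserr, so the following is an added example, not PHP's code or its patch: a generic bounds-checked parser for CAA RDATA (RFC 8659 layout) that validates every length taken from the response before calling memcpy. The names `parse_caa_rdata`, `struct caa_record` and the `CAA_VALUE_MAX` cap are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define CAA_VALUE_MAX 1024  /* cap chosen for this example */

struct caa_record {
    uint8_t flags;
    char tag[256];                 /* tag length is one octet, so <= 255 */
    char value[CAA_VALUE_MAX + 1];
    size_t value_len;
};

/* Parse one CAA RDATA (RFC 8659 layout: flags, tag length, tag, value).
 * msg/msg_len is the buffer actually received; off and rdlength come from
 * the response and are untrusted. Returns 0, or -1 instead of over-reading. */
int parse_caa_rdata(const uint8_t *msg, size_t msg_len, size_t off,
                    uint16_t rdlength, struct caa_record *out)
{
    /* The declared RDATA must lie inside what was received. */
    if (off > msg_len || rdlength > msg_len - off)
        return -1;
    if (rdlength < 2)              /* flags octet + tag-length octet */
        return -1;
    const uint8_t *rd = msg + off;
    size_t tag_len = rd[1];
    /* The tag must be non-empty and fit inside the RDATA. */
    if (tag_len == 0 || tag_len > (size_t)rdlength - 2)
        return -1;
    size_t value_len = (size_t)rdlength - 2 - tag_len;
    if (value_len > CAA_VALUE_MAX)
        return -1;
    out->flags = rd[0];
    memcpy(out->tag, rd + 2, tag_len);
    out->tag[tag_len] = '\0';
    memcpy(out->value, rd + 2 + tag_len, value_len);
    out->value[value_len] = '\0';
    out->value_len = value_len;
    return 0;
}

int main(void)
{
    /* Constructed sample: flags 0, tag "issue", value "ca.test". */
    const uint8_t rd[] = {0, 5, 'i','s','s','u','e','c','a','.','t','e','s','t'};
    struct caa_record r;
    /* The honest length parses; an inflated rdlength is refused. */
    return !(parse_caa_rdata(rd, sizeof rd, 0, (uint16_t)sizeof rd, &r) == 0 &&
             parse_caa_rdata(rd, sizeof rd, 0, 200, &r) == -1);
}
```

Every copy length is derived from `rdlength` only after `rdlength` itself has been checked against the bytes actually received, so a response that lies about its sizes is rejected rather than read past the buffer.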