CVE-2019-11043
8.7
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N
Summary
In PHP versions 7.1.x below 7.1.33, 7.2.x below 7.2.24 and 7.3.x below 7.3.11 in certain configurations of FPM setup it is possible to cause FPM module to write past allocated buffers into the space reserved for FCGI protocol data, thus opening the possibility of remote code execution.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| PHP | PHP | 7.1.x < 7.1.33 | affected |
| PHP | PHP | 7.2.x < 7.2.24 | affected |
| PHP | PHP | 7.3.x < 7.3.11 | affected |
Weaknesses
- CWE-120: CWE-120 Buffer Overflow
Workarounds
Configuring nginx (or other server that implements the front-end part of the FPM protocol) to check for the existence of the target file before passing it to PHP FPM (e.g. "try_files $uri =404" or "if (-f $uri)" in nginx) for would prevent this vulnerability from happening.
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/neex/phuip-fpizdam
- https://bugs.php.net/bug.php?id=78599
- https://usn.ubuntu.com/4166-1/
- https://www.debian.org/security/2019/dsa-4552
- https://www.debian.org/security/2019/dsa-4553
- https://usn.ubuntu.com/4166-2/
- https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
- https://security.netapp.com/advisory/ntap-20191031-0003/
- https://access.redhat.com/errata/RHSA-2019:3286
- https://access.redhat.com/errata/RHSA-2019:3287
- https://access.redhat.com/errata/RHSA-2019:3299
- https://access.redhat.com/errata/RHSA-2019:3300
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
- https://access.redhat.com/errata/RHSA-2019:3724
- https://access.redhat.com/errata/RHSA-2019:3735
- https://access.redhat.com/errata/RHSA-2019:3736
- https://www.synology.com/security/advisory/Synology_SA_19_36
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
- https://support.apple.com/kb/HT210919
- https://seclists.org/bugtraq/2020/Jan/44
- http://seclists.org/fulldisclosure/2020/Jan/40
- https://access.redhat.com/errata/RHSA-2020:0322
- http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
- https://www.tenable.com/security/tns-2021-14
CISA ADP Vulnrichment
- SSVC:
- Exploitation: active
- Automatable: no
- Technical Impact: total
Additional References
References
- https://github.com/neex/phuip-fpizdam
- https://bugs.php.net/bug.php?id=78599
- https://usn.ubuntu.com/4166-1/
- https://www.debian.org/security/2019/dsa-4552
- https://www.debian.org/security/2019/dsa-4553
- https://usn.ubuntu.com/4166-2/
- https://support.f5.com/csp/article/K75408500?utm_source=f5support&%3Butm_medium=RSS
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/T62LF4ZWVV7OMMIZFO6IFO5QLZKK7YRD/
- https://security.netapp.com/advisory/ntap-20191031-0003/
- https://access.redhat.com/errata/RHSA-2019:3286
- https://access.redhat.com/errata/RHSA-2019:3287
- https://access.redhat.com/errata/RHSA-2019:3299
- https://access.redhat.com/errata/RHSA-2019:3300
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3W23TP6X4H7LB645FYZLUPNIRD5W3EPU/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FSNBUSPKMLUHHOADROKNG5GDWDCRHT5M/
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00011.html
- https://access.redhat.com/errata/RHSA-2019:3724
- https://access.redhat.com/errata/RHSA-2019:3735
- https://access.redhat.com/errata/RHSA-2019:3736
- https://www.synology.com/security/advisory/Synology_SA_19_36
- http://lists.opensuse.org/opensuse-security-announce/2019-11/msg00014.html
- https://support.apple.com/kb/HT210919
- https://seclists.org/bugtraq/2020/Jan/44
- http://seclists.org/fulldisclosure/2020/Jan/40
- https://access.redhat.com/errata/RHSA-2020:0322
- http://packetstormsecurity.com/files/156642/PHP-FPM-7.x-Remote-Code-Execution.html
- https://www.tenable.com/security/tns-2021-14
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.