CVE-2015-9253

Ubuntu Security Notice USN-5300-1

Severity Score

6.5

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

An issue was discovered in PHP 7.3.x before 7.3.0alpha3, 7.2.x before 7.2.8, and before 7.1.20. The php-fpm master process restarts a child process in an endless loop when using program execution functions (e.g., passthru, exec, shell_exec, or system) with a non-blocking STDIN stream, causing this master process to consume 100% of the CPU, and consume disk space with a large volume of error logs, as demonstrated by an attack by a customer of a shared-hosting facility.

Se ha descubierto un problema en PHP en versiones 7.3.x anteriores a la 7.3.0alpha3, versiones 7.2.x anteriores a la 7.2.8 y anteriores a la 7.1.20. El proceso maestro php-fpm reinicia un proceso hijo en un bucle infinito cuando se utilizan funciones de ejecución de programas (por ejemplo, passthru, exec, shell_exec o system) con un flujo non-blocking-STDIN y consumir el espacio del disco con un gran volumen de logs de error, tal y como queda demostrado con un ataque a un cliente de una instalación de alojamiento compartido.

USN-4279-1 fixed vulnerabilities in PHP. The updated packages caused a regression. This update fixes the problem. It was discovered that PHP incorrectly handled certain scripts. An attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 ESM, Ubuntu 14.04 ESM and Ubuntu 16.04 LTS. It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to expose sensitive information. It was discovered that PHP incorrectly handled certain inputs. An attacker could possibly use this issue to execute arbitrary code. This issue only affected Ubuntu 14.04 ESM, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS and Ubuntu 19.10. Various other issues were also addressed.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2018-02-19 CVE Reserved
2018-02-19 CVE Published
2024-08-06 CVE Updated
2024-08-06 First Exploit
2025-05-04 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (8)

URL	Tag	Source
https://github.com/php/php-src/blob/PHP-7.1.20/NEWS#L20-L22	Third Party Advisory

URL	Date	SRC
https://bugs.php.net/bug.php?id=70185	2024-08-06
https://bugs.php.net/bug.php?id=73342https://github.com/php/php-src/pull/3287	2024-08-06
https://bugs.php.net/bug.php?id=75968	2024-08-06
https://www.futureweb.at/security/CVE-2015-9253	2024-08-06

URL	Date	SRC
https://github.com/php/php-src/commit/69dee5c732fe982c82edb17d0dbc3e79a47748d8	2020-02-19

URL	Date	SRC
https://usn.ubuntu.com/3766-1	2020-02-19
https://usn.ubuntu.com/4279-1	2020-02-19

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				< 7.1.20 Search vendor "Php" for product "Php" and version " < 7.1.20"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				>= 7.2.0 < 7.2.8 Search vendor "Php" for product "Php" and version " >= 7.2.0 < 7.2.8"		-		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				7.3.0 Search vendor "Php" for product "Php" and version "7.3.0"		alpha1		Affected
Php Search vendor "Php"		Php Search vendor "Php" for product "Php"				7.3.0 Search vendor "Php" for product "Php" and version "7.3.0"		alpha2		Affected