cve-2015-8994
Vulnerability from cvelistv5
Published
2017-03-02 06:00
Modified
2024-08-06 08:36
Severity ?
EPSS score ?
Summary
An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode ("opcode" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script's filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user's script usually means gaining privileges to the CMS database.
References
| ▼ | URL | Tags | |
|---|---|---|---|
| cve@mitre.org | http://marc.info/?l=php-internals&m=147876797317925&w=2 | Mailing List | |
| cve@mitre.org | http://marc.info/?l=php-internals&m=147921016724565&w=2 | Mailing List | |
| cve@mitre.org | http://openwall.com/lists/oss-security/2017/02/28/1 | Mailing List | |
| cve@mitre.org | http://seclists.org/oss-sec/2016/q4/343 | Mailing List, Third Party Advisory | |
| cve@mitre.org | http://seclists.org/oss-sec/2017/q1/520 | Mailing List, Third Party Advisory | |
| cve@mitre.org | https://bugs.php.net/bug.php?id=69090 | Exploit, Issue Tracking | |
| cve@mitre.org | https://ma.ttias.be/a-better-way-to-run-php-fpm/ | Exploit, Technical Description, Third Party Advisory |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-06T08:36:31.549Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://openwall.com/lists/oss-security/2017/02/28/1"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2017/q1/520"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://marc.info/?l=php-internals\u0026m=147921016724565\u0026w=2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://ma.ttias.be/a-better-way-to-run-php-fpm/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://marc.info/?l=php-internals\u0026m=147876797317925\u0026w=2"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "http://seclists.org/oss-sec/2016/q4/343"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://bugs.php.net/bug.php?id=69090"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"datePublic": "2017-03-02T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode (\"opcode\" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script\u0027s filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user\u0027s script usually means gaining privileges to the CMS database."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-03-02T05:57:01",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "http://openwall.com/lists/oss-security/2017/02/28/1"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2017/q1/520"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://marc.info/?l=php-internals\u0026m=147921016724565\u0026w=2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://ma.ttias.be/a-better-way-to-run-php-fpm/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://marc.info/?l=php-internals\u0026m=147876797317925\u0026w=2"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "http://seclists.org/oss-sec/2016/q4/343"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://bugs.php.net/bug.php?id=69090"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2015-8994",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode (\"opcode\" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script\u0027s filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user\u0027s script usually means gaining privileges to the CMS database."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "http://openwall.com/lists/oss-security/2017/02/28/1",
"refsource": "MISC",
"url": "http://openwall.com/lists/oss-security/2017/02/28/1"
},
{
"name": "http://seclists.org/oss-sec/2017/q1/520",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2017/q1/520"
},
{
"name": "http://marc.info/?l=php-internals\u0026m=147921016724565\u0026w=2",
"refsource": "MISC",
"url": "http://marc.info/?l=php-internals\u0026m=147921016724565\u0026w=2"
},
{
"name": "https://ma.ttias.be/a-better-way-to-run-php-fpm/",
"refsource": "MISC",
"url": "https://ma.ttias.be/a-better-way-to-run-php-fpm/"
},
{
"name": "http://marc.info/?l=php-internals\u0026m=147876797317925\u0026w=2",
"refsource": "MISC",
"url": "http://marc.info/?l=php-internals\u0026m=147876797317925\u0026w=2"
},
{
"name": "http://seclists.org/oss-sec/2016/q4/343",
"refsource": "MISC",
"url": "http://seclists.org/oss-sec/2016/q4/343"
},
{
"name": "https://bugs.php.net/bug.php?id=69090",
"refsource": "MISC",
"url": "https://bugs.php.net/bug.php?id=69090"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2015-8994",
"datePublished": "2017-03-02T06:00:00",
"dateReserved": "2017-02-28T00:00:00",
"dateUpdated": "2024-08-06T08:36:31.549Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2015-8994\",\"sourceIdentifier\":\"cve@mitre.org\",\"published\":\"2017-03-02T06:59:00.167\",\"lastModified\":\"2022-08-16T13:16:57.330\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"An issue was discovered in PHP 5.x and 7.x, when the configuration uses apache2handler/mod_php or php-fpm with OpCache enabled. With 5.x after 5.6.28 or 7.x after 7.0.13, the issue is resolved in a non-default configuration with the opcache.validate_permission=1 setting. The vulnerability details are as follows. In PHP SAPIs where PHP interpreters share a common parent process, Zend OpCache creates a shared memory object owned by the common parent during initialization. Child PHP processes inherit the SHM descriptor, using it to cache and retrieve compiled script bytecode (\\\"opcode\\\" in PHP jargon). Cache keys vary depending on configuration, but filename is a central key component, and compiled opcode can generally be run if a script\u0027s filename is known or can be guessed. Many common shared-hosting configurations change EUID in child processes to enforce privilege separation among hosted users (for example using mod_ruid2 for the Apache HTTP Server, or php-fpm user settings). In these scenarios, the default Zend OpCache behavior defeats script file permissions by sharing a single SHM cache among all child PHP processes. PHP scripts often contain sensitive information: Think of CMS configurations where reading or running another user\u0027s script usually means gaining privileges to the CMS database.\"},{\"lang\":\"es\",\"value\":\"Se ha descubierto un problema en PHP 5.x y 7.x, cuando la configuraci\u00f3n utiliza apache2handler/mod_php o php-fpm con OpCache habilitado. Con 5.x despu\u00e9s de la versi\u00f3n 5.6.28 o 7.x despu\u00e9s de la versi\u00f3n 7.0.13, el problema se resuelve en una configuraci\u00f3n no predeterminada con el ajuste opcache.validate_permission=1. Los detalles de la vulnerabilidad son los siguientes. En PHP SAPIs donde los int\u00e9rpretes PHP comparten un proceso padre com\u00fan, Zend OpCache crea un objeto de memoria compartido propiedad del padre com\u00fan durante la inicializaci\u00f3n. Los procesos Child PHP heredan el descriptor SHM, us\u00e1ndolo para almacenar en cach\u00e9 y recuperar la secuencia de comandos de bytecode (\\\"opcode\\\" en jerga PHP ). Las claves de cach\u00e9 var\u00edan dependiendo de la configuraci\u00f3n, pero el nombre del archivo es un componente clave central y el c\u00f3digo de operaci\u00f3n compilado puede ejecutarse generalmente si un nombre de archivo de la secuencia de comandos es conocido o puede ser adivinado. Muchas configuraciones comunes de alojamiento compartido cambian el EUID en los procesos hijo para forzar la separaci\u00f3n de privilegios entre los usuarios invitados (por ejemplo usando mod_ruid2 para el servidor HTTP de Apache o la configuraci\u00f3n de usuario php-fpm). En estos escenarios, el comportamiento predeterminado de Zend OpCache invalida los permisos del archivo de secuencia de comandos compartiendo una sola cach\u00e9 SHM entre todos los procesos hijo PHP. Las secuencias de comandos PHP a menudo contiene informaci\u00f3n sensible: las configuraciones de Think of CMS donde leen o ejecutan las secuencias de comandos de otros usuarios generalmente significa obtener privilegios de la base de datos CMS.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\"},\"exploitabilityScore\":1.6,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:M/Au:N/C:P/I:P/A:P\",\"accessVector\":\"NETWORK\",\"accessComplexity\":\"MEDIUM\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\",\"baseScore\":6.8},\"baseSeverity\":\"MEDIUM\",\"exploitabilityScore\":8.6,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"5.0.0\",\"versionEndIncluding\":\"5.6.29\",\"matchCriteriaId\":\"0B8F76E6-7BD5-4532-B99E-25CE01A739B7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:php:php:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"7.0.0\",\"versionEndExcluding\":\"7.0.14\",\"matchCriteriaId\":\"1CEBCBE0-832F-4164-BAA8-63ACC07AF862\"}]}]}],\"references\":[{\"url\":\"http://marc.info/?l=php-internals\u0026m=147876797317925\u0026w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://marc.info/?l=php-internals\u0026m=147921016724565\u0026w=2\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://openwall.com/lists/oss-security/2017/02/28/1\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\"]},{\"url\":\"http://seclists.org/oss-sec/2016/q4/343\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"http://seclists.org/oss-sec/2017/q1/520\",\"source\":\"cve@mitre.org\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://bugs.php.net/bug.php?id=69090\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Issue Tracking\"]},{\"url\":\"https://ma.ttias.be/a-better-way-to-run-php-fpm/\",\"source\":\"cve@mitre.org\",\"tags\":[\"Exploit\",\"Technical Description\",\"Third Party Advisory\"]}]}}"
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.