Synology-SA-18:20 PHP
Publish Time: 2018-05-02 15:30:27 UTC+8
Last Updated: 2019-12-24 14:29:23 UTC+8
- Severity: Important
- Status: Resolved
Abstract
A vulnerability allows remote attackers to execute arbitrary code via a susceptible version of PHP 5.6, PHP 7.0 or DSM 5.2.
Affected Products
Product | Severity | Fixed Release Availability |
---|---|---|
PHP 5.6 | Important | Upgrade to 5.6.36-0056 or above. |
PHP 7.0 | Important | Upgrade to 7.0.30-0026 or above. |
DSM 5.2 | Important | Upgrade to DSM 6.0 or above and install PHP 5.6. |
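To check installed Synology PHP packages against the fixed releases in the table above, the following added example (not Synology's code) parses package versions of the form `5.6.36-0056` and compares them with the advisory's fixed versions; the inventory at the bottom is constructed sample data.

```python
# Added example (not Synology code): check installed Synology PHP package
# versions against the fixed releases in Synology-SA-18:20.
import re
from typing import Tuple

# Fixed releases from the advisory's Affected Products table. DSM 5.2 has no
# fixed PHP package: the advisory's remedy is to upgrade to DSM 6.0 or above.
FIXED = {
    "PHP 5.6": "5.6.36-0056",
    "PHP 7.0": "7.0.30-0026",
}

# Synology package version: upstream major.minor.patch, then a dash and a
# Synology build number (leading zeros are cosmetic, so compare as integers).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)-(\d+)$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '5.6.36-0056' into (5, 6, 36, 56) so tuples order correctly."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synology package version: {version!r}")
    major, minor, patch, build = (int(x) for x in m.groups())
    return (major, minor, patch, build)


def is_fixed(product: str, installed: str) -> bool:
    """True when the installed package is at or above the fixed release.
    The installed version must be from the product's branch (5.6.x for
    'PHP 5.6'); another branch raises instead of giving a misleading answer."""
    if product == "DSM 5.2":
        return False  # no patched package exists for DSM 5.2
    if product not in FIXED:
        raise KeyError(f"{product} is not covered by Synology-SA-18:20")
    fixed = parse_version(FIXED[product])
    have = parse_version(installed)
    if have[:2] != fixed[:2]:
        raise ValueError(f"{installed} is not a {product} package version")
    return have >= fixed


if __name__ == "__main__":
    # Constructed inventory, not data from a real device.
    for product, installed in [("PHP 5.6", "5.6.35-0055"),
                               ("PHP 7.0", "7.0.30-0026"), ("DSM 5.2", "5.2")]:
        state = "fixed" if is_fixed(product, installed) else "AFFECTED"
        print(f"{product} {installed}: {state}")
```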
Mitigation
If you need immediate assistance, please contact security@synology.com.
Detail
- CVE-2018-10549
- Severity: Important
- CVSS3 Base Score: 7.3
- CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.
Reference
- MS-ISAC Releases Advisory on PHP Vulnerabilities
- Multiple Vulnerabilities in PHP Could Allow for Arbitrary Code Execution
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10549
Revision
Revision | Date | Description |
---|---|---|
1 | 2018-05-02 | Initial public release. |
2 | 2018-06-01 | Updates for PHP 5.6, PHP 7.0 and DSM 5.2 are now available; see Affected Products. |