A type confusion issue was found in the SPL ArrayObject and SPLObjectStorage classes' unserialize() method. A remote attacker able to submit specially crafted input to a PHP application, which would then unserialize this input using one of the aforementioned methods, could use this flaw to execute arbitrary code with the privileges of the user running that PHP application.
Find out more about CVE-2014-3515 from the MITRE CVE dictionary dictionary and NIST NVD.
This issue did not affect the versions of php as shipped with Red Hat Enterprise Linux 5.
| Base Score | 5.1 |
|---|---|
| Base Metrics | AV:N/AC:H/Au:N/C:P/I:P/A:P |
| Access Vector | Network |
| Access Complexity | High |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | Partial |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 5 (php53) | RHSA-2014:1012 | 2014-08-06 |
| Red Hat Enterprise Linux 6 (php) | RHSA-2014:1012 | 2014-08-06 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 (php55-php) | RHSA-2014:1766 | 2014-10-30 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 6 (php54-php) | RHSA-2014:1765 | 2014-10-30 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 (php54-php) | RHSA-2014:1765 | 2014-10-30 |
| Red Hat Software Collections 1 for Red Hat Enterprise Linux 7 (php55-php) | RHSA-2014:1766 | 2014-10-30 |
| Red Hat Enterprise Linux 7 (php) | RHSA-2014:1013 | 2014-08-06 |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 5 | php | Not affected |
Vulmon