Vulnerability Description
The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via an unexpected data type, related to "type confusion" issues in the (1) SoapClient::__getLastRequest, (2) SoapClient::__getLastResponse, (3) SoapClient::__getLastRequestHeaders, (4) SoapClient::__getLastResponseHeaders, (5) SoapClient::__getCookies, and (6) SoapClient::__setCookie methods.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Enterprise Linux Desktop | 7.0 |
| Redhat | Enterprise Linux Hpc Node | 7.0 |
| Redhat | Enterprise Linux Hpc Node Eus | 7.1 |
| Redhat | Enterprise Linux Server | 7.0 |
| Redhat | Enterprise Linux Server Eus | 7.1 |
| Redhat | Enterprise Linux Workstation | 7.0 |
| Php | Php | <= 5.4.39 |
References
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=0c136a2abd49298b66acb0cad504f0f
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2015-1135.html
- http://rhn.redhat.com/errata/RHSA-2015-1218.html
- http://www.openwall.com/lists/oss-security/2015/06/16/12
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.h
- http://www.securityfocus.com/bid/74413
- http://www.securitytracker.com/id/1032709
- https://bugs.php.net/bug.php?id=69152Exploit
- http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=0c136a2abd49298b66acb0cad504f0f
- http://php.net/ChangeLog-5.php
- http://rhn.redhat.com/errata/RHSA-2015-1135.html
- http://rhn.redhat.com/errata/RHSA-2015-1218.html
- http://www.openwall.com/lists/oss-security/2015/06/16/12
- http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.h
FAQ
What is CVE-2015-4600?
CVE-2015-4600 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The SoapClient implementation in PHP before 5.4.40, 5.5.x before 5.5.24, and 5.6.x before 5.6.8 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary c...
How severe is CVE-2015-4600?
CVE-2015-4600 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2015-4600?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Hpc Node, Redhat Enterprise Linux Hpc Node Eus, Redhat Enterprise Linux Server, Redhat Enterprise Linux Server Eus.