Think you have a false positive on this rule?

Sid 1-44746

Message

SERVER-WEBAPP PHP unserialize call SPL ArrayObject and SPLObjectStorage memory corruption attempt

Summary

This event is generated when a memory corruption attempt is detected in PHP unserialize.

Impact

Attempted User Privilege Gain

CVE-2014-3515:

CVSS base score 7.5

CVSS impact score 6.4

CVSS exploitability score 10.0

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

Detailed information

CVE-2014-3515: The SPL component in PHP before 5.4.30 and 5.5.x before 5.5.14 incorrectly anticipates that certain data structures will have the array data type after unserialization, which allows remote attackers to execute arbitrary code via a crafted string that triggers use of a Hashtable destructor, related to "type confusion" issues in (1) ArrayObject and (2) SPLObjectStorage.

Affected systems

  • php php 5.4.0
  • php php 5.4.1
  • php php 5.4.2
  • php php 5.4.3
  • php php 5.4.4
  • php php 5.4.5
  • php php 5.4.6
  • php php 5.4.7
  • php php 5.4.8
  • php php 5.4.9
  • php php 5.4.10
  • php php 5.4.11
  • php php 5.4.12
  • php php 5.4.13
  • php php 5.4.14
  • php php 5.4.15
  • php php 5.4.16
  • php php 5.4.17
  • php php 5.4.18
  • php php 5.4.19
  • php php 5.4.20
  • php php 5.4.21
  • php php 5.4.22
  • php php 5.4.23
  • php php 5.4.24
  • php php 5.4.25
  • php php 5.4.26
  • php php 5.4.27
  • php php 5.4.28
  • php php 5.4.29
  • php php 5.5.0
  • php php 5.5.1
  • php php 5.5.2
  • php php 5.5.3
  • php php 5.5.4
  • php php 5.5.5
  • php php 5.5.6
  • php php 5.5.7
  • php php 5.5.8
  • php php 5.5.9
  • php php 5.5.10
  • php php 5.5.11
  • php php 5.5.12
  • php php 5.5.13

Ease of attack

CVE-2014-3515:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References