Nessus plugin FEDORA_2016-03C0ED3127.NASL
This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.
History: Jul 14, 2016 - 12:00 a.m.

Fedora 22 : php-ZendFramework2 / php-zendframework-zendxml (2016-03c0ed3127)

2016-07-14 00:00:00
www.tenable.com

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

CVSS3: 7.5 High (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.003 Low, Percentile 68.1%

2.4.10 (2016-05-09)

  • Fix HeaderValue throwing an exception on legal characters

2.4.9 (2015-11-23)

SECURITY UPDATES

  • ZF2015-09: Zend\Captcha\Word generates a ‘word’ for a CAPTCHA challenge by selecting a sequence of random letters from a character set. Prior to this vulnerability announcement, the selection was performed using PHP’s internal array_rand() function. This function does not generate sufficient entropy due to its usage of rand() instead of more cryptographically secure methods such as openssl_pseudo_random_bytes().
    This could potentially lead to information disclosure should an attacker be able to brute force the random number generation. This release contains a patch that replaces the array_rand() calls with Zend\Math\Rand::getInteger(), which provides better RNG.

  • ZF2015-10: Zend\Crypt\PublicKey\Rsa\PublicKey has a call to openssl_public_encrypt() which used PHP’s default $padding argument, which specifies OPENSSL_PKCS1_PADDING, indicating usage of PKCS1v1.5 padding. This padding has a known vulnerability, the [Bleichenbacher’s chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5), which can be used to recover an RSA private key. This release contains a patch that changes the padding argument to use OPENSSL_PKCS1_OAEP_PADDING.

    Users upgrading to this version may have issues decrypting previously stored values, due to the change in padding. If this occurs, you can pass the constant OPENSSL_PKCS1_PADDING to a new $padding argument in Zend\Crypt\PublicKey\Rsa::encrypt() and decrypt() (though typically this should only apply to the latter):

    ```php
    $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
    ```

    where $rsa is an instance of Zend\Crypt\PublicKey\Rsa.

    (The $key and $mode argument defaults are null and Zend\Crypt\PublicKey\Rsa::MODE_AUTO, if you were not using them previously.)

    We recommend re-encrypting any such values using the new defaults.
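The ZF2015-09 item above contrasts array_rand() with a CSPRNG-backed selection. The following is an added example, not Zend Framework code: it shows both ways of picking CAPTCHA letters side by side and the size of the resulting challenge space. Function names and the 24-letter alphabet are constructed for the example.

```php
<?php
// Added example (not Zend Framework code): the weak and hardened letter
// selection that ZF2015-09 contrasts. Function names are hypothetical.

// Weak: array_rand() draws its index from PHP's rand(), which is not a
// CSPRNG, so the sequence of challenges is far more predictable than the
// size of the alphabet suggests.
function weakCaptchaWord(string $alphabet, int $length): string
{
    $chars = str_split($alphabet);
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $chars[array_rand($chars)]; // rand()-based index
    }
    return $word;
}

// Hardened: random_int() (PHP >= 7.0) reads the OS CSPRNG and is unbiased
// over the requested range, which is the property the patched release gets
// from Zend\Math\Rand::getInteger().
function secureCaptchaWord(string $alphabet, int $length): string
{
    $max = strlen($alphabet) - 1;
    $word = '';
    for ($i = 0; $i < $length; $i++) {
        $word .= $alphabet[random_int(0, $max)];
    }
    return $word;
}

// Size of the challenge space in bits: log2(|alphabet|) * length. This is
// the brute-force cost only when every position is truly unpredictable.
function captchaEntropyBits(string $alphabet, int $length): float
{
    return $length * log(strlen($alphabet), 2);
}

$alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZ'; // 24 letters, constructed sample set
printf("weak:   %s\n", weakCaptchaWord($alphabet, 8));
printf("secure: %s\n", secureCaptchaWord($alphabet, 8));
printf("space:  %.1f bits\n", captchaEntropyBits($alphabet, 8));
```

The entropy figure is the same for both generators; the difference is that only the second one actually forces an attacker to pay it.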

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
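The ZF2015-10 item recommends passing OPENSSL_PKCS1_PADDING to decrypt() for values stored before the upgrade and then re-encrypting them under the new default. The following is an added example, not Zend Framework code, that implements that migration directly against PHP's openssl extension: OAEP is tried first, PKCS#1 v1.5 only as a fallback, and any legacy value is rewritten under OAEP. Function names and the throwaway key pair are constructed for the example.

```php
<?php
// Added example (not Zend Framework code): the ZF2015-10 padding change and the
// migration the advisory recommends. Function names are hypothetical.

// Encrypt with OAEP, the padding the patched release defaults to.
function encryptOaep(string $plaintext, string $publicKeyPem): string
{
    if (openssl_public_encrypt($plaintext, $ciphertext, $publicKeyPem,
                               OPENSSL_PKCS1_OAEP_PADDING) !== true) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

// Decrypt a stored value: OAEP first, then PKCS#1 v1.5 only for values written
// before the upgrade. Returns [plaintext, wasLegacy].
function decryptWithLegacyFallback(string $ciphertext, string $privateKeyPem): array
{
    if (openssl_private_decrypt($ciphertext, $plain, $privateKeyPem,
                                OPENSSL_PKCS1_OAEP_PADDING) === true) {
        return [$plain, false];
    }
    if (openssl_private_decrypt($ciphertext, $plain, $privateKeyPem,
                                OPENSSL_PKCS1_PADDING) === true) {
        return [$plain, true];
    }
    throw new RuntimeException('decrypt failed under both paddings');
}

// Re-encrypt a legacy value under OAEP so the fallback path can be retired.
function migrateCiphertext(string $ct, string $privateKeyPem, string $publicKeyPem): string
{
    [$plain, $wasLegacy] = decryptWithLegacyFallback($ct, $privateKeyPem);
    return $wasLegacy ? encryptOaep($plain, $publicKeyPem) : $ct;
}

// Demo with a throwaway key pair (constructed here, not a deployment key).
$key = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($key, $privPem);
$pubPem = openssl_pkey_get_details($key)['key'];

// A value stored by the pre-2.4.9 code path, i.e. PKCS#1 v1.5 padded.
openssl_public_encrypt('stored secret', $legacy, $pubPem, OPENSSL_PKCS1_PADDING);
[$plain, $wasLegacy] = decryptWithLegacyFallback($legacy, $privPem);
$migrated = migrateCiphertext($legacy, $privPem, $pubPem);
[$plain2, $wasLegacy2] = decryptWithLegacyFallback($migrated, $privPem);
printf("%s (legacy=%d) -> %s (legacy=%d)\n", $plain, $wasLegacy, $plain2, $wasLegacy2);
```

The PKCS#1 v1.5 fallback is itself the padding oracle the advisory warns about, so it belongs in an offline migration job rather than on a request path, and it should be deleted once every stored value has been re-encrypted.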

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Fedora Security Advisory FEDORA-2016-03c0ed3127.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(92053);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/11");

  script_cve_id("CVE-2015-7503");
  script_xref(name:"FEDORA", value:"2016-03c0ed3127");

  script_name(english:"Fedora 22 : php-ZendFramework2 / php-zendframework-zendxml (2016-03c0ed3127)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Fedora host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"## 2.4.10 (2016-05-09)

  - Fix HeaderValue throwing an exception on legal
    characters

## 2.4.9 (2015-11-23)

### SECURITY UPDATES

  - **ZF2015-09**: `Zend\Captcha\Word` generates a 'word'
    for a CAPTCHA challenge by selecting a sequence of
    random letters from a character set. Prior to this
    vulnerability announcement, the selection was performed
    using PHP's internal `array_rand()` function. This
    function does not generate sufficient entropy due to its
    usage of `rand()` instead of more cryptographically
    secure methods such as `openssl_pseudo_random_bytes()`.
    This could potentially lead to information disclosure
    should an attacker be able to brute force the random
    number generation. This release contains a patch that
    replaces the `array_rand()` calls to use
    `Zend\Math\Rand::getInteger()`, which provides better
    RNG.

  - **ZF2015-10**: `Zend\Crypt\PublicKey\Rsa\PublicKey` has
    a call to `openssl_public_encrypt()` which used PHP's
    default `$padding` argument, which specifies
    `OPENSSL_PKCS1_PADDING`, indicating usage of PKCS1v1.5
    padding. This padding has a known vulnerability, the
    [Bleichenbacher's chosen-ciphertext attack](http://crypto.stackexchange.com/questions/12688/can-you-explain-bleichenbachers-cca-attack-on-pkcs1-v1-5),
    which can be used to recover an RSA private key. This
    release contains a patch that changes the padding
    argument to use `OPENSSL_PKCS1_OAEP_PADDING`.

    Users upgrading to this version may have issues
    decrypting previously stored values, due to the change
    in padding. If this occurs, you can pass the constant
    `OPENSSL_PKCS1_PADDING` to a new `$padding` argument in
    `Zend\Crypt\PublicKey\Rsa::encrypt()` and `decrypt()`
    (though typically this should only apply to the
    latter):

    ```php
    $decrypted = $rsa->decrypt($data, $key, $mode, OPENSSL_PKCS1_PADDING);
    ```

    where `$rsa` is an instance of
    `Zend\Crypt\PublicKey\Rsa`.

    (The `$key` and `$mode` argument defaults are `null` and
    `Zend\Crypt\PublicKey\Rsa::MODE_AUTO`, if you were not
    using them previously.)

    We recommend re-encrypting any such values using the new
    defaults.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2016-03c0ed3127"
  );
  script_set_attribute(
    attribute:"solution", 
    value:
"Update the affected php-ZendFramework2 and / or
php-zendframework-zendxml packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-ZendFramework2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:php-zendframework-zendxml");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:22");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/06/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/14");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2016-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! preg(pattern:"^22([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 22", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);


flag = 0;
if (rpm_check(release:"FC22", reference:"php-ZendFramework2-2.4.10-1.fc22")) flag++;
if (rpm_check(release:"FC22", reference:"php-zendframework-zendxml-1.0.2-2.fc22")) flag++;


if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "php-ZendFramework2 / php-zendframework-zendxml");
}

| Vendor | Product | Version | CPE |
|---|---|---|---|
| fedoraproject | fedora | php-zendframework2 | p-cpe:/a:fedoraproject:fedora:php-zendframework2 |
| fedoraproject | fedora | php-zendframework-zendxml | p-cpe:/a:fedoraproject:fedora:php-zendframework-zendxml |
| fedoraproject | fedora | 22 | cpe:/o:fedoraproject:fedora:22 |
