External risk intelligence

PHP PHAR reading vulnerability could allow attackers to access sensitive memory

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2019-9021

A critical flaw in PHP allows attackers to read sensitive memory by providing a specially crafted file name, potentially exposing confidential data in widely used web applications.

4Halo Surface Signal

Out-of-bounds Read

Php

before 5.6.407.0.0 to before 7.1.267.2.0 to before 7.2.147.3.0 to before 7.3.19.012.0414.0416.0442.3

External exposure likelihood

Halo Surface Signal score for CVE-2019-9021

The vulnerability exists in PHP, a widely deployed web application server technology. The flaw is triggered when the application parses user-supplied file names or handles uploaded files. Because PHP-based web applications are commonly exposed to the public internet to handle user requests and file interactions, the attack surface is frequently reachable in typical web deployment patterns.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

An issue in PHP's PHAR extension could allow an attacker to read sensitive information from memory. This is important because it could expose confidential data when processing file names or uploaded files.

  • Can lead to disclosure of sensitive information.
  • Affects applications processing files.
  • Reachable from the internet.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted file name to a PHP application that processes PHAR archives. This could allow them to read sensitive information from memory, potentially leading to further compromise.

  • No authentication required.
  • Targets PHAR file processing.
  • Requires user-supplied file name.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in PHP's PHAR extension allows attackers to read memory beyond allocated data, which could lead to information disclosure or crashes. Given that PHP is extensively used in web applications, and this flaw is reachable through file parsing, exploitation is a plausible threat, especially if public exploit code emerges.

  • PHAR parsing affects file handling.
  • No public exploit reported yet.
  • Published in early 2019.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize updating PHP to versions 5.6.40, 7.1.26, 7.2.14, or 7.3.1, as this critical vulnerability allows unauthenticated attackers to read sensitive memory. If immediate patching is not possible, isolate affected systems from untrusted networks to prevent exploitation.

  • Update PHP to latest patch version.
  • Isolate vulnerable services if patching is delayed.
  • Monitor for unexpected memory reads.

Frequently asked questions

What is the PHP PHAR extension and what is it used for?

The PHAR extension in PHP is used to create and manage Phar archives, which are a way to package PHP code and assets for distribution. It allows developers to bundle applications and their dependencies into a single file, similar to how ZIP or TAR files work, and can be used for features like code deployment and creating executable PHP applications.

What kind of weakness does CVE-2019-9021 represent?

CVE-2019-9021 represents a heap-based buffer over-read weakness (CWE-125). This means that the software reads more data from its memory buffer than was intended, potentially accessing sensitive information from adjacent memory locations or causing application instability.

How can an attacker trigger this PHP vulnerability?

An attacker can trigger this vulnerability by providing a specially crafted file name when the PHP application is processing a PHAR archive. The vulnerability occurs during the detection of the file name extension within the PHAR reading functions, allowing the attacker to read memory beyond the intended data.

Who should be concerned about CVE-2019-9021, considering its reachability?

Organizations using PHP, especially for internet-facing web applications that handle file uploads or process PHAR files, should be concerned. The Halo Surface Signal indicates this vulnerability is 'Likely' to be exploited because PHP is widely deployed in web applications, and the flaw is reachable through user-supplied file names in common web interaction patterns.

What is the first step to address this PHP vulnerability?

The primary step to address this vulnerability is to update PHP to a patched version. Specifically, users should upgrade to PHP versions 5.6.40, 7.1.26, 7.2.14, or 7.3.1, or later, to fix the issue in the PHAR extension.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified