Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

CVE-2018-10545

Published: 29 April 2018

An issue was discovered in PHP before 5.6.35, 7.0.x before 7.0.29, 7.1.x before 7.1.16, and 7.2.x before 7.2.4. Dumpable FPM child processes allow bypassing opcache access controls because fpm_unix.c makes a PR_SET_DUMPABLE prctl call, allowing one user (in a multiuser environment) to obtain sensitive information from the process memory of a second user's PHP applications by running gcore on the PID of the PHP-FPM worker process.

Priority

Medium

Cvss 3 Severity Score

4.7

Score breakdown

Status

Package Release Status
php5
Launchpad, Ubuntu, Debian
upstream
Released (5.6.35)
trusty
Released (5.5.9+dfsg-1ubuntu4.25)
xenial Does not exist

artful Does not exist

bionic Does not exist

Patches:
upstream: https://github.com/php/php-src/commit/d20bebfe1340986f795769e2ad6810f36eadf2ca
php7.0
Launchpad, Ubuntu, Debian
upstream
Released (7.0.29)
trusty Does not exist

xenial
Released (7.0.30-0ubuntu0.16.04.1)
artful Does not exist

bionic Does not exist

php7.1
Launchpad, Ubuntu, Debian
upstream
Released (7.1.16)
trusty Does not exist

xenial Does not exist

artful
Released (7.1.17-0ubuntu0.17.10.1)
bionic Does not exist

php7.2
Launchpad, Ubuntu, Debian
upstream
Released (7.2.4)
trusty Does not exist

xenial Does not exist

artful Does not exist

bionic
Released (7.2.5-0ubuntu0.18.04.1)

Severity score breakdown

Parameter Value
Base score 4.7
Attack vector Local
Attack complexity High
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity impact None
Availability impact None
Vector CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N