Synology-SA-18:20 PHP

Publish Time: 2018-05-02 15:30:27 UTC+8

Last Updated: 2019-12-24 14:29:23 UTC+8

Severity: Important
Status: Resolved

Abstract

A vulnerability in the exif extension of PHP allows remote attackers to trigger an out-of-bounds read by supplying crafted JPEG data to a susceptible version of PHP 5.6, PHP 7.0 or DSM 5.2.

Affected Products

Product    Severity    Fixed Release Availability
PHP 5.6    Important   Upgrade to 5.6.36-0056 or above.
PHP 7.0    Important   Upgrade to 7.0.30-0026 or above.
DSM 5.2    Important   Upgrade to DSM 6.0 or above and install PHP 5.6.

Mitigation

If you need immediate assistance, please contact security@synology.com.

Detail

  • CVE-2018-10549
    • Severity: Important
    • CVSS3 Base Score: 7.3
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
    • An issue was discovered in PHP before 5.6.36, 7.0.x before 7.0.30, 7.1.x before 7.1.17, and 7.2.x before 7.2.5. exif_read_data in ext/exif/exif.c has an out-of-bounds read for crafted JPEG data because exif_iif_add_value mishandles the case of a MakerNote that lacks a final '\0' character.
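The failure mode described above, modelled in C as an added example. This is illustrative code written for this page, not PHP's ext/exif/exif.c; the ifd_entry struct, the sample bytes and the function names are assumptions. An ASCII-format EXIF tag carries an explicit byte count in its IFD entry and is expected to end in '\0', but a crafted file can omit the terminator. Code that trusts the terminator (strlen and strdup-style copies) walks past the tag's bytes into adjacent memory; code that bounds the read by the declared count does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a parsed TIFF/EXIF IFD entry of ASCII format:
 * the value bytes plus the component count the IFD entry declares. */
struct ifd_entry {
    const unsigned char *data;  /* start of the tag's value bytes */
    size_t length;              /* byte count declared in the IFD entry */
};

/* Bug-class model: assumes the ASCII value ends in '\0'. strlen() ignores
 * the declared length, so a MakerNote with no terminator makes it read on
 * into whatever follows the tag data (the out-of-bounds read). */
static size_t value_len_unbounded(const struct ifd_entry *e)
{
    return strlen((const char *)e->data);
}

/* Hardened: scans at most e->length bytes (strnlen semantics, written out
 * because strnlen is POSIX rather than ISO C). */
static size_t value_len_bounded(const struct ifd_entry *e)
{
    size_t n = 0;
    while (n < e->length && e->data[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: bounded length plus an explicit terminator, so callers
 * that later treat the result as a C string are safe regardless of input. */
static char *copy_value_bounded(const struct ifd_entry *e)
{
    size_t n = value_len_bounded(e);
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, e->data, n);
    out[n] = '\0';
    return out;
}

/* Constructed sample, not taken from any real file: a 5-byte MakerNote
 * value with no '\0', immediately followed by bytes belonging to the next
 * tag. In a crafted JPEG the trailing bytes would be whatever the parser's
 * heap happens to hold; here the string literal's own NUL keeps the demo
 * itself within bounds. */
static const unsigned char sample_blob[] =
    "Canon"            /* declared MakerNote value: length 5, unterminated */
    "NEXT-TAG-DATA";   /* adjacent bytes the unbounded read walks into */

static struct ifd_entry sample_makernote(void)
{
    struct ifd_entry e = { sample_blob, 5 };
    return e;
}

size_t demo_unbounded_read(void)   /* returns 18: 5 tag bytes + 13 beyond */
{
    struct ifd_entry e = sample_makernote();
    return value_len_unbounded(&e);
}

size_t demo_bounded_read(void)     /* returns 5: the declared count */
{
    struct ifd_entry e = sample_makernote();
    return value_len_bounded(&e);
}

/* Bounded copy yields exactly "Canon"; returns 1 on success, 0 otherwise. */
int demo_bounded_copy_is_exact(void)
{
    struct ifd_entry e = sample_makernote();
    char *s = copy_value_bounded(&e);
    int ok = (s != NULL && strcmp(s, "Canon") == 0);
    free(s);
    return ok;
}

/* Embedded NUL before the declared end: the bounded scan stops at it (2). */
size_t demo_embedded_nul(void)
{
    static const unsigned char v[] = { 'A', 'B', '\0', 'C', 'D' };
    struct ifd_entry e = { v, sizeof v };
    return value_len_bounded(&e);
}

int main(void)
{
    printf("unbounded strlen over unterminated MakerNote: %zu bytes\n", demo_unbounded_read());
    printf("bounded length (declared count honoured):    %zu bytes\n", demo_bounded_read());
    printf("bytes read past the tag by the unsafe path:  %zu\n",
           demo_unbounded_read() - demo_bounded_read());
    return demo_bounded_copy_is_exact() ? 0 : 1;
}
```

The practical check when reviewing EXIF or any TIFF-style parser is the one the bounded functions make: every string copy out of a tag must take its limit from the IFD entry's count, never from a terminator the file is merely supposed to contain.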

Reference

Revision

Revision   Date         Description
1          2018-05-02   Initial public release.
2          2018-06-01   Updates for PHP 5.6, PHP 7.0 and DSM 5.2 are now available; see Affected Products.