CVE-2015-8383
📋 TL;DR
A buffer overflow vulnerability in PCRE (Perl Compatible Regular Expressions) library versions before 8.38 allows remote attackers to cause denial of service or potentially execute arbitrary code via specially crafted regular expressions. This affects any software using vulnerable PCRE versions, including web browsers like Konqueror, web servers, and applications processing untrusted regex patterns.
💻 Affected Systems
- PCRE library
- Konqueror browser
- Any software using PCRE (Apache, PHP, Python, etc.)
- Linux distributions with vulnerable packages
📦 What is this software?
Fedora by Fedoraproject
Perl Compatible Regular Expression Library by Pcre
View all CVEs affecting Perl Compatible Regular Expression Library →
Php by Php
Php by Php
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service causing application crashes or system instability when processing malicious regex patterns.
If Mitigated
Limited impact with proper input validation and regex sanitization, potentially just application crashes.
🎯 Exploit Status
Proof-of-concept demonstrated with JavaScript RegExp in Konqueror. The vulnerability is in the regex parsing engine, making exploitation straightforward with crafted patterns.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PCRE 8.38 and later
Vendor Advisory: http://rhn.redhat.com/errata/RHSA-2016-2750.html
Restart Required: Yes
Instructions:
1. Update PCRE to version 8.38 or later. 2. For Linux distributions: Use package manager (yum update pcre, apt-get upgrade libpcre3). 3. Recompile applications if using static linking. 4. Restart affected services.
🔧 Temporary Workarounds
Input Validation and Sanitization
allValidate and sanitize regular expression inputs from untrusted sources to prevent malicious patterns.
Disable Regex Processing
allTemporarily disable regex processing features in applications if not essential.
🧯 If You Can't Patch
- Implement strict input validation to reject complex or nested regex patterns from untrusted sources.
- Use web application firewalls (WAF) to block requests containing suspicious regex patterns.
🔍 How to Verify
Check if Vulnerable:
Check PCRE version: pcretest -C | grep 'PCRE version'. If version is below 8.38, system is vulnerable.Check Version:
pcretest -C | grep 'PCRE version'Verify Fix Applied:
Verify PCRE version is 8.38 or higher: pcretest -C | grep 'PCRE version'.📡 Detection & Monitoring
Log Indicators:
- Application crashes with segmentation faults
- Unusual regex processing errors
- High CPU/memory usage from regex operations
Network Indicators:
- HTTP requests containing complex regex patterns
- Unexpected traffic to regex processing endpoints
SIEM Query:
source="application.log" AND ("segmentation fault" OR "buffer overflow" OR "regex error")🔗 References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- https://access.redhat.com/errata/RHSA-2016:1132
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://rhn.redhat.com/errata/RHSA-2016-2750.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- https://access.redhat.com/errata/RHSA-2016:1132
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/
