CVE-2015-8389
📋 TL;DR
This vulnerability in the PCRE (Perl Compatible Regular Expressions) library allows remote attackers to cause a denial of service through infinite recursion by supplying crafted regular expression patterns. It affects any software using vulnerable PCRE versions, including web browsers such as Konqueror and various server applications.
💻 Affected Systems
- PCRE library
- Konqueror browser
- Any software using PCRE for regex processing
📦 What is this software?
- Fedora by Fedoraproject
- Perl Compatible Regular Expression Library by PCRE
- PHP by PHP
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, though this is theoretical and not demonstrated in public disclosures.
Likely Case
Denial of service through application crashes or resource exhaustion when processing malicious regex patterns.
If Mitigated
Limited impact with proper input validation and updated libraries, potentially causing only temporary service disruption.
🎯 Exploit Status
A proof of concept demonstrates the infinite-recursion pattern. Weaponization for DoS attacks is likely, but RCE is not confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PCRE 8.38 and later
Vendor Advisory: http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
Restart Required: Yes
Instructions:
1. Update the PCRE library to version 8.38 or later.
2. Recompile any applications statically linked to PCRE.
3. Restart affected services.
🔧 Temporary Workarounds
Input validation for regex patterns
Validate and sanitize regular expression inputs before processing
Limit regex complexity
Configure applications to limit recursion depth or time out regex processing
🧯 If You Can't Patch
- Implement WAF rules to block known malicious regex patterns
- Isolate vulnerable systems from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check the installed PCRE version with: pcretest -C
Verify Fix Applied:
Verify the PCRE version is 8.38 or higher: pcretest -C | grep 'PCRE version'
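A version check that carries the pcretest -C test above through to a fixed/vulnerable verdict, added here as an example (not tooling from PCRE or from this advisory). It assumes the "PCRE version MAJOR.MINOR DATE" first line that pcretest -C prints, and falls back to constructed sample output when pcretest is not installed; all function and variable names are assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): parse `pcretest -C` output and decide whether the
# installed PCRE is at or past 8.38, the first release the advisory lists as fixed.
# Function and variable names below are assumed, not part of PCRE's own tooling.
FIXED_MAJOR=8
FIXED_MINOR=38

# Constructed sample of pcretest -C output (format: "PCRE version MAJOR.MINOR DATE" first line).
SAMPLE_OUTPUT='PCRE version 8.37 2015-04-28
Compiled with
  8-bit support
  UTF-8 support'

# Print MAJOR.MINOR from pcretest -C output; return 1 if no "PCRE version" line is present.
# Note: pcre2test -C prints "PCRE2 version 10.x" (a separate code base), so it is reported unknown.
parse_pcre_version() {
    v=$(printf '%s\n' "$1" | sed -n 's/^PCRE version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 when MAJOR.MINOR >= 8.38, 1 otherwise (numeric compare, so 8.40 > 8.38 and 8.9 < 8.38).
pcre_is_fixed() {
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt "$FIXED_MAJOR" ] && return 0
    [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -ge "$FIXED_MINOR" ] && return 0
    return 1
}

# Classify pcretest -C output as "fixed", "vulnerable" or "unknown".
classify_pcre_output() {
    v=$(parse_pcre_version "$1") || { echo unknown; return 0; }
    if pcre_is_fixed "$v"; then echo fixed; else echo vulnerable; fi
}

# Use the live installation when pcretest is on PATH, otherwise the constructed sample.
if command -v pcretest >/dev/null 2>&1; then
    OUTPUT=$(pcretest -C 2>/dev/null || true)
else
    OUTPUT=$SAMPLE_OUTPUT
fi
echo "CVE-2015-8389 (PCRE >= 8.38 required): $(classify_pcre_output "$OUTPUT")"
```

Run it on each host that ships libpcre; applications statically linked against an older PCRE still need the rebuild listed under the official fix, which this version check cannot see.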
📡 Detection & Monitoring
Log Indicators:
- Application crashes
- High CPU usage from regex processing
- Stack overflow errors
Network Indicators:
- HTTP requests containing crafted regex patterns
- Unusual traffic to regex processing endpoints
SIEM Query:
source="application.log" AND ("stack overflow" OR "recursion depth" OR "PCRE")
🔗 References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.securityfocus.com/bid/82990
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/