CVE-2015-8394
📋 TL;DR
This vulnerability in the PCRE (Perl Compatible Regular Expressions) library allows remote attackers to cause an integer overflow via crafted regular expressions containing specific conditional patterns. This can lead to denial of service or potentially arbitrary code execution. It affects any software using vulnerable PCRE versions, including web browsers such as Konqueror and various server applications.
💻 Affected Systems
- PCRE library
- Konqueror browser
- Software using PCRE (Apache, PHP, Python, etc.)
📦 What is this software?
Perl Compatible Regular Expression Library by Pcre
Php by Php
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise
Likely Case
Denial of service through application crashes or resource exhaustion
If Mitigated
Limited impact with proper input validation and sandboxing
🎯 Exploit Status
Proof-of-concept demonstrated with JavaScript RegExp in Konqueror; similar exploitation possible in other contexts
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PCRE 8.38 and later
Vendor Advisory: http://www.openwall.com/lists/oss-security/2015/11/29/1
Restart Required: Yes
Instructions:
1. Update PCRE to version 8.38 or later
2. Recompile applications using PCRE
3. Restart affected services
🔧 Temporary Workarounds
Input validation
all: Validate and sanitize regular expression patterns from untrusted sources
PCRE compile-time options
linux: Use PCRE_NO_AUTO_CAPTURE or limit recursion depth
Configure with --disable-auto-capture-setup during compilation
🧯 If You Can't Patch
- Implement strict input validation for regex patterns
- Use WAF rules to block malicious regex patterns
🔍 How to Verify
Check if Vulnerable:
Check PCRE version: pcretest -C | grep 'PCRE version'
Check Version:
pcretest -C | grep 'PCRE version'
Verify Fix Applied:
Verify version is 8.38 or higher: pcretest -C
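The version check above, as an added shell example (not from the original advisory or the PCRE project): it parses the `PCRE version` line printed by `pcretest -C` and compares it with the 8.38 fix level stated on this page. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a PCRE 8.x install against the 8.38 fix level.
# Function names and sample lines below are constructed for illustration.

# Pull "MAJOR.MINOR" out of a line like "PCRE version 8.37 2015-04-28".
# Prints nothing for other input (e.g. PCRE2's "PCRE2 version ..." line).
pcre_version_from_line() {
    printf '%s\n' "$1" |
        sed -n 's/^PCRE version \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Exit status: 0 = 8.38 or later, 1 = older than 8.38, 2 = not parseable.
pcre_is_fixed() {
    case "$1" in
        ''|*[!0-9.]*|*.*.*|.*|*.) return 2 ;;
        *.*) ;;
        *) return 2 ;;
    esac
    major=${1%%.*}
    minor=${1#*.}
    [ "$major" -gt 8 ] && return 0
    [ "$major" -eq 8 ] && [ "$minor" -ge 38 ] && return 0
    return 1
}

# Human-readable verdict for one "PCRE version" line.
pcre_status() {
    ver=$(pcre_version_from_line "$1")
    rc=0
    pcre_is_fixed "$ver" || rc=$?
    case $rc in
        0) echo "fixed ($ver)" ;;
        1) echo "vulnerable ($ver)" ;;
        *) echo "unknown" ;;
    esac
}

# Constructed sample lines, so the script runs without PCRE installed.
for line in 'PCRE version 8.37 2015-04-28' 'PCRE version 8.38 2015-11-23' \
            'PCRE2 version 10.20 2015-06-30'; do
    printf '%-32s -> %s\n' "$line" "$(pcre_status "$line")"
done

# Live check, using the same command the page gives.
if command -v pcretest >/dev/null 2>&1; then
    pcre_status "$(pcretest -C | grep 'PCRE version')"
fi
```

This only reports on the PCRE build that `pcretest` belongs to; applications that bundle their own PCRE copy need to be checked separately, and distribution packages may backport the fix without changing the upstream version number.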
📡 Detection & Monitoring
Log Indicators:
- Application crashes
- Memory exhaustion errors
- Unusual regex processing patterns
Network Indicators:
- HTTP requests containing complex regex patterns
- Unexpected application termination
SIEM Query:
search 'PCRE overflow' OR 'regex crash' OR 'application terminated unexpectedly'
🔗 References
- http://lists.fedoraproject.org/pipermail/package-announce/2016-January/174931.html
- http://vcs.pcre.org/pcre/code/trunk/ChangeLog?view=markup
- http://www.openwall.com/lists/oss-security/2015/11/29/1
- http://www.securityfocus.com/bid/82990
- https://bto.bluecoat.com/security-advisory/sa128
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05240731
- https://security.gentoo.org/glsa/201607-02
- https://security.netapp.com/advisory/ntap-20230216-0002/