CVE-2018-11756

9.8 CRITICAL

📋 TL;DR

The PHP runtime for Apache OpenWhisk lets an attacker replace the user function inside a running action container, but only when the user's own PHP code already has an exploitable flaw that gives the attacker a foothold in that container (the ability to make requests from inside it or run code there). The vulnerable images did not stop an already-initialized container from accepting a new function; the fixed images do. It affects anyone running PHP actions on the listed Docker images, including Docker actions built from them. The CVSS score is high because a replaced function stays in the container and handles later invocations with the attacker's code, which amounts to a complete container compromise.

💻 Affected Systems

Products:
  • Apache OpenWhisk PHP Runtime
Versions: Docker tags openwhisk/action-php-v7.2:1.0.0 or earlier, openwhisk/action-php-v7.1:1.0.1 or earlier
Operating Systems: Any running Docker
Default Config Vulnerable: ⚠️ Yes
Notes: Only PHP actions that run on the vulnerable Docker images are affected, including Docker actions whose image is derived from those tags. Exploitation still requires a flaw in the user's own PHP code that an attacker can reach.

📦 What is this software?

Apache OpenWhisk is an open-source serverless platform: it runs small units of code ("actions") in response to HTTP requests or events, each in a Docker container started from a per-language runtime image. The openwhisk/action-php-v7.1 and openwhisk/action-php-v7.2 images are the runtimes for PHP actions; the vulnerability is in the runtime layer of those images, not in PHP itself.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete container takeover: the attacker's code runs in place of the user's function, receives the inputs of every later invocation routed to that container, and can use the container's network reach for data exfiltration and lateral movement within the OpenWhisk environment.

🟠

Likely Case

Unauthorized code execution within the compromised container, with the replaced function silently serving subsequent invocations and potentially exposing other functions and data in the same OpenWhisk namespace.

🟢

If Mitigated

Limited impact when the user code itself exposes no exploitable flaw, since the runtime weakness cannot be reached without one; the weakness still exists at the runtime level until the image is updated.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires finding and leveraging vulnerabilities in user PHP code to trigger the runtime flaw.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: openwhisk/action-php-v7.2:1.0.1, openwhisk/action-php-v7.1:1.0.2

Vendor Advisory: https://lists.apache.org/thread.html/439bd5ff5822708c645a0d816ed9914b88c97eda32eae6ea211bc0dc%40%3Cdev.openwhisk.apache.org%3E

Restart Required: Yes (running action containers must be recycled so that new ones start from the fixed image)

Instructions:

1. Update the PHP runtime images to the patched tags: point the platform's runtime configuration at openwhisk/action-php-v7.2:1.0.1 and openwhisk/action-php-v7.1:1.0.2, and change the FROM line of any Docker action that inherits from the vulnerable tags.
2. Rebuild and redeploy all PHP actions so that no warm container built from an old image keeps serving invocations.
3. Verify that no vulnerable images remain in your registry or on your invoker hosts.

🔧 Temporary Workarounds

Migrate to an unaffected runtime (all platforms)

Temporarily redeploy PHP actions on a runtime not covered by this advisory, such as Node.js.

Isolate vulnerable containers (Linux)

Apply network segmentation and strict access controls to the hosts and containers running PHP actions, so that a compromised container cannot reach other services.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization in all PHP user functions, and audit them for flaws that let an attacker make requests from inside the container or execute code there, since those are the precondition for this vulnerability
  • Deploy runtime application self-protection (RASP) or a web application firewall (WAF) in front of the actions to detect exploitation attempts against the user code

🔍 How to Verify

Check if Vulnerable:

Check which PHP runtime images are present on each invoker host: docker images | grep openwhisk/action-php

For Docker actions created with wsk action create --docker, also check the FROM line of the image's Dockerfile, since an image derived from a vulnerable tag is affected even though its own name does not say so.

Check Version:

docker inspect --format='{{.RepoTags}}' <image_id>

Verify Fix Applied:

Confirm all PHP actions use images with tags 1.0.1+ for v7.2 or 1.0.2+ for v7.1
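The verification and the last fix step reduce to one check: does every PHP runtime image still on the platform carry a fixed tag? The following POSIX shell script is an added example written for this page, not code from OpenWhisk or the advisory. It classifies image references against the fixed tags given above (1.0.1 for v7.2, 1.0.2 for v7.1), treats untagged or non-numeric tags such as latest as needing manual review, and scans an inventory of references. The inventory in the block is constructed for the example; the real one comes from `docker images --format '{{.Repository}}:{{.Tag}}'` on each invoker host.

```shell
#!/bin/sh
# Added example for CVE-2018-11756: classify OpenWhisk PHP runtime image references.
# Fixed tags per the advisory: openwhisk/action-php-v7.2:1.0.1, openwhisk/action-php-v7.1:1.0.2.
# Everything below the version compare is specific to those two repositories.

# version_lt A B: succeed (0) when dotted numeric version A is older than B.
# Missing components count as 0, so "1.0" compares equal to "1.0.0".
version_lt() {
    a="$1." b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; a="${a#*.}"
        y="${b%%.*}"; b="${b#*.}"
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# php_image_status REF: print VULNERABLE, FIXED, UNTAGGED, UNKNOWN_TAG or NOT_PHP_RUNTIME.
# REF may carry a registry prefix (registry.example:5000/openwhisk/action-php-v7.2:1.0.0).
# Digest-pinned references (repo@sha256:...) are not classified here.
php_image_status() {
    ref="$1"
    tag="${ref##*:}"
    case "$tag" in
        "$ref"|*/*) repo="$ref"; tag="" ;;   # no tag at all (a ':' in a registry port is not a tag)
        *)          repo="${ref%:*}" ;;
    esac
    case "$repo" in
        openwhisk/action-php-v7.2|*/openwhisk/action-php-v7.2) fixed=1.0.1 ;;
        openwhisk/action-php-v7.1|*/openwhisk/action-php-v7.1) fixed=1.0.2 ;;
        *) echo NOT_PHP_RUNTIME; return 0 ;;
    esac
    case "$tag" in
        "")         echo UNTAGGED; return 0 ;;      # implicit :latest, cannot be judged by name
        *[!0-9.]*)  echo UNKNOWN_TAG; return 0 ;;   # latest, <none>, custom tags: inspect by hand
    esac
    if version_lt "$tag" "$fixed"; then echo VULNERABLE; else echo FIXED; fi
}

# scan_php_images: read one image reference per line on stdin, print every reference
# that still needs attention, and return 1 if any vulnerable image was seen.
scan_php_images() {
    rc=0
    while IFS= read -r ref; do
        [ -z "$ref" ] && continue
        status=$(php_image_status "$ref")
        case "$status" in
            VULNERABLE)           printf 'VULNERABLE %s\n' "$ref"; rc=1 ;;
            UNTAGGED|UNKNOWN_TAG) printf 'REVIEW     %s (%s)\n' "$ref" "$status" ;;
        esac
    done
    return $rc
}

# Constructed inventory standing in for `docker images --format '{{.Repository}}:{{.Tag}}'`
# on an invoker host; the mix covers fixed, vulnerable, re-tagged and unrelated images.
SAMPLE_INVENTORY='openwhisk/action-php-v7.2:1.0.0
openwhisk/action-php-v7.2:1.0.1
docker.io/openwhisk/action-php-v7.1:1.0.1
registry.example:5000/openwhisk/action-php-v7.1:1.0.2
openwhisk/action-php-v7.2:latest
openwhisk/action-nodejs-v8:1.0.0'

# Stand-alone run on the constructed inventory. On a real host replace the printf with:
#   docker images --format '{{.Repository}}:{{.Tag}}' | scan_php_images
printf '%s\n' "$SAMPLE_INVENTORY" | scan_php_images || echo "vulnerable PHP runtime images found"
```

Run it on every invoker host, not just the build machine: a fixed tag in the registry does not help while an invoker still has the old image cached and warm containers built from it. Anything reported as REVIEW (a latest or <none> tag) has to be resolved with docker inspect, because the name alone does not say which runtime version it contains.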

📡 Detection & Monitoring

Log Indicators:

  • Unexpected process execution in PHP containers
  • Modified PHP function files
  • Unusual network connections from PHP containers

Network Indicators:

  • Outbound connections to unexpected destinations from PHP containers
  • Unusual traffic patterns to/from OpenWhisk controllers

SIEM Query:

container.runtime=docker AND image.name=openwhisk/action-php* AND (process.name NOT IN expected_php_processes OR network.dest_ip NOT IN allowed_ranges)
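The query above is pseudo-syntax; the process allow-list and the allowed ranges are the parts you have to supply. The following POSIX shell script is an added example for this page (not OpenWhisk's or the advisory's) that applies the same two conditions to key=value event lines of the kind a container-runtime audit source might emit. The event format, the assumption that php is the only process expected in an action-php container, the internal prefixes 10.0. and 172.17., and the sample events are all constructed for the example; baseline your own containers before relying on the allow-list.

```shell
#!/bin/sh
# Added example: the "unexpected process OR unexpected destination" rule from the SIEM
# query, applied to key=value event lines from an action-php container.
# Event format, allow-lists and sample data are constructed assumptions for this example.

# Processes expected inside an action-php container (assumption: only the PHP runtime
# process; baseline your own images and extend this list before relying on it).
EXPECTED_PHP_PROCESSES="php"
# Destination prefixes an action container may legitimately reach (assumption).
ALLOWED_DEST_PREFIXES="10.0. 172.17."

# in_list WORD "A B C": succeed when WORD is one of the space-separated items.
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && return 0
    done
    return 1
}

# dest_allowed IP: succeed when IP starts with one of the allowed prefixes.
dest_allowed() {
    for p in $ALLOWED_DEST_PREFIXES; do
        case "$1" in "$p"*) return 0 ;; esac
    done
    return 1
}

# flag_php_container_events: read event lines on stdin, print an ALERT line for each
# action-php container event whose process or destination is not allow-listed,
# ignore events from other images, and return 1 if anything was flagged.
flag_php_container_events() {
    rc=0
    while IFS= read -r line; do
        image=""; container=""; process=""; dest=""
        for kv in $line; do
            case "$kv" in
                image=*)     image="${kv#image=}" ;;
                container=*) container="${kv#container=}" ;;
                process=*)   process="${kv#process=}" ;;
                dest=*)      dest="${kv#dest=}" ;;
            esac
        done
        case "$image" in
            openwhisk/action-php*|*/openwhisk/action-php*) ;;
            *) continue ;;   # the rule only covers PHP runtime containers
        esac
        if [ -n "$process" ] && ! in_list "$process" "$EXPECTED_PHP_PROCESSES"; then
            printf 'ALERT unexpected-process container=%s image=%s process=%s\n' "$container" "$image" "$process"
            rc=1
        fi
        if [ -n "$dest" ] && ! dest_allowed "$dest"; then
            printf 'ALERT unexpected-destination container=%s image=%s dest=%s\n' "$container" "$image" "$dest"
            rc=1
        fi
    done
    return $rc
}

# count_php_alerts EVENTS: number of ALERT lines the rule raises for the given events.
count_php_alerts() {
    printf '%s\n' "$1" | flag_php_container_events | grep -c '^ALERT' || true
}

# Constructed events: a PHP container spawning curl and connecting to an external
# address (both should fire), plus benign PHP events and a Node.js container (ignored).
SAMPLE_EVENTS='ts=2018-07-20T10:00:01Z image=openwhisk/action-php-v7.2:1.0.0 container=php-a1 event=exec process=php
ts=2018-07-20T10:00:02Z image=openwhisk/action-php-v7.2:1.0.0 container=php-a1 event=exec process=curl
ts=2018-07-20T10:00:03Z image=openwhisk/action-php-v7.2:1.0.0 container=php-a1 event=connect dest=10.0.3.4
ts=2018-07-20T10:00:04Z image=openwhisk/action-php-v7.2:1.0.0 container=php-a1 event=connect dest=198.51.100.7
ts=2018-07-20T10:00:05Z image=openwhisk/action-nodejs-v8:1.0.0 container=node-b2 event=exec process=curl'

printf '%s\n' "$SAMPLE_EVENTS" | flag_php_container_events || echo "review the alerts above"
```

The rule deliberately keys on the image name rather than the fixed tag: a container started from a patched image with a vulnerable user function is still worth watching, and the replaced-function scenario shows up exactly as the second and fourth events do, a new child process or an outbound connection that the action never made before.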
