CVE-2019-11035
📋 TL;DR
This vulnerability in PHP's EXIF extension allows attackers to cause buffer over-reads when processing certain image files. This can lead to information disclosure or application crashes. Affects PHP versions 7.1.x below 7.1.28, 7.2.x below 7.2.17, and 7.3.x below 7.3.4.
💻 Affected Systems
- PHP
📦 What is this software?
Leap by Opensuse
Php by Php
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise; this is unlikely, since the flaw is classified as CWE-125 (out-of-bounds read) rather than an out-of-bounds write.
Likely Case
Information disclosure (memory contents) or denial of service through application crashes.
If Mitigated
Limited impact if proper input validation and memory protections are in place.
🎯 Exploit Status
Exploitation requires uploading or processing malicious image files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 7.1.28, 7.2.17, 7.3.4
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:2519
Restart Required: Yes
Instructions:
1. Update PHP to a patched version using the package manager.
2. Restart the web server (Apache/Nginx).
3. Restart PHP-FPM if applicable.
🔧 Temporary Workarounds
Disable EXIF extension
Disable the vulnerable EXIF extension if it is not required.
Check whether the extension is loaded: php -i | grep exif
Edit php.ini and comment out the extension line: change extension=exif.so to ;extension=exif.so (on builds where EXIF is compiled in statically there is no such line, and the extension cannot be disabled this way).
Restrict image uploads
Implement strict file type validation and size limits for image uploads.
🧯 If You Can't Patch
- Implement WAF rules to block malicious image upload patterns.
- Isolate PHP applications in containers with limited privileges.
🔍 How to Verify
Check if Vulnerable:
Check PHP version and EXIF extension status: php -v && php -m | grep exif
Check Version:
php -v
Verify Fix Applied:
Confirm that the PHP version is at or above the patched release for its branch (7.1.28, 7.2.17 or 7.3.4) and that the EXIF extension is either disabled or updated.
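The verification steps above can be scripted. The following is an added example, not part of this advisory or of PHP: it extracts the upstream version from a php -v banner, classifies it against the fixed releases listed above, checks php -m output for the exif module, and combines the two into a single verdict. The function names and the sample banner are assumptions constructed for the example. Note that Red Hat, Debian and Ubuntu backport fixes without changing the upstream version number, so on distro packages this check is only a first pass; confirm the installed package against the vendor advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): version and module check for CVE-2019-11035.
# Fixed upstream releases per the advisory: 7.1.28, 7.2.17, 7.3.4.

# Extract "major.minor.patch" from a `php -v` banner such as (constructed sample)
# "PHP 7.2.15-0ubuntu0.18.04.1 (cli) (built: Feb  5 2019 07:11:01) ( NTS )".
# Distro suffixes like "-0ubuntu0.18.04.1" are dropped.
php_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify a bare "a.b.c" version string against the fixed releases.
# Prints one of: vulnerable | fixed | unlisted-branch
exif_fix_status() {
    major=${1%%.*}            # "7"
    rest=${1#*.}              # "2.15"
    minor=${rest%%.*}         # "2"
    patch=${rest#*.}          # "15"
    patch=${patch%%[!0-9]*}   # drop any trailing non-numeric junk
    : "${patch:=0}"           # treat a missing patch level as 0
    case "$major.$minor" in
        7.1) fixed=28 ;;
        7.2) fixed=17 ;;
        7.3) fixed=4 ;;
        *)   echo unlisted-branch; return 0 ;;
    esac
    if [ "$patch" -lt "$fixed" ]; then
        echo vulnerable
    else
        echo fixed
    fi
}

# Given the output of `php -m` (one module per line), report whether exif is loaded.
# Prints "yes" or "no".
exif_loaded() {
    if printf '%s\n' "$1" | grep -qx 'exif'; then echo yes; else echo no; fi
}

# Combined verdict: the host needs attention only when a vulnerable version is
# running AND the exif module is loaded (the advisory's workaround disables it).
needs_action() {
    status=$(exif_fix_status "$1")
    loaded=$(exif_loaded "$2")
    if [ "$status" = vulnerable ] && [ "$loaded" = yes ]; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone use on the local host (requires php on PATH): sh check.sh --live
if [ "${1:-}" = "--live" ]; then
    ver=$(php_version_from_banner "$(php -v 2>/dev/null | head -n 1)")
    mods=$(php -m 2>/dev/null)
    echo "php version: ${ver:-unknown}  status: $(exif_fix_status "${ver:-0.0.0}")  exif loaded: $(exif_loaded "$mods")  needs action: $(needs_action "${ver:-0.0.0}" "$mods")"
fi
```

A verdict of "unlisted-branch" means the version is outside 7.1/7.2/7.3 and the advisory gives no fixed release for it; treat that as a prompt to check the vendor's own status rather than as "safe".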
📡 Detection & Monitoring
Log Indicators:
- PHP segmentation fault logs
- Web server error logs showing EXIF processing failures
Network Indicators:
- Unusual image upload patterns to PHP endpoints
SIEM Query:
source="php_error.log" AND ("segmentation fault" OR "exif")
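The SIEM query above is the one-line form of the log indicators. As an added example, not part of this advisory, the following shell functions apply the same indicators to error log text: they count worker crash lines (php-fpm "SIGSEGV" and Apache "exit signal Segmentation fault" messages), count EXIF-related PHP warnings, and raise an alert only when crashes exceed a threshold, since a single worker crash is common noise while repeated crashes alongside EXIF warnings match the pattern described above. The sample log lines are constructed for the example and the threshold is an assumption to tune per site.

```shell
#!/bin/sh
# Added example (not from the advisory): triage error log text for the
# CVE-2019-11035 indicators listed above. On a real host, pass the php-fpm log,
# the Apache error_log, or journald output as the argument instead of SAMPLE_LOG.

# Constructed sample lines in php-fpm and Apache error_log formats (not real data).
SAMPLE_LOG='[12-Apr-2019 10:01:02] WARNING: [pool www] child 2311 exited on signal 11 (SIGSEGV) after 4.201 seconds from start
[12-Apr-2019 10:01:02] NOTICE: [pool www] child 2390 started
[Fri Apr 12 10:01:05.123456 2019] [core:notice] [pid 1200] AH00052: child pid 2311 exit signal Segmentation fault (11)
[12-Apr-2019 10:03:40] WARNING: [pool www] child 2390 exited on signal 11 (SIGSEGV) after 1.002 seconds from start
[12-Apr-2019 10:04:00] PHP Warning:  exif_read_data(upload.jpg): Illegal IFD size in /var/www/html/upload.php on line 42
[12-Apr-2019 10:05:00] NOTICE: ready to handle connections'

# Count lines that indicate a PHP worker crash (case-insensitive).
# `grep -c` exits 1 when the count is 0, so `|| true` keeps the pipeline green.
count_crash_indicators() {
    printf '%s\n' "$1" | grep -ciE 'segmentation fault|SIGSEGV|exit signal 11' || true
}

# Count EXIF-related warnings or notices emitted by the PHP runtime.
count_exif_warnings() {
    printf '%s\n' "$1" | grep -ci 'exif' || true
}

# Alert when crash lines reach the threshold ($2); otherwise report ok.
crash_burst_alert() {
    n=$(count_crash_indicators "$1")
    if [ "$n" -ge "$2" ]; then echo alert; else echo ok; fi
}

# Correlated verdict: crashes at or above the threshold AND at least one EXIF
# warning in the same log window is the combination worth paging on.
exif_crash_correlation() {
    crashes=$(count_crash_indicators "$1")
    exifs=$(count_exif_warnings "$1")
    if [ "$crashes" -ge "$2" ] && [ "$exifs" -ge 1 ]; then
        echo correlated
    else
        echo uncorrelated
    fi
}

# Stand-alone run over the constructed sample.
echo "crash indicators: $(count_crash_indicators "$SAMPLE_LOG")"
echo "exif warnings:    $(count_exif_warnings "$SAMPLE_LOG")"
echo "burst (>=2):      $(crash_burst_alert "$SAMPLE_LOG" 2)"
echo "correlation:      $(exif_crash_correlation "$SAMPLE_LOG" 2)"
```

The crash and EXIF counters are deliberately separate: the SIEM query above ORs the two terms, but for alerting the correlated verdict (repeated crashes plus EXIF warnings in the same window) is far less noisy than either term alone.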
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:3299
- https://bugs.php.net/bug.php?id=77831
- https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
- https://seclists.org/bugtraq/2019/Sep/38
- https://security.netapp.com/advisory/ntap-20190502-0001/
- https://support.f5.com/csp/article/K44590877
- https://usn.ubuntu.com/3953-1/
- https://usn.ubuntu.com/3953-2/
- https://www.debian.org/security/2019/dsa-4529