CVE-2019-11036
📋 TL;DR
This vulnerability in PHP's EXIF extension allows attackers to cause a buffer over-read when processing certain image files. This can lead to information disclosure or application crashes. It affects PHP applications that process EXIF metadata from uploaded images.
💻 Affected Systems
- PHP
📦 What is this software?
- Fedora by Fedoraproject
- Leap by Opensuse
- Php by Php
- Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution through memory corruption leading to complete system compromise.
Likely Case
Information disclosure (memory contents) or denial of service through application crashes.
If Mitigated
Limited impact with proper input validation and memory protections.
🎯 Exploit Status
Exploitation requires crafting malicious image files with specific EXIF data structures.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 7.1.29, 7.2.18, 7.3.5 or later
Vendor Advisory: https://www.php.net/ChangeLog-7.php
Restart Required: Yes
Instructions:
1. Update PHP to a patched version using your package manager.
2. Restart the web server (Apache/Nginx) and PHP-FPM if used.
3. Verify the version with php -v.
🔧 Temporary Workarounds
Disable EXIF extension
Temporarily disable the vulnerable EXIF extension if image metadata processing is not required.
Check whether the extension is loaded: php -i | grep exif
Edit php.ini and change extension=exif.so to ;extension=exif.so
Restart the web server
Input validation for image uploads
Implement strict file type validation and size limits for uploaded images.
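The "Disable EXIF extension" workaround above comes down to commenting out one line in php.ini. The script below is an added example (not part of the advisory and not PHP project code) that applies that edit to a constructed php.ini, handles the quoted and unquoted spellings of the extension line, and re-checks the file afterwards; the file path is a temporary file, and the real php.ini location is whatever `php --ini` reports.

```shell
#!/bin/sh
# Added example, not part of the advisory: apply the "Disable EXIF extension"
# workaround to a php.ini-style file without GNU-specific `sed -i`, and verify
# the result. Paths below are placeholders; `php --ini` shows the real file.

# Pattern for an *active* (uncommented) line loading the exif extension.
# Matches extension=exif.so, extension=exif and quoted variants.
EXIF_LINE='^[[:space:]]*extension[[:space:]]*=[[:space:]]*"?exif(\.so)?"?'

# exif_enabled_in_ini FILE: exit 0 if FILE still has an active exif line.
exif_enabled_in_ini() {
    grep -Eq "$EXIF_LINE" "$1"
}

# disable_exif_in_ini FILE: comment out every active exif line in FILE,
# writing through a temp copy so the command works with both GNU and BSD sed.
# Already-commented lines and unrelated extensions are left untouched.
disable_exif_in_ini() {
    ini="$1"
    tmp="$ini.tmp.$$"
    sed -E 's/^([[:space:]]*)(extension[[:space:]]*=[[:space:]]*"?exif(\.so)?"?)/\1;\2/' "$ini" > "$tmp" \
        && mv "$tmp" "$ini"
}

# write_sample_ini FILE: write a small constructed php.ini for demonstration.
write_sample_ini() {
    cat > "$1" <<'EOF'
; constructed sample, not a real php.ini
extension=gd.so
extension=exif.so
;extension=intl.so
   extension = "exif"
extension=mbstring.so
EOF
}

# Stand-alone demonstration on a temporary file.
demo_ini=$(mktemp)
write_sample_ini "$demo_ini"
if exif_enabled_in_ini "$demo_ini"; then
    echo "exif active in $demo_ini, commenting it out"
    disable_exif_in_ini "$demo_ini"
fi
cat "$demo_ini"
rm -f "$demo_ini"
```

On distributions that load extensions from drop-in files rather than php.ini itself (Debian and Ubuntu use /etc/php/VERSION/mods-available/exif.ini together with phpdismod), point `disable_exif_in_ini` at that file instead or use the distribution tool; either way, confirm with `php -m` after restarting PHP-FPM and the web server.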
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block malicious image uploads
- Isolate PHP applications in containers with limited privileges
🔍 How to Verify
Check if Vulnerable:
Run php -v and check whether the version falls within the affected ranges. Also check whether the EXIF extension is enabled: php -m | grep exif
Check Version:
php -v | head -1
Verify Fix Applied:
After patching, verify that php -v shows the patched version and test with known malicious image samples.
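The version check above is easy to get wrong by hand (7.2.9 sorts after 7.2.18 as a string). The following added example, which is not part of the advisory, parses the first line of `php -v`, compares it numerically against the fixed releases named above (7.1.29, 7.2.18, 7.3.5), and reports whether exif is loaded. The function and variable names are this example's own; the exit-code convention (0 affected, 1 fixed, 2 branch not covered) is an assumption chosen for the script.

```shell
#!/bin/sh
# Added example, not part of the advisory: decide from a `php -v` banner
# whether the running PHP is in a range fixed by 7.1.29, 7.2.18 or 7.3.5
# (the patched versions the advisory names) and whether exif is loaded.

# version_lt A B: exit 0 if dotted version A is older than B.
# Missing components count as 0, so "7.3" < "7.3.5".
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        if [ "$a" = "$ai" ]; then a=""; else a="${a#*.}"; fi
        if [ "$b" = "$bi" ]; then b=""; else b="${b#*.}"; fi
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 0; fi
        if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 1; fi
    done
    return 1
}

# php_version_from_banner LINE: print "major.minor.patch" from the first line
# of `php -v` output, dropping distro suffixes such as "-0ubuntu0.18.10.1".
php_version_from_banner() {
    printf '%s\n' "$1" | sed -E 's/^PHP ([0-9]+(\.[0-9]+)*).*$/\1/'
}

# php_version_vulnerable VERSION: exit 0 if VERSION is in an affected range,
# 1 if it is at or beyond the fix for its branch, 2 if the branch is older
# than any the advisory covers (7.0, 5.x: end-of-life, decide separately).
php_version_vulnerable() {
    case "$1" in
        7.1|7.1.*) version_lt "$1" 7.1.29 ;;
        7.2|7.2.*) version_lt "$1" 7.2.18 ;;
        7.3|7.3.*) version_lt "$1" 7.3.5 ;;
        *)
            # Branches released after the fix (7.4+, 8.x) carry it; anything
            # older than 7.1 is not in the advisory's fix list.
            if version_lt "$1" 7.1; then return 2; else return 1; fi ;;
    esac
}

# Stand-alone check of the local interpreter, if one is installed.
if command -v php >/dev/null 2>&1; then
    banner=$(php -v 2>/dev/null | head -n 1)
    ver=$(php_version_from_banner "$banner")
    rc=0; php_version_vulnerable "$ver" || rc=$?
    case $rc in
        0) echo "PHP $ver: in an affected range, update required" ;;
        1) echo "PHP $ver: at or past the fixed release for its branch" ;;
        *) echo "PHP $ver: branch not covered by this advisory's fix list" ;;
    esac
    if php -m 2>/dev/null | grep -qi '^exif$'; then
        echo "exif extension is loaded"
    else
        echo "exif extension is not loaded"
    fi
else
    echo "php not found on PATH; call php_version_vulnerable with a version string"
fi
```

A version-only check is a first pass, not proof: distribution packages frequently backport the fix without moving to the upstream version number (the USN, DSA and RHSA entries in the references are exactly that case), so on packaged PHP confirm against the package changelog (`apt changelog`, `rpm -q --changelog`) rather than treating an "affected" result from this script as final.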
📡 Detection & Monitoring
Log Indicators:
- PHP segmentation fault errors
- Memory allocation errors in PHP logs
- Large number of image upload failures
Network Indicators:
- Unusual image upload patterns
- Multiple failed upload attempts with crafted files
SIEM Query:
source="php_error.log" AND ("segmentation fault" OR "buffer over-read" OR "exif_process_IFD_TAG")
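The SIEM query above is a starting point, but PHP-FPM and Apache do not write the literal words "segmentation fault" in the same form: PHP-FPM logs "child N exited on signal 11 (SIGSEGV)" and Apache logs an AH00052 "exit signal Segmentation fault (11)" notice. The script below is an added example, not part of the advisory, that runs the page's indicators plus those crash forms over a constructed log file and separates worker crashes from EXIF parsing and memory-exhaustion warnings; all sample log lines are made up for this example.

```shell
#!/bin/sh
# Added example, not part of the advisory: run the log indicators above over
# PHP-FPM / Apache error log lines. The pattern set extends the SIEM query
# with the forms a crash actually takes in those logs (PHP-FPM's
# "exited on signal 11 (SIGSEGV)", Apache's AH00052 "exit signal
# Segmentation fault") plus exif_* warnings and memory exhaustion.
# Every sample log line is constructed for this example.

# Lines indicating a worker crash (the "PHP segmentation fault" indicator).
CRASH_PAT='segmentation fault|SIGSEGV|signal 11|buffer over-read|exif_process_IFD_TAG'
# Lines indicating EXIF parsing trouble or a memory allocation failure.
ERROR_PAT='exif_read_data|exif_thumbnail|Allowed memory size|Out of memory'

# count_matches PATTERN FILE: print the number of lines matching PATTERN
# (case-insensitive); prints 0 rather than failing when nothing matches.
count_matches() {
    n=$(grep -Eic "$1" "$2") || true
    printf '%s\n' "${n:-0}"
}

count_crash_indicators() { count_matches "$CRASH_PAT" "$1"; }
count_error_indicators() { count_matches "$ERROR_PAT" "$1"; }

# show_indicators FILE: print the matching lines so an analyst can pivot on
# timestamp and worker pid (the crash and the preceding exif warning share
# pid 4242 in the sample below).
show_indicators() {
    grep -Ei "$CRASH_PAT|$ERROR_PAT" "$1" || true
}

# write_sample_log FILE: constructed PHP-FPM and Apache error log lines.
write_sample_log() {
    cat > "$1" <<'EOF'
[28-May-2019 10:01:20] NOTICE: [pool www] child 4242 started
[28-May-2019 10:01:22] PHP Warning:  exif_read_data(IMG_0042.jpg): Illegal IFD size in /var/www/app/upload.php on line 57
[28-May-2019 10:01:23] WARNING: [pool www] child 4242 exited on signal 11 (SIGSEGV) after 1.8 seconds from start
[Tue May 28 10:01:23.512 2019] [core:notice] [pid 1000] AH00052: child pid 4242 exit signal Segmentation fault (11)
[28-May-2019 10:02:01] PHP Fatal error:  Allowed memory size of 134217728 bytes exhausted (tried to allocate 4294967296 bytes) in /var/www/app/upload.php on line 57
[28-May-2019 10:05:00] NOTICE: [pool www] child 4243 started
EOF
}

# Stand-alone run over the constructed sample.
log=$(mktemp)
write_sample_log "$log"
echo "crash indicators: $(count_crash_indicators "$log")"
echo "exif/memory indicators: $(count_error_indicators "$log")"
show_indicators "$log"
rm -f "$log"
```

A single crash line is weak evidence on its own; the useful signal for this bug is an exif_* warning or memory-exhaustion error followed within seconds by a crash of the same worker pid after an image upload, so correlate on pid and timestamp rather than alerting on the count alone. The "large number of image upload failures" indicator lives in application logs and is out of scope for this script.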
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00010.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00012.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- http://www.securityfocus.com/bid/108177
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:3299
- https://bugs.php.net/bug.php?id=77950
- https://lists.debian.org/debian-lts-announce/2019/05/msg00035.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NFXYNCXZCPYT7ZN4ZLI5EPQQW44FRRO/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3BY2XUUAN277LS7HKAOGL4DVGAELOJV3/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WN2HLPGEZEF4MFM5YC5FILZB5QEQFP3A/
- https://seclists.org/bugtraq/2019/Sep/35
- https://seclists.org/bugtraq/2019/Sep/38
- https://security.netapp.com/advisory/ntap-20190517-0003/
- https://usn.ubuntu.com/3566-2/
- https://usn.ubuntu.com/4009-1/
- https://www.debian.org/security/2019/dsa-4527
- https://www.debian.org/security/2019/dsa-4529