CVE-2019-19204

7.5 HIGH

📋 TL;DR

CVE-2019-19204 is a heap-based buffer over-read vulnerability in Oniguruma regular expression library versions 6.x before 6.9.4_rc2. This vulnerability allows attackers to read memory beyond allocated buffers, potentially leading to information disclosure or application crashes. Any software using vulnerable Oniguruma versions is affected, including various programming language implementations and text processing tools.

💻 Affected Systems

Products:
  • Oniguruma library
  • Ruby (via Oniguruma)
  • PHP (via mbstring extension)
  • Other software embedding Oniguruma
Versions: Oniguruma 6.x versions before 6.9.4_rc2
Operating Systems: Linux, Unix-like systems, Windows (if using affected library)
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability triggers when a specially crafted regular expression is compiled or matched. An application is affected only if it passes such patterns to the vulnerable Oniguruma library functions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution through memory corruption leading to complete system compromise, though this requires specific memory layout conditions.

🟠 Likely Case: Application crashes (denial of service) or information disclosure through leaked heap memory.

🟢 If Mitigated: Limited impact with proper memory protection mechanisms like ASLR and DEP, though crashes may still occur.

🌐 Internet-Facing: MEDIUM - Many internet-facing applications use regular expression processing, but exploitation requires specific conditions.
🏢 Internal Only: LOW - Primarily affects applications processing untrusted regular expressions, less common in internal-only systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Proof-of-concept code is publicly available. Exploitation requires crafting specific regular expressions to trigger the buffer over-read.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Oniguruma 6.9.4_rc2 and later

Vendor Advisory: https://github.com/kkos/oniguruma/releases/tag/v6.9.4_rc2

Restart Required: Yes

Instructions:

1. Update Oniguruma to version 6.9.4_rc2 or later.
2. Rebuild any applications linked against Oniguruma.
3. Restart affected services.
4. For packaged distributions, use system package manager updates.

🔧 Temporary Workarounds

  • Input Validation (applies to: all): Validate and sanitize regular expression inputs to prevent malicious patterns.
  • Library Replacement (applies to: all): Temporarily replace Oniguruma with an alternative regex library where possible.

🧯 If You Can't Patch

  • Implement strict input validation for regular expressions
  • Use application-level firewalls to filter malicious patterns
  • Isolate affected systems from untrusted networks
  • Monitor for crash logs and memory access violations

🔍 How to Verify

Check if Vulnerable:

Check the Oniguruma version with `onig-config --version`, or inspect the installed library files. For Ruby: `ruby -e 'require "oniguruma"; puts Oniguruma::VERSION'`

Check Version:

onig-config --version 2>/dev/null || grep -r "oniguruma" /usr/lib/*.so* /usr/local/lib/*.so* 2>/dev/null | head -5

Verify Fix Applied:

Verify version is 6.9.4_rc2 or later. Test with known malicious regex patterns to ensure no crashes.
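As an added example (not part of this advisory), the POSIX shell check below classifies an Oniguruma version string against the 6.9.4_rc2 fix boundary and queries the installed library through `onig-config`. The function names are my own; the only assumption is that `onig-config --version` prints the bare version string, as the script shipped with Oniguruma does.

```shell
# Added example (not from the advisory): classify an Oniguruma version string
# against the CVE-2019-19204 fix boundary, 6.9.4_rc2. Function names are mine.
# onig_vulnerable VERSION -> exit 0 if 6.x before 6.9.4_rc2, 1 if not affected, 2 if unparsable
onig_vulnerable() {
    v="$1"
    base="${v%%_*}"                                            # numeric part, e.g. 6.9.4
    case "$v" in *_*) suffix="${v#*_}" ;; *) suffix="" ;; esac  # e.g. rc2, or empty
    case "$base" in ''|*[!0-9.]*) return 2 ;; esac             # not a dotted version number
    major="${base%%.*}"
    case "$base" in *.*) rest="${base#*.}" ;; *) rest=0 ;; esac
    minor="${rest%%.*}"
    case "$rest" in *.*) patch="${rest#*.}" ;; *) patch=0 ;; esac
    patch="${patch%%.*}"
    for n in "$major" "$minor" "$patch"; do
        case "$n" in ''|*[!0-9]*) return 2 ;; esac
    done
    [ "$major" -eq 6 ] || return 1                             # only the 6.x series is in scope
    [ "$minor" -lt 9 ] && return 0
    [ "$minor" -gt 9 ] && return 1
    [ "$patch" -lt 4 ] && return 0
    [ "$patch" -gt 4 ] && return 1
    # Exactly 6.9.4: the final release is fixed and only rc1 predates the fix.
    # A plain string comparison gets this wrong ("6.9.4" sorts before "6.9.4_rc2").
    case "$suffix" in
        '') return 1 ;;
        rc*) rcn="${suffix#rc}"
             case "$rcn" in ''|*[!0-9]*) return 2 ;; esac
             [ "$rcn" -lt 2 ] && return 0
             return 1 ;;
        *) return 2 ;;
    esac
}

# onig_status VERSION -> prints vulnerable | not-vulnerable | unknown
onig_status() {
    st=0
    onig_vulnerable "$1" || st=$?
    case "$st" in 0) echo vulnerable ;; 1) echo not-vulnerable ;; *) echo unknown ;; esac
}

# Query the library actually installed; onig-config ships with Oniguruma.
check_installed_oniguruma() {
    v="$(onig-config --version 2>/dev/null)" || { echo "onig-config not found; inspect library files instead"; return 2; }
    echo "Oniguruma $v: $(onig_status "$v")"
}
```

Run `check_installed_oniguruma` on each host; a `not-vulnerable` result for a 6.9.4 pre-release still needs the rc number, which is why the suffix is parsed rather than ignored.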

📡 Detection & Monitoring

Log Indicators:

  • Application crashes with segmentation faults
  • Memory access violation errors
  • Unexpected process termination

Network Indicators:

  • Unusual patterns of regex processing requests
  • Repeated connection attempts to regex-processing endpoints

SIEM Query:

process.name:("ruby" OR "php") AND event.action:("segmentation fault" OR "memory violation")
