CVE-2019-9020
📋 TL;DR
This vulnerability in PHP's xmlrpc_decode() function allows attackers to trigger invalid memory access (heap out-of-bounds read or read-after-free) by providing malicious input. This can potentially lead to information disclosure, denial of service, or remote code execution. Affects PHP applications using the XML-RPC extension across multiple PHP versions.
💻 Affected Systems
- PHP
📦 What is this software?
Leap by Opensuse
Php by Php
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Denial of service causing application crashes or information disclosure through memory leaks.
If Mitigated
Limited impact with proper input validation and memory protection mechanisms in place.
🎯 Exploit Status
Exploitation requires sending specially crafted XML-RPC requests to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PHP 5.6.40, 7.1.26, 7.2.14, 7.3.1
Vendor Advisory: https://www.php.net/ChangeLog-7.php#7.3.1
Restart Required: Yes
Instructions:
1. Identify the PHP version (php -v).
2. Update PHP with your package manager (apt-get update && apt-get upgrade php for Debian/Ubuntu, yum update php for RHEL/CentOS).
3. Restart the web server (systemctl restart apache2 or systemctl restart nginx).
4. Verify the update with php -v.
🔧 Temporary Workarounds
Disable XML-RPC Extension
Remove or disable the XML-RPC extension if it is not required:
php -m | grep xmlrpc
comment out 'extension=xmlrpc.so' in php.ini
restart web server
Input Validation Filter
Implement strict input validation for XML-RPC endpoints.
🧯 If You Can't Patch
- Implement WAF rules to block malicious XML-RPC requests
- Isolate vulnerable systems behind network segmentation
🔍 How to Verify
Check if Vulnerable:
Check PHP version with 'php -v' and compare against affected versions. Check if XML-RPC extension is loaded with 'php -m | grep xmlrpc'.
Check Version:
php -v | head -1
Verify Fix Applied:
Confirm PHP version is updated to patched version with 'php -v'. Test XML-RPC functionality with valid requests.
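The version and module checks above, as an added POSIX shell example (not from the advisory or the PHP project): it parses the first line of php -v, compares the upstream version per branch against the fixed releases 5.6.40, 7.1.26, 7.2.14 and 7.3.1, and checks php -m for the xmlrpc module. It assumes distro suffixes such as -1ubuntu1 can be stripped; since distributions backport fixes without bumping the upstream version, a "vulnerable" result still has to be confirmed against the USN/DSA/RHSA for the installed package.

```shell
#!/bin/sh
# Added example (not from the advisory or PHP): check a PHP build against the
# CVE-2019-9020 fixed releases 5.6.40, 7.1.26, 7.2.14, 7.3.1 listed above.

# fixed_release MAJOR MINOR -> prints the first patched release of that branch;
# returns 1 when the branch is not one the advisory lists.
fixed_release() {
  case "$1.$2" in
    5.6) echo 40 ;;
    7.1) echo 26 ;;
    7.2) echo 14 ;;
    7.3) echo 1 ;;
    *)   return 1 ;;
  esac
}

# vuln_status VERSION -> "vulnerable" | "patched" | "not-listed".
# Distro suffixes (7.2.13-1ubuntu1) are stripped: distros backport fixes without
# bumping the upstream version, so "vulnerable" means "upstream version predates
# the fix" and the USN/DSA/RHSA for the package is the final word.
vuln_status() {
  ver=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  set -- $(printf '%s' "$ver" | tr '.' ' ')   # split into major minor patch
  patch=${3:-0}
  fixed=$(fixed_release "$1" "$2") || { echo not-listed; return 0; }
  if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# version_from_php_v LINE -> the version number in the first line of `php -v`.
version_from_php_v() {
  printf '%s\n' "$1" | sed -n 's/^PHP \([0-9][0-9.]*\).*/\1/p'
}

# xmlrpc_loaded MODULES -> success if the `php -m` output lists xmlrpc.
xmlrpc_loaded() {
  printf '%s\n' "$1" | grep -qx 'xmlrpc'
}

# Stand-alone run: use the local php if present, otherwise a constructed sample.
if command -v php >/dev/null 2>&1; then
  php_v_line=$(php -v | head -n 1)
  modules=$(php -m)
else
  php_v_line='PHP 7.2.13 (cli) (built: Jan  1 2019 00:00:00) ( NTS )'  # constructed
  modules=$(printf 'Core\nxmlrpc\nzlib')                              # constructed
fi
v=$(version_from_php_v "$php_v_line")
if xmlrpc_loaded "$modules"; then ext=loaded; else ext='not loaded'; fi
echo "PHP $v: $(vuln_status "$v") (xmlrpc extension $ext)"
```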
📡 Detection & Monitoring
Log Indicators:
- Multiple failed XML-RPC requests
- Application crashes in PHP error logs
- Unusual memory usage patterns
Network Indicators:
- Malformed XML-RPC POST requests to /xmlrpc.php endpoints
- Unusual traffic to XML-RPC services
SIEM Query:
source="php_error.log" AND ("xmlrpc" OR "heap" OR "memory")
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00083.html
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00104.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00041.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00044.html
- http://www.securityfocus.com/bid/107156
- https://access.redhat.com/errata/RHSA-2019:2519
- https://access.redhat.com/errata/RHSA-2019:3299
- https://bugs.php.net/bug.php?id=77242
- https://bugs.php.net/bug.php?id=77249
- https://security.netapp.com/advisory/ntap-20190321-0001/
- https://usn.ubuntu.com/3902-1/
- https://usn.ubuntu.com/3902-2/
- https://www.debian.org/security/2019/dsa-4398