CVE-2016-9138

PHP through 5.6.27 and 7.x through 7.0.12 mishandles property modification during __wakeup processing, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via crafted serialized data, as demonstrated by Exception::__toString with DateInterval::__wakeup.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
php5	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	19.10 eoan	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Not in release
	16.10 yakkety	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Vulnerable, fix deferred
	12.04 LTS precise	Ignored
php7.0	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	19.10 eoan	Not in release
	19.04 disco	Not in release
	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	17.10 artful	Not in release
	17.04 zesty	Ignored
	16.10 yakkety	Ignored
	16.04 LTS xenial	Vulnerable, fix deferred
	14.04 LTS trusty	Not in release
	12.04 LTS precise	Not in release
php7.2	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	21.04 hirsute	Not in release
	20.10 groovy	Not in release
	20.04 LTS focal	Not in release
	19.10 eoan	Not in release
	19.04 disco	Ignored
	18.10 cosmic	Ignored
	18.04 LTS bionic	Vulnerable, fix deferred
	17.10 artful	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
php7.4	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Not in release
	20.04 LTS focal	Vulnerable, fix deferred
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
php8.0	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Not in release
	22.10 kinetic	Not in release
	22.04 LTS jammy	Not in release
	21.10 impish	Ignored
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release
php8.1	24.04 LTS noble	Not in release
	23.10 mantic	Not in release
	23.04 lunar	Ignored
	22.10 kinetic	Ignored
	22.04 LTS jammy	Vulnerable, fix deferred
	21.10 impish	Not in release
	20.04 LTS focal	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

mdeslaur

should not unserialize untrusted data CVE-2016-9137 was for the ext/curl/curl_file.c vulnerability that was fixed in the same bug. This CVE is for the remaining security problem associated with __wakeup, which, as far as I can tell is still unfixed as of 2020-06-23

rodrigo-zaiden

As of 2022-02-04, there is still no upstream fix. PHP Bug 73147 is mainly for CVE-2016-9137 and does not have information for a new bug for CVE-2016-9138. Suse has an indication that it might have been fixed along with CVE-2016-7479 patch, but this is not perfectly clear.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
php5	Upstream: 0e6fe3a

Severity score breakdown

Parameter	Value
Base score	9.8 · Critical
Attack vector	Network
Attack complexity	Low
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	High
Availability impact	High
Vector	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Cvss 3 Severity Score