Bug 1222857 (CVE-2024-2756)

Summary: VUL-0: CVE-2024-2756: php5,php53,php7,php72,php74,php8: php: host/secure cookie bypass due to partial fix
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/401687/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-2756:6.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description SMASH SMASH 2024-04-15 15:55:20 UTC
Due to an incomplete fix to CVE-2022-31629, network and same-site attackers can set a standard insecure cookie in the victim's browser which is treated as a __Host- or __Secure- cookie by PHP applications.

The vulnerability is identical to one previously described in https://bugs.php.net/bug.php?id=81727. Unfortunately, since CVE-2022-31629 got only partially fixed in PHP >8.1.11, cookies starting with _[Host- are parsed by PHP applications as __Host-.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-2756
https://seclists.org/oss-sec/2024/q2/113
https://github.com/php/php-src/security/advisories/GHSA-pc52-254m-w9w7
https://github.com/php/php-src/security/advisories/GHSA-h746-cjrr-wfmr
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
https://bugzilla.redhat.com/show_bug.cgi?id=2275058
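An application-side workaround for builds that still carry the partial fix, added here as an example (not code from php-src, the advisory, or the SUSE packages): instead of trusting `$_COOKIE`, the prefixed cookie is looked up byte-for-byte in the raw `Cookie` header, so a name that only turns into `__Host-...` after PHP's variable-name mangling or percent-decoding never matches. It assumes an SAPI that populates `$_SERVER['HTTP_COOKIE']`; the function names and the sample headers are constructed for the example.

```php
<?php
// Added example, not code from the PHP project or the advisory.
// Workaround for CVE-2024-2756: read __Host-/__Secure- cookies directly from
// the raw Cookie header, matching the name exactly as the browser sent it.

/** Parse the raw header into name => value pairs without any name mangling. */
function parse_raw_cookie_header($header)
{
    $pairs = array();
    foreach (explode(';', $header) as $chunk) {
        $chunk = trim($chunk, " \t");
        if ($chunk === '') {
            continue;
        }
        $eq    = strpos($chunk, '=');
        $name  = $eq === false ? $chunk : substr($chunk, 0, $eq);
        $value = $eq === false ? '' : substr($chunk, $eq + 1);
        // First occurrence wins; later duplicates of the same raw name are ignored.
        if (!array_key_exists($name, $pairs)) {
            $pairs[$name] = urldecode($value); // values, not names, are decoded
        }
    }
    return $pairs;
}

/** Value of a prefixed cookie, or null if no cookie with exactly that name was sent. */
function prefixed_cookie($name, $rawHeader)
{
    if (strncmp($name, '__Host-', 7) !== 0 && strncmp($name, '__Secure-', 9) !== 0) {
        throw new InvalidArgumentException('only __Host-/__Secure- names are handled here');
    }
    $pairs = parse_raw_cookie_header($rawHeader);
    return array_key_exists($name, $pairs) ? $pairs[$name] : null;
}

// Self-check on constructed headers: a name that only becomes __Host-session after
// mangling must not match, while the genuine cookie must still be found.
if (prefixed_cookie('__Host-session', '_[Host-session=injected; other=1') !== null
    || prefixed_cookie('__Host-session', '__Host-session=abc123; _[Host-session=injected') !== 'abc123') {
    throw new RuntimeException('prefixed_cookie self-check failed');
}

// Application use: replace $_COOKIE['__Host-session'] with this lookup.
$rawHeader = isset($_SERVER['HTTP_COOKIE']) ? $_SERVER['HTTP_COOKIE'] : '';
$sessionId = prefixed_cookie('__Host-session', $rawHeader);
```

Because the comparison is on the undecoded raw name, a genuine prefixed cookie whose name contains characters PHP would mangle (a dot or a space) must be looked up under its original spelling, not under its `$_COOKIE` key.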
Comment 1 Petr Gajdos 2024-04-16 08:33:43 UTC
Advisory related to this CVE:
https://github.com/php/php-src/security/advisories/GHSA-wpj3-hf5j-x4v4
Comment 3 Petr Gajdos 2024-04-16 14:08:36 UTC
Test succeeded even BEFORE.
Comment 4 Marcus Meissner 2024-04-16 14:36:20 UTC
it might have been fully fixed in 8.0 and older already, the advisory only mentions 8.1 as half fixed?
Comment 5 Petr Gajdos 2024-04-16 14:56:05 UTC
(In reply to Marcus Meissner from comment #4)
> it might have been fully fixed in 8.0 and older already, the advisory only
> mentions 8.1 as half fixed?

It seems that the code needs the patch, will check further.
Comment 6 Petr Gajdos 2024-04-19 08:55:12 UTC
Submitted for: 
b15sp1/php81 (a version update)
15sp4/php8,php7, 15sp2/php7, 12/php74.
Comment 7 OBSbugzilla Bot 2024-04-19 09:15:05 UTC
This is an autogenerated message for OBS integration:
This bug (1222857) was mentioned in
https://build.opensuse.org/request/show/1169082 Backports:SLE-15-SP5 / php81
Comment 9 Maintenance Automation 2024-04-26 08:30:03 UTC
SUSE-SU-2024:1446-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33460](https://smelt.suse.de/incident/33460/)
Sources used:
openSUSE Leap 15.4 (src):
 php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
openSUSE Leap 15.5 (src):
 php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1
Web and Scripting Module 15-SP5 (src):
 php8-8.0.30-150400.4.40.1, php8-fastcgi-8.0.30-150400.4.40.1, php8-test-8.0.30-150400.4.40.1, apache2-mod_php8-8.0.30-150400.4.40.1, php8-embed-8.0.30-150400.4.40.1, php8-fpm-8.0.30-150400.4.40.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-04-26 08:30:09 UTC
SUSE-SU-2024:1445-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33462](https://smelt.suse.de/incident/33462/)
Sources used:
Web and Scripting Module 12 (src):
 php74-7.4.33-1.65.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src):
 php74-7.4.33-1.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2024-04-26 08:30:13 UTC
SUSE-SU-2024:1444-1: An update that solves two vulnerabilities can now be installed.

Category: security (moderate)
Bug References: 1222857, 1222858
CVE References: CVE-2024-2756, CVE-2024-3096
Maintenance Incident: [SUSE:Maintenance:33461](https://smelt.suse.de/incident/33461/)
Sources used:
openSUSE Leap 15.4 (src):
 php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
openSUSE Leap 15.5 (src):
 php7-7.4.33-150400.4.34.1, php7-embed-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-test-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
Legacy Module 15-SP5 (src):
 php7-7.4.33-150400.4.34.1, php7-fpm-7.4.33-150400.4.34.1, apache2-mod_php7-7.4.33-150400.4.34.1, php7-fastcgi-7.4.33-150400.4.34.1
SUSE Package Hub 15 15-SP5 (src):
 php7-embed-7.4.33-150400.4.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Marcus Meissner 2024-05-02 13:04:57 UTC
openSUSE-SU-2024:0115-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1222857,1222858
CVE References: CVE-2022-31629,CVE-2024-2756,CVE-2024-3096
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):
 apache2-mod_php81-8.1.28-bp155.8.1, php81-8.1.28-bp155.8.1, php81-embed-8.1.28-bp155.8.1, php81-fastcgi-8.1.28-bp155.8.1, php81-fpm-8.1.28-bp155.8.1, php81-test-8.1.28-bp155.8.3
Comment 13 Petr Gajdos 2024-05-13 10:32:03 UTC
Submitted for ALP:
https://build.suse.de/request/show/329903
Submitted for SFFO:
https://build.suse.de/request/show/329904
Comment 14 Petr Gajdos 2024-05-22 10:41:29 UTC
(In reply to Petr Gajdos from comment #13)
> Submitted for ALP:
> https://build.suse.de/request/show/329903

Reopened.
Comment 15 OBSbugzilla Bot 2024-06-11 12:05:01 UTC
This is an autogenerated message for OBS integration:
This bug (1222857) was mentioned in
https://build.opensuse.org/request/show/1180000 Factory / php8
Comment 17 Maintenance Automation 2024-06-17 08:30:23 UTC
SUSE-SU-2024:2037-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1222857, 1222858, 1226073
CVE References: CVE-2024-2756, CVE-2024-3096, CVE-2024-5458
Maintenance Incident: [SUSE:Maintenance:33467](https://smelt.suse.de/incident/33467/)
Sources used:
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src):
 php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src):
 php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src):
 php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src):
 php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src):
 php7-7.4.33-150200.3.65.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src):
 php7-7.4.33-150200.3.65.1
SUSE Enterprise Storage 7.1 (src):
 php7-7.4.33-150200.3.65.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.