Zend Framework HTTP Response Splitting Vulnerability Fixed by 2.3.8 and 2.4.1


Description   An HTTP Response Splitting vulnerability has been identified in Zend Framework.
A remote attacker could exploit it by injecting a specific CRLF sequence in an HTTP stream.
This vulnerability stems from improper filtering by the 'vardump()' function.
This vulnerability, exploitable via the HTTP and mail headers, impacts the following components:
- Zend\Mail
- Zend\Http
- Zend\Mvc.
The zendframework packages provided by Debian Squeeze 6, Wheezy 7 and Jessie 8 are vulnerable.
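
The check this class of bug lacks, as an added example (not Zend Framework code; the function names and sample values are constructed for illustration): a header builder that refuses CR, LF and NUL in a value, so one header field can never turn into several.

```php
<?php
// Added illustration, not Zend Framework code. All names here are hypothetical.

/** True only if $value cannot end the header line early (no CR, LF or NUL). */
function isSafeHeaderValue(string $value): bool
{
    return preg_match('/[\r\n\x00]/', $value) !== 1;
}

/** True only if $name is made of RFC 7230 "token" characters. */
function isSafeHeaderName(string $name): bool
{
    return preg_match('/^[!#$%&\'*+\-.^_`|~0-9A-Za-z]+$/', $name) === 1;
}

/** Build one "Name: value\r\n" line, or throw instead of emitting a split header. */
function buildHeaderLine(string $name, string $value): string
{
    if (!isSafeHeaderName($name) || !isSafeHeaderValue($value)) {
        throw new InvalidArgumentException('Header contains forbidden characters');
    }
    return $name . ': ' . $value . "\r\n";
}

// Constructed sample values for a Location header.
$samples = [
    'plain'   => '/account/overview',
    'encoded' => '/next?x=' . rawurlencode("a\r\nb"), // percent-encoded CRLF stays on one line
    'raw'     => "/next\r\nX-Injected: 1",            // raw CRLF would start a second header
];

foreach ($samples as $label => $value) {
    try {
        $line = buildHeaderLine('Location', $value);
        printf("%-8s accepted, %d header line(s)\n", $label, substr_count($line, "\r\n"));
    } catch (InvalidArgumentException $e) {
        // Show what naive concatenation would have produced for the rejected value.
        $unfiltered = 'Location: ' . $value . "\r\n";
        printf("%-8s rejected; unfiltered it would emit %d header lines\n",
            $label, substr_count($unfiltered, "\r\n"));
    }
}
```

The same validation applies to mail headers such as Subject or To, since they use the same line-oriented "Name: value" framing.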
     
Vulnerable Products   Vulnerable OS:
Fedora (Red Hat) - 20, 21, 22
GNU/Linux (Debian) - 6, 7, 8
Vulnerable Software:
Framework (Zend) - 1.12.0, 1.12.1, 1.12.10, 1.12.11, 1.12.2, ..., 2.3.4, 2.3.5, 2.3.6, 2.3.7, 2.4.0
     
Solution   Following a regression, new fixed zendframework packages for Debian Squeeze 6 are available in the LTS section.
     
CVE   CVE-2015-3154
     
References   - ZF2015-04: Potential CRLF injection attacks in mail and HTTP headers
http://framework.zend.com/security/advisory/ZF2015-04
- DebianSecurityTracker : zendframework
https://security-tracker.debian.org/tracker/CVE-2015-3154
- FEDORA-2015-7887 : Fedora 20 Update: php-ZendFramework2-2.3.8-1.fc20
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158248.html
- FEDORA-2015-7687 : Fedora 21 Update: php-ZendFramework2-2.3.8-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/158262.html
- DSA 3265-1 : zendframework security update
https://lists.debian.org/debian-security-announce/2015/msg00155.html
- DSA 3265-2 : zendframework regression update
http://lists.debian.org/debian-security-announce/debian-security-announce-2015/msg00164.html
- FEDORA-2015-8704 : Fedora 22 Update: php-ZendFramework-1.12.13-1.fc22
http://lists.fedoraproject.org/pipermail/package-announce/2015-May/159172.html
- FEDORA-2015-8710 : Fedora 21 Update: php-ZendFramework-1.12.13-1.fc21
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159292.html
- FEDORA-2015-8714 : Fedora 20 Update: php-ZendFramework-1.12.13-1.fc20
http://lists.fedoraproject.org/pipermail/package-announce/2015-June/159287.html
- DLA 251-1 : zendframework security update
https://lists.debian.org/debian-lts-announce/2015/06/msg00017.html
- DLA 251-2 : zendframework regression update
https://lists.debian.org/debian-lts-announce/2015/06/msg00019.html
     
Vulnerability Manager Detection   No
     
IPS Protection
ASQ Engine alarm | Available Since
HTTP Request Smuggling : HTTP command found in header | 3.2.0
HTTP Request Smuggling : Content-Length and Transfer-Encoding: chunked fields in header | 3.2.0
HTTP Request Smuggling : suspicious syntax using HTTP keyword | 3.2.0
HTTP Request Smuggling : multiple Content-Length fields | 3.2.0
     


 
 
 
 
 Risk level 
Low 

 Vulnerability First Public Report Date 
2015-05-08 

 Target Type 
Server 

 Possible exploit 
Remote