Bug 1059520 (CVE-2014-8684) - VUL-0: CVE-2014-8684: kohana: Timing attack and PHP object injection
Summary: VUL-0: CVE-2014-8684: kohana: Timing attack and PHP object injection
Status: RESOLVED WORKSFORME
Alias: CVE-2014-8684
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE Factory
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Lars Vogdt
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-09-20 11:56 UTC by Alexander Bergmann
Modified: 2019-06-07 15:48 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Alexander Bergmann 2017-09-20 11:56:42 UTC
rh#1493506 / CVE-2014-8684

CodeIgniter before 3.0 and Kohana 3.2.3 and earlier and 3.3.x through 3.3.2 make
it easier for remote attackers to spoof session cookies and consequently conduct
PHP object injection attacks by leveraging use of standard string comparison
operators to compare cryptographic hashes.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1493506
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8684
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8684
https://scott.arciszewski.me/research/full/php-framework-timing-attacks-object-injection
https://github.com/kohana/core/pull/492
http://seclists.org/fulldisclosure/2014/May/54
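The pattern the advisory describes, shown as an added example (this is not Kohana's or CodeIgniter's own code, and the cookie format, secret key and payload are constructed for illustration): a signed session cookie is checked once with a standard comparison operator and once with a constant-time comparison, and the payload is only deserialized after the MAC has been verified.

```php
<?php
// Added example, not code from the advisory or from Kohana/CodeIgniter.
// Cookie layout (constructed): base64(payload) . '~' . hex(HMAC-SHA256(payload))

const SECRET_KEY = 'constructed-example-key-do-not-use'; // assumption: per-site secret

function signCookie(string $payload, string $key): string
{
    $mac = hash_hmac('sha256', $payload, $key);
    return base64_encode($payload) . '~' . $mac;
}

// Vulnerable pattern from the advisory: the hash is compared with a standard
// string comparison operator. `==` stops at the first differing byte, so the
// time it takes leaks how many leading characters of a supplied MAC are
// correct; `==` also applies PHP type juggling to numeric-looking strings.
function verifyCookieVulnerable(string $cookie, string $key): ?string
{
    [$b64, $mac] = array_pad(explode('~', $cookie, 2), 2, '');
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    if (hash_hmac('sha256', $payload, $key) == $mac) {   // timing-dependent compare
        return $payload;
    }
    return null;
}

// Hardened form: hash_equals() (PHP >= 5.6) compares the full length of both
// strings regardless of where they differ, and never type-juggles.
function verifyCookieSafe(string $cookie, string $key): ?string
{
    [$b64, $mac] = array_pad(explode('~', $cookie, 2), 2, '');
    $payload = base64_decode($b64, true);
    if ($payload === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $payload, $key);
    if (hash_equals($expected, $mac)) {
        return $payload;
    }
    return null;
}

// unserialize() on unverified, user-controlled bytes is the object-injection
// sink. Verify the MAC first, and prefer a data-only format such as JSON,
// which cannot instantiate arbitrary classes the way unserialize() can.
function loadSession(string $cookie, string $key): ?array
{
    $payload = verifyCookieSafe($cookie, $key);
    if ($payload === null) {
        return null;
    }
    $data = json_decode($payload, true);
    return is_array($data) ? $data : null;
}

// Demonstration with constructed values.
$cookie = signCookie(json_encode(['user_id' => 42]), SECRET_KEY);
var_dump(loadSession($cookie, SECRET_KEY));

// A forged payload with a wrong MAC is rejected by the constant-time check.
$tampered = base64_encode(json_encode(['user_id' => 1])) . '~' . str_repeat('0', 64);
var_dump(loadSession($tampered, SECRET_KEY));
```

The difference between the two verify functions is a single comparison, which is why the fix referenced above (kohana/core pull 492) is small; the object-injection half of the advisory disappears once nothing attacker-controlled reaches unserialize() before the MAC check succeeds.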
Comment 1 Alexander Bergmann 2017-09-20 12:03:29 UTC
Looks like the openSUSE:Factory/kohana2 is outdated. 

https://kohanaframework.org/
The latest version 3.3.6 was released on 25 July 2016.

Either this needs to be updated to the latest version or dropped from Factory. Adding latest contributors to the CC list.
Comment 2 Lars Vogdt 2017-12-02 03:35:59 UTC
koseven is a successor - started with testing...
Comment 3 Lars Vogdt 2019-06-07 15:48:57 UTC
kohana got dropped as porting to PHP7 would cost too many resources. Closing here.