JPCERT-AT-2016-0036
                                                             JPCERT/CC
                                                            2016-09-27

                  <<< JPCERT/CC Alert 2016-09-27 >>>

Alert regarding attacks exploiting vulnerabilities in software used for websites

         https://www.jpcert.or.jp/english/at/2016/at160036.html


I. Overview
  JPCERT/CC has observed attacks exploiting vulnerabilities in software
used for web applications. Through exploitation of vulnerabilities in
web applications or software used for web applications, various kinds of
damages may occur, including website compromise.

  Joomla!, an open source CMS, contains a vulnerability*2 executing
arbitrary code, which originates in a PHP vulnerability*1. JPCERT/CC
has received reports on website compromise resulting from attacks
exploiting these vulnerabilities.
  *1: CVE-2015-6835: PHP
  *2: CVE-2015-8562: Joomla!

  In order to protect your websites from such attacks, it is recommended
to refer to the information provided in "II. Solution" and
"III. References" to address any issues as soon as possible.


II. Solution
  Please consider the following check points and countermeasures:

  (Check points)
  - Check whether the version of the software being used (programming
    language, development framework, library, etc.) for the web
    application (CMS, etc.) is the latest available version
  - Periodically check web server access logs and for any suspicious
    requests
  - Check whether there are any unauthorized programs within the
    website contents or any content alterations
  - Perform a third-party security assessment on the website to check
    for any vulnerabilities in the website

  (Countermeasures)
  - Update the web application and the software being used to the
    latest available version
  - Use a Web Application Firewall (WAF) to block any packets that
    attempt to exploit the vulnerabilities

  The versions of PHP and Joomla! that address the vulnerabilities
stated in "I. Overview" are as follows:

    - PHP
    Versions 5.4.45 and later
    Versions 5.5.29 and later
    Versions 5.6.13 and later
    
    * php has provided an announcement on supported versions. For those
      using unsupported versions PHP 5.4.x and PHP 5.5.x are recommended
      to update to a version that is currently being supported.
      
        - Support for version 5.4.x ended in September 2015
        - Support for version 5.5.x ended in July 2016

        For more information on supported versions, please refer to the
        information provided by php.

        php
        Supported Versions
        https://php.net/supported-versions.php
        
    - Joomla!
    Versions 3.4.6 and later


III. References
php
Sec Bug #70219 Use after free vulnerability in session deserializer
https://bugs.php.net/bug.php?id=70219

Joomla!
[20151201] - Core - Remote Code Execution Vulnerability 
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html

HASH Consulting Corporation
"Code execution zero-day vulnerability" in Joomla! due to known PHP vulnerability (Japanese)
http://blog.tokumaru.org/2015/12/joomla-zero-day-attack-caused-by-php.html

JPCERT/CC
Alert "Periodically check website in preparation of cyber attacks" (Japanese)
https://www.jpcert.or.jp/pr/2016/pr160004.html

Information-technology Promotion Agency (IPA)
iLogScanner - Tool for detecting suspicious attacks against web servers (Japanese)
https://www.ipa.go.jp/security/vuln/iLogScanner/

Information-technology Promotion Agency (IPA)
Web Application Firewall (WAF) Primer (PDF) (Japanese)
https://www.ipa.go.jp/files/000017312.pdf


  If you have any information regarding this alert, please contact
JPCERT/CC.

======================================================================
JPCERT Coordination Center (JPCERT/CC)
MAIL: info@jpcert.or.jp
TEL: +81-3-3518-4600  FAX: +81-3-3518-4602
https://www.jpcert.or.jp/english/