Recently, NSFOCUS detected that Yii Framework 2 disclosed a deserialization remote command execution vulnerability (CVE-2020-15148) in its update log published on September 14, 2020.<\/p>\n\n\n\n
By adding the _wakeup() function to Class yii\\db\\BatchQueryResult, Yii Framework 2 disables yii\\db\\BatchQueryResult deserialization and prevents remote command execution caused by application calling ‘unserialize()’ on arbitrary user input.<\/p>\n\n\n\n
Yii2 is a high-performance, open-source, component-based PHP framework for rapidly developing modern Web applications.<\/p>\n\n\n\n
At present, Yii Framework 2 has released a new version to fix the vulnerability. NSFOCUS detection and protection products are capable of scanning and detecting the vulnerability. Affected users are advised to take preventive measures as soon as possible.<\/p>\n\n\n\n\n\n\n\n
Reference links:<\/p>\n\n\n\n The vendor has released the new version 2.0.38 to fix the vulnerability.<\/p>\n\n\n\n The update is available at the following link:<\/p>\n\n\n\n Using NSFOCUS’s Detection Products or Services<\/strong><\/p>\n\n\n\n For internal assets, use NSFOCUS Remote Security Assessment System (RSAS V6), Web Vulnerability Scanning System (WVSS), Intrusion Detection System (NIDS), and Unified Threat Sensor (UTS) to detect the vulnerability:<\/p>\n\n\n\n Use NSFOCUS protection products, such as NSFOCUS Intrusion Protection System (NIPS), Next-Generation Firewall (NF), and Web Application Firewall (WAF), to defend against the vulnerability.<\/p>\n\n\n\n On RSAS, under Services > System Upgrade<\/strong>, click Choose File<\/strong> in the Manual Upgrade<\/strong> area and find the update file just downloaded.<\/p>\n\n\n\n Click Upgrade<\/strong>. Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.<\/p>\n\n\n\n On WVSS, under Services > System Upgrade<\/strong>, in the Manual Upgrade<\/strong> area, click Browse<\/strong> to find the update file just downloaded.<\/p>\n\n\n\n Click Upgrade<\/strong>. Wait for the installation to complete. Then create a custom scanning template to scan the system for this vulnerability.<\/p>\n\n\n\n On UTS, under System > System Upgrade > Offline Upgrade<\/strong>, browse to the update file just downloaded and click Upload<\/strong>.<\/p>\n\n\n\n On NIPS, under System > System Update > Offline Update<\/strong>, browse to the update file just downloaded and click Upload<\/strong>.<\/p>\n\n\n\n After the update is installed, find the rule by ID in the default rule base and view rule details.<\/p>\n\n\n\n On the web-based manager of NSFOCUS NF, under System > System Upgrade > Offline Upgrade<\/strong>, browse to the update file and click Upload<\/strong>.<\/p>\n\n\n\n Wait for the installation to complete.<\/p>\n\n\n\n On WAF, choose System Management > System Tools > Rule Upgrade<\/strong>.<\/p>\n\n\n\n Wait for the installation to complete.<\/p>\n\n\n\n This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and\/or indirect consequences and losses caused by transmitting and\/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add\/delete any information to\/from it, or use this advisory for commercial purposes without permission from NSFOCUS.<\/p>\n\n\n\n NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks.<\/p>\n\n\n\n NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in insurance, retail, healthcare, critical infrastructure industries as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, is a member of both the Microsoft Active Protections Program (MAPP), and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.<\/p>\n","protected":false},"excerpt":{"rendered":" Overview Recently, NSFOCUS detected that Yii Framework 2 disclosed a deserialization remote command execution vulnerability (CVE-2020-15148) in its update log published on September 14, 2020. By adding the _wakeup() function to Class yii\\db\\BatchQueryResult, Yii Framework 2 disables yii\\db\\BatchQueryResult deserialization and prevents remote command execution caused by application calling ‘unserialize()’ on arbitrary user input. Yii2 is […]<\/p>\n","protected":false},"author":1,"featured_media":11681,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"_coblocks_attr":"","_coblocks_dimensions":"","_coblocks_responsive_height":"","_coblocks_accordion_ie_support":"","footnotes":""},"categories":[6],"tags":[770],"class_list":["post-11680","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-emergency-response","tag-yii2"],"acf":[],"yoast_head":"\nAffected Versions<\/h2>\n\n\n\n
Technical Solutions<\/h2>\n\n\n\n
Detection Product<\/strong><\/td> Upgrade Package\/Rule Base Version<\/strong><\/td><\/tr> RSAS V6’s web plug-in package<\/strong><\/td> V6.0R02F00.1816<\/td><\/tr> WVSS<\/strong><\/strong><\/td> V6.0R03F00.182<\/td><\/tr> IDS<\/strong><\/strong><\/td> 5.6.9.23576, 5.6.10.23576<\/td><\/tr> UTS<\/strong><\/strong><\/td> 5.6.10.23576<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Protection Product<\/strong><\/td> Upgrade Package\/Rule Base Version<\/strong><\/td> Rule ID<\/strong><\/td><\/tr> IPS<\/strong><\/strong><\/td> 5.6.9.23576, 5.6.10.23576<\/td> 25037<\/td><\/tr> NF<\/strong><\/strong><\/td> 6.0.1.828, 6.0.2.828<\/td> 25037<\/td><\/tr> WAF<\/strong><\/strong><\/td> 6.0.7.0.46432, 6.0.7.1.46432<\/td> 27005015<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n Appendix: Product\/Platform Use Guides<\/h2>\n\n\n\n
Statement<\/h2>\n\n\n\n
About NSFOCUS<\/h2>\n\n\n\n