CVE-2018-11756 in PHP Runtime for Apache OpenWhisk
Summary
by MITRE
In PHP Runtime for Apache OpenWhisk, a Docker action inheriting one of the Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 04/25/2023
The vulnerability identified as CVE-2018-11756 affects the PHP runtime environment within Apache OpenWhisk, specifically targeting Docker actions that utilize older versions of the PHP action images. This issue represents a critical security flaw that enables privilege escalation through container inheritance mechanisms, where attackers can potentially replace or manipulate user functions within the execution environment. The vulnerability stems from the insecure handling of Docker image tags and the inheritance model used by the OpenWhisk platform, creating opportunities for malicious code injection that could compromise the entire function execution pipeline.
The technical flaw manifests in the way Docker containers inherit and execute user code within the OpenWhisk framework. When functions are deployed using the vulnerable Docker tags openwhisk/action-php-v7.2:1.0.0 or openwhisk/action-php-v7.1:1.0.1, the container environment allows for code replacement or manipulation if the user's PHP code contains exploitable vulnerabilities. This creates a path for attackers to leverage existing code execution flaws within user functions to gain deeper access to the containerized environment. The vulnerability operates under CWE-264, which addresses permissions, privileges, and access controls, specifically focusing on insecure inheritance patterns in containerized execution environments. The flaw enables attackers to potentially execute arbitrary code within the container context, bypassing normal security boundaries that should protect the underlying system.
The operational impact of this vulnerability extends beyond simple code execution, as it creates a persistent threat vector that can be exploited across multiple function deployments within the OpenWhisk platform. Attackers who gain access to the container environment through this vulnerability can potentially escalate privileges, access sensitive data, or even compromise the host system if proper isolation mechanisms are not in place. This vulnerability particularly affects organizations that rely heavily on serverless computing frameworks where functions are executed in shared container environments. The threat landscape is further complicated by the fact that the vulnerability can be exploited through existing code vulnerabilities in user functions, making it difficult to detect and prevent. According to ATT&CK framework, this vulnerability maps to T1059.007 for PHP and T1068 for local privilege escalation, highlighting the multi-layered attack surface that this flaw exposes.
Mitigation strategies for CVE-2018-11756 require immediate action to update all affected Docker images to newer, secure versions that address the inheritance and code replacement vulnerabilities. Organizations should implement strict image version control policies and ensure that all deployed functions use verified, up-to-date runtime images from trusted sources. The recommended approach includes enforcing image pinning to specific digest values rather than relying on tag-based inheritance, which prevents accidental deployment of vulnerable images. Additionally, organizations should implement container runtime security controls that monitor for unauthorized code modifications and establish network segmentation to limit the potential impact of successful exploitation attempts. Regular security audits of deployed functions and container images should be conducted to identify and remediate similar vulnerabilities across the entire serverless platform ecosystem.