CVE-2015-8562 is a PHP object injection vulnerability that affects all versions of the Joomla content management system before v3.4.6. The vulnerability exists because Joomla stores the HTTP User-Agent header in the database without performing input validation, which allows an attacker to inject a PHP object into the database. Successful exploitation allows the attacker to store malicious code (typically a backdoor) that can be executed later. According to our testing, successful exploitation also requires that the web server be running a version of PHP older than 5.4.
- Check your logs for indicators that an attack was performed.
- Update to version 3.4.6.
- If using the 1.5.x or 2.5.x branches, apply the hotfixes.
Indicators of Compromise
If you are a Joomla user, examine your logs right away. We recommend searching your logs for “JDatabaseDriverMysqli” or “O:” in the User-Agent field, as both strings have been used in the exploits. If you find either, consider your Joomla site compromised and move to the remediation / incident response phase.
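The log search described above, as an added example that is not part of the original advisory: a small Python scanner that parses Apache/nginx "combined" format access log lines, extracts the User-Agent field, and flags requests carrying either indicator. The sample log lines are constructed for this example (RFC 5737 documentation addresses, a harmless empty serialized object rather than any real payload). The tighter "serialized PHP object" pattern is an assumed refinement beyond the advisory's plain "O:" substring match, added to reduce false positives from legitimate User-Agent strings that happen to contain "O:".

```python
import re

# Apache/nginx "combined" log format. Quoted fields may contain backslash-escaped
# quotes (Apache writes a literal " in a header as \"), so each quoted field is
# matched as a run of non-quote characters or escape sequences.
QUOTED = r'((?:[^"\\]|\\.)*)'
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>' + QUOTED[1:-1] + r')" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>' + QUOTED[1:-1] + r')" '
    r'"(?P<ua>' + QUOTED[1:-1] + r')"$'
)

# Indicators named in the advisory: the Joomla class name used in public exploits
# and the "O:" prefix that begins a serialized PHP object.
INDICATORS = ("JDatabaseDriverMysqli", "O:")

# Assumed refinement (not from the advisory): "O:" followed by a length and a
# quoted class name is the exact shape of a serialized PHP object header.
SERIALIZED_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*"')

# Constructed sample log: one normal browser request, one request whose
# User-Agent carries both indicators, one normal request from another browser.
SAMPLE_LOG = r'''203.0.113.7 - - [12/Dec/2015:09:15:02 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"
198.51.100.23 - - [12/Dec/2015:09:16:44 +0000] "GET / HTTP/1.1" 200 5123 "-" "O:21:\"JDatabaseDriverMysqli\":0:{}"
192.0.2.9 - - [12/Dec/2015:09:17:10 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"'''


def parse_combined(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    # Undo Apache's escaping so the indicator strings are compared in their raw form.
    rec["ua"] = rec["ua"].replace('\\"', '"')
    return rec


def ua_indicators(ua):
    """Return the indicators found in a User-Agent string (empty list if none)."""
    hits = [ind for ind in INDICATORS if ind in ua]
    if SERIALIZED_OBJECT_RE.search(ua):
        hits.append("serialized-php-object")
    return hits


def scan_log(lines):
    """Return (host, time, request, hits) for every request whose User-Agent carries an indicator."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # skip lines in another format rather than failing the whole scan
        hits = ua_indicators(rec["ua"])
        if hits:
            findings.append((rec["host"], rec["time"], rec["request"], hits))
    return findings


if __name__ == "__main__":
    for host, when, request, hits in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{when} {host} {request!r} -> {', '.join(hits)}")
```

To run this over a real server, replace `SAMPLE_LOG.splitlines()` with the open access log file (`scan_log(open("/var/log/apache2/access.log"))`). A match on the class name is high confidence; a bare "O:" hit without the serialized-object shape is worth a manual look but is the weaker signal.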
Affected versions: 1.5.0 through 3.4.5
The Masergy Threat Intelligence Team has deployed the following alert to detect exploitation of this vulnerability:
Inbound exploit attempt for a Joomla pre-auth PHP object injection vulnerability that affects all versions of Joomla before v3.4.6. Successful exploitation allows the attacker to store malicious code (typically a backdoor) that can be executed later.