Out-of-bounds read in PHP

#VU8965 Out-of-bounds read in PHP

Published: 2017-10-27 | Updated: 2017-11-10

Vulnerability identifier: #VU8965

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-11145

CWE-ID:

Exploitation vector: Network

Exploit availability:

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to obtain potentially sensitive information.

The weakness exists due to out-of-bounds read in timelib_meridian(). A remote attacker can read arbitrary data on the target system.

Mitigation
Update to version 5.6.32.

Vulnerable software versions

PHP: 5.6.0 - 5.6.31, 5.5.0 - 5.5.38, 5.4.0 - 5.4.44, 5.1 - 5.1.6, 5.3.0 - 5.3.27, 5.2.0 - 5.2.17, 5.0 - 5.0.5

Fixed software versions

CPE

cpe:2.3:a:php_group:php:5.6.31:*:*:*:*:*:*:*

External links
http://php.net/ChangeLog-5.php#5.6.32

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Red Hat update for php

Debian update for php5

Debian update for php7.0

Ubuntu update for PHP

Multiple vulnerabilities in PHP