#VU9716 Denial of service

Published: 2017-12-22

Vulnerability identifier: #VU9716

Vulnerability risk: Low


CVE-ID: CVE-2017-11144


Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Universal components / Libraries / Scripting languages

Vendor: PHP Group

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function. A remote attacker can trigger a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.

Successful exploitation of the vulnerability results in denial of service.

Update to version 5.6.31, 7.0.21 or 7.1.7.

Vulnerable software versions

PHP: 5.6.0 - 5.6.30, 5.5.0 - 5.5.38, 5.4.0 - 5.4.44, 5.1 - 5.1.6, 5.3.0 - 5.3.27, 5.2.0 - 5.2.17, 5.0 - 5.0.5, 7.0.0 - 7.0.20, 7.1.0 - 7.1.6


External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability