#VU9716 Denial of service


Published: 2017-12-22

Vulnerability identifier: #VU9716

Vulnerability risk: Low

CVSSv3.1:

CVE-ID: CVE-2017-11144

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to cause DoS condition on the target system.

The weakness exists due to the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function. A remote attacker can trigger a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.

Successful exploitation of the vulnerability results in denial of service.

Mitigation
Update to version 5.6.31, 7.0.21 or 7.1.7.

Vulnerable software versions

PHP: 5.6.0 - 5.6.30, 5.5.0 - 5.5.38, 5.4.0 - 5.4.44, 5.1 - 5.1.6, 5.3.0 - 5.3.27, 5.2.0 - 5.2.17, 5.0 - 5.0.5, 7.0.0 - 7.0.20, 7.1.0 - 7.1.6


CPE

External links
http://bugs.php.net/bug.php?id=74651


Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?


Latest bulletins with this vulnerability