Vulnerability identifier: #VU9867
Vulnerability risk: Medium
Exploitation vector: Network
Vendor: PHP Group
The vulnerability allows a remote attacker to perform XXE. attcks.
The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.
Note: this vulnerability is known at least since 2013 and it was patched several times.
Update to version 7.0.27.
Vulnerable software versions
PHP: 7.2.0, 7.0.0 - 7.0.26, 7.1.0 - 7.1.12, 5.6.0 - 5.6.32, 5.5.0 - 5.5.38, 5.4.15 - 5.4.44
Fixed software versions
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?