Vulnerability identifier: #VU9867
Vulnerability risk: Medium
CVSSv3.1:
CVE-ID:
CWE-ID:
CWE-611
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
PHP
Universal components / Libraries /
Scripting languages
Vendor: PHP Group
Description
The vulnerability allows a remote attacker to perform XXE. attcks.
The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.
Note: this vulnerability is known at least since 2013 and it was patched several times.
Mitigation
Update to version 7.0.27.
Vulnerable software versions
PHP: 7.2.0, 7.0.0 - 7.0.26, 7.1.0 - 7.1.12, 5.6.0 - 5.6.32, 5.5.0 - 5.5.38, 5.4.15 - 5.4.44
CPE
External links
http://www.openwall.com/lists/oss-security/2016/04/24/1
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
http://www.php.net/ChangeLog-5.php
http://bugs.php.net/bug.php?id=64938
Can this vulnerability be exploited remotely?
Is there known malware, which exploits this vulnerability?