Vulnerability identifier: #VU9867

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L/E:U/RL:O/RC:C]

CVE-ID: CVE-2015-8866

CWE-ID: CWE-611

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description
The vulnerability allows a remote attacker to perform XXE. attcks.

The vulnerability exists in ext/libxml/libxml.c when using PHP-FPM due to improper isolation of each threat from libxml_disable_entity_loader changes in other threads. A remote attacker can perform XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document.

Note: this vulnerability is known at least since 2013 and it was patched several times.

Mitigation
Update to version 7.0.27.

Vulnerable software versions

PHP: 7.2.0, 7.0.0 - 7.0.26, 7.1.0 - 7.1.12, 5.6.0 - 5.6.32, 5.5.0 - 5.5.38, 5.4.15 - 5.4.44

---

External links
http://www.openwall.com/lists/oss-security/2016/04/24/1
http://git.php.net/?p=php-src.git;a=commit;h=de31324c221c1791b26350ba106cc26bad23ace9
http://www.php.net/ChangeLog-5.php
http://bugs.php.net/bug.php?id=64938

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.