Vulnerability Name:

CVE-2017-11142 (CCN-129131)

Assigned: 2017-06-20
Published: 2017-06-20
Updated: 2018-01-14
Summary: In PHP before 5.6.31, 7.x before 7.0.17, and 7.1.x before 7.1.3, remote attackers could cause a CPU consumption denial of service attack by injecting long form variables, related to main/php_variables.c.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 7.8 High (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-400
Vulnerability Consequences: Denial of Service
References:

Source: MITRE
Type: CNA
CVE-2017-11142

Source: CCN
Type: oss-sec Mailing List, Mon, 10 Jul 2017 13:33:53 +0200
Re: CVE IDs needed for PHP vulnerabilites (affects 5.6.30 and 7.0.20)

Source: CONFIRM
Type: Mailing List
http://openwall.com/lists/oss-security/2017/07/10/6

Source: CCN
Type: PHP Web site
Version 5.6.31

Source: CONFIRM
Type: Release Notes, Vendor Advisory
http://php.net/ChangeLog-5.php

Source: CCN
Type: PHP Web site
Version 7.1.7

Source: CONFIRM
Type: Release Notes, Vendor Advisory
http://php.net/ChangeLog-7.php

Source: CCN
Type: IBM Security Bulletin 2016641 (Tealeaf Customer Experience)
Multiple Security Issues in IBM Tealeaf Customer Experience PCA

Source: BID
Type: UNKNOWN
99601

Source: CCN
Type: BID-99601
PHP CVE-2017-11142 Denial of Service Vulnerability

Source: CCN
Type: PHP Sec Bug #73807
Performance problem with processing post request over 2000000 chars

Source: CONFIRM
Type: Vendor Advisory
https://bugs.php.net/bug.php?id=73807

Source: XF
Type: UNKNOWN
php-cve201711142-dos(129131)

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/php/php-src/commit/0f8cf3b8497dc45c010c44ed9e96518e11e19fc3

Source: CONFIRM
Type: Patch, Third Party Advisory
https://github.com/php/php-src/commit/a15bffd105ac28fd0dd9b596632dbf035238fda3

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20180112-0001/

Source: DEBIAN
Type: UNKNOWN
DSA-4081

Source: CONFIRM
Type: UNKNOWN
https://www.tenable.com/security/tns-2017-12

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:php:php:*:*:*:*:*:*:*:* (Version <= 5.6.30)
  • OR cpe:/a:php:php:7.0.0:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.1:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.2:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.3:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.4:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.5:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.6:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.7:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.8:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.9:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.10:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.11:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.12:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.13:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.14:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.15:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.16:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.0:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.1:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.2:-:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:php:php:5.6.30:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.16:-:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.2:-:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tealeaf_customer_experience:9.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:8.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:8.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:9.0.1:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:201711142
    V
    CVE-2017-11142
    2022-09-02
    oval:org.opensuse.security:def:10439
    P
    Security update for SDL2 (Important) (in QA)
    2022-01-12
    oval:org.opensuse.security:def:10710
    P
    Security update for the Linux Kernel (Important) (in QA)
    2022-01-07
    oval:org.opensuse.security:def:10372
    P
    Security update for aaa_base (Moderate)
    2021-12-03
    oval:org.opensuse.security:def:10170
    P
    Security update for qemu (Important)
    2021-11-04
    oval:org.opensuse.security:def:10148
    P
    Security update for ffmpeg (Important)
    2021-09-02
    oval:org.opensuse.security:def:10140
    P
    Security update for java-1_8_0-openjdk (Important)
    2021-08-20
    oval:org.opensuse.security:def:14950
    P
    libSoundTouch0-1.7.1-5.11.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14019
    P
    python-pywbem-0.7.0-4.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14104
    P
    coreutils-8.25-12.8 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14277
    P
    libpoppler-glib8-0.43.0-15.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14928
    P
    jakarta-commons-fileupload-1.1.1-122.3.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13951
    P
    libraptor2-0-2.0.10-3.63 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14085
    P
    apache2-mod_jk-1.2.40-5.2 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14266
    P
    libopenssl-devel-1.0.2j-59.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14222
    P
    libexif12-0.6.21-6.3 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14290
    P
    libspice-client-glib-2_0-8-0.33-1.33 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13929
    P
    libmpfr4-3.1.2-7.1 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:13921
    P
    liblcms1-1.19-17.28 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14067
    P
    xorg-x11-libs-7.6-45.14 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:14197
    P
    libXinerama1-1.1.3-3.54 on GA media (Moderate)
    2021-08-16
    oval:org.opensuse.security:def:11099
    P
    Security update for fossil (Moderate)
    2021-07-17
    oval:org.opensuse.security:def:10685
    P
    Security update for the Linux Kernel (Important)
    2021-07-15
    oval:org.opensuse.security:def:38024
    P
    Security update for csync2 (Moderate)
    2021-07-12
    oval:org.opensuse.security:def:38679
    P
    Security update for OpenEXR (Important)
    2021-06-22
    oval:org.opensuse.security:def:10278
    P
    Security update for ucode-intel (Important)
    2021-06-10
    oval:org.opensuse.security:def:16995
    P
    bogofilter-1.2.4-3.56 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11412
    P
    libvorbis0-1.3.3-8.23 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17171
    P
    gstreamer-0_10-plugins-base-0.10.36-17.13 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:16635
    P
    php7-devel-7.0.7-50.52.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17286
    P
    libwpd-0_10-10-0.10.2-2.4.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17278
    P
    libsilc-1_1-2-1.1.10-24.128 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17114
    P
    lhasa-0.2.0-5.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17238
    P
    gnome-shell-calendar-3.20.4-77.17.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:124641
    P
    php7-devel-7.0.7-50.52.1 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17029
    P
    libvirt-client-32bit-1.2.5-13.3 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:11434
    P
    pcsc-ccid-1.4.14-1.45 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:17202
    P
    libsilc-1_1-2-1.1.10-24.128 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:10263
    P
    Security update for ceph (Important)
    2021-06-02
    oval:org.opensuse.security:def:10216
    P
    Security update for wpa_supplicant (Important)
    2021-03-08
    oval:org.opensuse.security:def:10397
    P
    Security update for salt (Critical)
    2021-02-26
    oval:org.opensuse.security:def:10297
    P
    Security update for go1.14 (Moderate)
    2021-01-26
    oval:org.opensuse.security:def:11121
    P
    Security update for viewvc (Moderate)
    2021-01-19
    oval:org.opensuse.security:def:17320
    P
    gimp-2.8.18-9.3.26 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16987
    P
    xorg-x11-devel-7.6-45.14 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17348
    P
    libmwaw-0_3-3-0.3.14-7.12.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:16948
    P
    php7-devel-7.0.7-50.85.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:17380
    P
    pulseaudio-module-bluetooth-5.0-4.1 on GA media (Moderate)
    2020-12-03
    oval:org.opensuse.security:def:38411
    P
    logrotate on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17493
    P
    Security update for kernel-firmware (Important)
    2020-12-01
    oval:org.opensuse.security:def:38746
    P
    libxerces-c-3_1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17728
    P
    Security update for ntp (Important)
    2020-12-01
    oval:org.opensuse.security:def:17671
    P
    Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:10483
    P
    libapr1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39428
    P
    Security update for python-urllib3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17762
    P
    Security update for gdk-pixbuf (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10591
    P
    python3-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10752
    P
    libjson-c-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18135
    P
    Security update for php7 (Important)
    2020-12-01
    oval:org.opensuse.security:def:38321
    P
    liblua5_2-32bit on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10774
    P
    libplist++-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17462
    P
    Security update for compat-openssl098 (Important)
    2020-12-01
    oval:org.opensuse.security:def:38718
    P
    libpython2_7-1_0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38630
    P
    krb5 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17639
    P
    Security update for jasper (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10461
    P
    lib3ds-1-3 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38790
    P
    res-signingkeys on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10453
    P
    hplip-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17449
    P
    Security update for webkit2gtk3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:10576
    P
    nut-cgi on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18426
    P
    Security update for php7 (Important)
    2020-12-01
    oval:org.opensuse.security:def:37940
    P
    libpng12-0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:18109
    P
    Security update for libical (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37928
    P
    libopenjp2-7 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38263
    P
    libXv1 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10448
    P
    gnome-shell-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17405
    P
    Security update for tomcat (Important)
    2020-12-01
    oval:org.opensuse.security:def:38571
    P
    cups-pk-helper on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17529
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:17740
    P
    Security update for php5 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17437
    P
    Security update for samba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10529
    P
    libpcscspy0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:39470
    P
    Security update for php7 (Important)
    2020-12-01
    oval:org.opensuse.security:def:18400
    P
    Security update for poppler (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:37929
    P
    libopenssl-1_0_0-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:10610
    P
    xfig on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:17471
    P
    Security update for perl-DBI (Important)
    2020-12-01
    oval:org.opensuse.security:def:10761
    P
    libmusicbrainz-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:38161
    P
    curl on GA media (Moderate)
    2020-12-01
    oval:com.ubuntu.trusty:def:201711142000
    V
    CVE-2017-11142 on Ubuntu 14.04 LTS (trusty) - low.
    2017-07-10
    oval:com.ubuntu.xenial:def:201711142000
    V
    CVE-2017-11142 on Ubuntu 16.04 LTS (xenial) - low.
    2017-07-10
    oval:com.ubuntu.xenial:def:2017111420000000
    V
    CVE-2017-11142 on Ubuntu 16.04 LTS (xenial) - low.
    2017-07-10
    php php *
    php php 7.0.0
    php php 7.0.1
    php php 7.0.2
    php php 7.0.3
    php php 7.0.4
    php php 7.0.5
    php php 7.0.6
    php php 7.0.7
    php php 7.0.8
    php php 7.0.9
    php php 7.0.10
    php php 7.0.11
    php php 7.0.12
    php php 7.0.13
    php php 7.0.14
    php php 7.0.15
    php php 7.0.16
    php php 7.1.0
    php php 7.1.1
    php php 7.1.2
    php php 5.6.30 -
    php php 7.0.16 -
    php php 7.1.2 -
    ibm tealeaf customer experience 9.0.2
    ibm tealeaf customer experience 8.7
    ibm tealeaf customer experience 8.8
    ibm tealeaf customer experience 9.0.1