Vulnerability Name:

CVE-2017-11144

Assigned:2017-07-05
Published:2017-07-05
Updated:2018-05-03
Summary:In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
CVSS v3 Severity:7.5 High (CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
7.5 High (CCN CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.5 Medium (CCN Temporal CVSS v3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): High
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Complete
Vulnerability Type:CWE-754
References:Source: CONFIRM
Type: VENDOR_ADVISORY
http://git.php.net/?p=php-src.git;a=commit;h=73cabfedf519298e1a11192699f44d53c529315e

Source: CONFIRM
Type: VENDOR_ADVISORY
http://git.php.net/?p=php-src.git;a=commit;h=89637c6b41b510c20d262c17483f582f115c66d6

Source: CONFIRM
Type: VENDOR_ADVISORY
http://git.php.net/?p=php-src.git;a=commit;h=91826a311dd37f4c4e5d605fa7af331e80ddd4c3

Source: CONFIRM
Type: UNKNOWN
http://openwall.com/lists/oss-security/2017/07/10/6

Source: CONFIRM
Type: VENDOR_ADVISORY
http://php.net/ChangeLog-5.php

Source: CONFIRM
Type: VENDOR_ADVISORY
http://php.net/ChangeLog-7.php

Source: REDHAT
Type: UNKNOWN
RHSA-2018:1296

Source: CONFIRM
Type: VENDOR_ADVISORY
https://bugs.php.net/bug.php?id=74651

Source: XF
Type: UNKNOWN
php-cve201711144-dos(129128)

Source: CONFIRM
Type: UNKNOWN
https://security.netapp.com/advisory/ntap-20180112-0001/

Source: DEBIAN
Type: UNKNOWN
DSA-4080

Source: DEBIAN
Type: UNKNOWN
DSA-4081

Source: CONFIRM
Type: UNKNOWN
https://www.tenable.com/security/tns-2017-12

Vulnerable Configuration:Configuration 1:
  • cpe:/a:php:php:5.6.30:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.9:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.10:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.11:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.12:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.13:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.14:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.15:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.16:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.17:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.18:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.19:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.20:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.4:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.5:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.6:*:*:*:*:*:*:*

  • Configuration CCN 1:
  • cpe:/a:php:php:5.6.30:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.0.20:*:*:*:*:*:*:*
  • OR cpe:/a:php:php:7.1.6:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    Oval Definitions
    Definition IDClassTitleLast Modified
    oval:org.opensuse.security:def:201711144
    V
    CVE-2017-11144
    2018-09-18
    oval:com.ubuntu.xenial:def:201711144000
    V
    CVE-2017-11144 on Ubuntu 16.04 LTS (xenial) - medium.
    2017-07-10
    oval:com.ubuntu.trusty:def:201711144000
    V
    CVE-2017-11144 on Ubuntu 14.04 LTS (trusty) - medium.
    2017-07-10
    oval:com.ubuntu.artful:def:201711144000
    V
    CVE-2017-11144 on Ubuntu 17.10 (artful) - medium.
    2017-07-10
    BACK
    php php 5.6.30
    php php 7.0.0
    php php 7.0.1
    php php 7.0.2
    php php 7.0.3
    php php 7.0.4
    php php 7.0.5
    php php 7.0.6
    php php 7.0.7
    php php 7.0.8
    php php 7.0.9
    php php 7.0.10
    php php 7.0.11
    php php 7.0.12
    php php 7.0.13
    php php 7.0.14
    php php 7.0.15
    php php 7.0.16
    php php 7.0.17
    php php 7.0.18
    php php 7.0.19
    php php 7.0.20
    php php 7.1.0
    php php 7.1.1
    php php 7.1.2
    php php 7.1.3
    php php 7.1.4
    php php 7.1.5
    php php 7.1.6
    php php 5.6.30
    php php 7.0.20
    php php 7.1.6