FKIE_CVE-2017-11144

Vulnerability from fkie_nvd - Published: 2017-07-10 14:29 - Updated: 2025-04-20 01:37
Severity ?
7.5 (High) - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
References
cve@mitre.orghttp://git.php.net/?p=php-src.git%3Ba=commit%3Bh=73cabfedf519298e1a11192699f44d53c529315e
cve@mitre.orghttp://git.php.net/?p=php-src.git%3Ba=commit%3Bh=89637c6b41b510c20d262c17483f582f115c66d6
cve@mitre.orghttp://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91826a311dd37f4c4e5d605fa7af331e80ddd4c3
cve@mitre.orghttp://openwall.com/lists/oss-security/2017/07/10/6Mailing List
cve@mitre.orghttp://php.net/ChangeLog-5.phpRelease Notes, Vendor Advisory
cve@mitre.orghttp://php.net/ChangeLog-7.phpRelease Notes, Vendor Advisory
cve@mitre.orghttps://access.redhat.com/errata/RHSA-2018:1296
cve@mitre.orghttps://bugs.php.net/bug.php?id=74651Third Party Advisory
cve@mitre.orghttps://security.netapp.com/advisory/ntap-20180112-0001/
cve@mitre.orghttps://www.debian.org/security/2018/dsa-4080
cve@mitre.orghttps://www.debian.org/security/2018/dsa-4081
cve@mitre.orghttps://www.tenable.com/security/tns-2017-12
af854a3a-2127-422b-91ae-364da2661108http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=73cabfedf519298e1a11192699f44d53c529315e
af854a3a-2127-422b-91ae-364da2661108http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=89637c6b41b510c20d262c17483f582f115c66d6
af854a3a-2127-422b-91ae-364da2661108http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91826a311dd37f4c4e5d605fa7af331e80ddd4c3
af854a3a-2127-422b-91ae-364da2661108http://openwall.com/lists/oss-security/2017/07/10/6Mailing List
af854a3a-2127-422b-91ae-364da2661108http://php.net/ChangeLog-5.phpRelease Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108http://php.net/ChangeLog-7.phpRelease Notes, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2018:1296
af854a3a-2127-422b-91ae-364da2661108https://bugs.php.net/bug.php?id=74651Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20180112-0001/
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2018/dsa-4080
af854a3a-2127-422b-91ae-364da2661108https://www.debian.org/security/2018/dsa-4081
af854a3a-2127-422b-91ae-364da2661108https://www.tenable.com/security/tns-2017-12
Impacted products
Vendor Product Version
php php *
php php 7.0.0
php php 7.0.1
php php 7.0.2
php php 7.0.3
php php 7.0.4
php php 7.0.5
php php 7.0.6
php php 7.0.7
php php 7.0.8
php php 7.0.9
php php 7.0.10
php php 7.0.11
php php 7.0.12
php php 7.0.13
php php 7.0.14
php php 7.0.15
php php 7.0.16
php php 7.0.17
php php 7.0.18
php php 7.0.19
php php 7.0.20
php php 7.1.0
php php 7.1.1
php php 7.1.2
php php 7.1.3
php php 7.1.4
php php 7.1.5
php php 7.1.6
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:php:php:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "399EA21A-9B46-4F4F-9A33-4DC557B11743",
              "versionEndIncluding": "5.6.30",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "DB6890AF-8A0A-46EE-AAD5-CF9AAE14A321",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "6B90B947-7B54-47F3-9637-2F4AC44079EE",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "35848414-BD5D-4164-84DC-61ABBB1C4152",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "2B1F8402-8551-4F66-A9A7-81D472AB058E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "7A773E8E-48CD-4D35-A0FD-629BD9334486",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "FC492340-79AF-4676-A161-079A97EC6F0C",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "F1C2D8FE-C380-4B43-B634-A3DBA4700A71",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.7:*:*:*:*:*:*:*",
              "matchCriteriaId": "3EB58393-0C10-413C-8D95-6BAA8BC19A1B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.8:*:*:*:*:*:*:*",
              "matchCriteriaId": "751F51CA-9D88-4971-A6EC-8C0B72E8E22B",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.9:*:*:*:*:*:*:*",
              "matchCriteriaId": "37B74118-8FC2-44CB-9673-A83DF777B2E6",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.10:*:*:*:*:*:*:*",
              "matchCriteriaId": "4D56A200-1477-40DA-9444-CFC946157C69",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.11:*:*:*:*:*:*:*",
              "matchCriteriaId": "FD0D1CCC-A857-4C15-899E-08F9255CEE34",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.12:*:*:*:*:*:*:*",
              "matchCriteriaId": "6745CC43-2836-4CD8-848F-EEA08AE9D5AC",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.13:*:*:*:*:*:*:*",
              "matchCriteriaId": "7BEB6696-14F9-4D9B-9974-B682FFBB828E",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.14:*:*:*:*:*:*:*",
              "matchCriteriaId": "04146390-021D-4147-9830-9EAA90D120A7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.15:*:*:*:*:*:*:*",
              "matchCriteriaId": "5B124547-DC1D-4A92-B8AB-8A1900063786",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.16:*:*:*:*:*:*:*",
              "matchCriteriaId": "F45B2127-CF3D-4D59-9042-AE6DF2908319",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.17:*:*:*:*:*:*:*",
              "matchCriteriaId": "29A450E3-931F-4487-A76D-80A38210297A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.18:*:*:*:*:*:*:*",
              "matchCriteriaId": "C099A0C4-883D-42ED-8359-FFD3ADD692A3",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.19:*:*:*:*:*:*:*",
              "matchCriteriaId": "ABD07432-5A23-491E-892E-42F0F58307D0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.0.20:*:*:*:*:*:*:*",
              "matchCriteriaId": "19627ECC-9342-4917-8FCC-7757339E3242",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "0C68AA43-ED90-4B98-A5F8-4E210C2CC7CD",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.1:*:*:*:*:*:*:*",
              "matchCriteriaId": "2466D297-9442-40B0-A1A7-F9D166396CF8",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.2:*:*:*:*:*:*:*",
              "matchCriteriaId": "EADBF7EE-18DC-49F9-BF2F-A09BBAE76F45",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.3:*:*:*:*:*:*:*",
              "matchCriteriaId": "1726E9B6-A7FA-402B-A911-0CE81C623087",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.4:*:*:*:*:*:*:*",
              "matchCriteriaId": "C3670FF7-2CA3-41A4-92FE-0123497E4E87",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.5:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C22CE03-DFE5-4CD3-B229-10B219A55434",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:php:php:7.1.6:*:*:*:*:*:*:*",
              "matchCriteriaId": "C258AF27-84DF-4FC3-A651-1349BB567FB9",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission."
    },
    {
      "lang": "es",
      "value": "En PHP, en versiones anteriores a la 5.6.31, las versiones 7.x anteriores a la 7.0.21 y las versiones 7.1.x anteriores a la 7.1.7, el c\u00f3digo de sellado PEM de la extensi\u00f3n openssl no comprob\u00f3 el valor de retorno de la funci\u00f3n de sellado de OpenSSL, lo que podr\u00eda conducir al cierre inesperado del int\u00e9rprete de PHP. Esto est\u00e1 relacionado con un conflicto de interpretaci\u00f3n para un n\u00famero negativo en ext/openssl/openssl.c y una omisi\u00f3n de documentaci\u00f3n OpenSSL."
    }
  ],
  "id": "CVE-2017-11144",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "MEDIUM",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 5.0,
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ],
    "cvssMetricV30": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
          "version": "3.0"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-07-10T14:29:00.620",
  "references": [
    {
      "source": "cve@mitre.org",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=73cabfedf519298e1a11192699f44d53c529315e"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=89637c6b41b510c20d262c17483f582f115c66d6"
    },
    {
      "source": "cve@mitre.org",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91826a311dd37f4c4e5d605fa7af331e80ddd4c3"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Mailing List"
      ],
      "url": "http://openwall.com/lists/oss-security/2017/07/10/6"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://php.net/ChangeLog-5.php"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://php.net/ChangeLog-7.php"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://access.redhat.com/errata/RHSA-2018:1296"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://bugs.php.net/bug.php?id=74651"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://security.netapp.com/advisory/ntap-20180112-0001/"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.debian.org/security/2018/dsa-4080"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.debian.org/security/2018/dsa-4081"
    },
    {
      "source": "cve@mitre.org",
      "url": "https://www.tenable.com/security/tns-2017-12"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=73cabfedf519298e1a11192699f44d53c529315e"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=89637c6b41b510c20d262c17483f582f115c66d6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91826a311dd37f4c4e5d605fa7af331e80ddd4c3"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Mailing List"
      ],
      "url": "http://openwall.com/lists/oss-security/2017/07/10/6"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://php.net/ChangeLog-5.php"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Release Notes",
        "Vendor Advisory"
      ],
      "url": "http://php.net/ChangeLog-7.php"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2018:1296"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://bugs.php.net/bug.php?id=74651"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20180112-0001/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2018/dsa-4080"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.debian.org/security/2018/dsa-4081"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://www.tenable.com/security/tns-2017-12"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-754"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.