CVE-2017-11144
Severity: HIGH
PHP < 5.6.31, 7.x < 7.0.21, 7.1.x < 7.1.7 - Denial of Service via OpenSSL PEM Sealing
In PHP before 5.6.31, 7.x before 7.0.21, and 7.1.x before 7.1.7, the openssl extension PEM sealing code did not check the return value of the OpenSSL sealing function, which could lead to a crash of the PHP interpreter, related to an interpretation conflict for a negative number in ext/openssl/openssl.c, and an OpenSSL documentation omission.
References (12)
Core References
Various Sources x_refsource_confirm
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=89637c6b41b510c20d262c17483f582f115c66d6
Mailing List x_refsource_confirm
http://openwall.com/lists/oss-security/2017/07/10/6
Third Party Advisory x_refsource_confirm
https://www.tenable.com/security/tns-2017-12
Various Sources x_refsource_confirm
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=91826a311dd37f4c4e5d605fa7af331e80ddd4c3
Various Sources x_refsource_confirm
http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=73cabfedf519298e1a11192699f44d53c529315e
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2018:1296
Release Notes, Vendor Advisory x_refsource_confirm
http://php.net/ChangeLog-5.php
Vendor Advisory x_refsource_confirm
https://security.netapp.com/advisory/ntap-20180112-0001/
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4081
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2018/dsa-4080
Release Notes, Vendor Advisory x_refsource_confirm
http://php.net/ChangeLog-7.php
Third Party Advisory x_refsource_confirm
https://bugs.php.net/bug.php?id=74651
Scores
CVSS v3
7.5
EPSS
0.4070
EPSS Percentile
97.4%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-754
Status
published
Products (29)
php/php
7.0.0
php/php
7.0.1
php/php
7.0.2
php/php
7.0.3
php/php
7.0.4
php/php
7.0.5
php/php
7.0.6
php/php
7.0.7
php/php
7.0.8
php/php
7.0.9
... and 19 more
Published
Jul 10, 2017
Tracked Since
Feb 18, 2026