#VU16084 Denial of service in PHP - CVE-2014-0237


Vulnerability identifier: #VU16084

Vulnerability risk: Low

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2014-0237

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
PHP
Universal components / Libraries / Scripting languages

Vendor: PHP Group

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists in cdf_unpack_summary_info function in cdf.c in the Fileinfo component in PHP before 5.4.29 and 5.5.x before 5.5.13 due to performance degradation. A remote attacker can trigger many file_printf calls and cause the service to crash.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

PHP: 5.4.0 - 5.4.28, 5.5.0 - 5.5.12

External links
https://bugs.php.net/bug.php?id=67328

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Ubuntu update for PHP
Amazon Linux AMI update for php
Amazon Linux AMI update for file
SUSE Linux update for php53
Amazon Linux AMI update for php55
Amazon Linux AMI update for php54
Denial of service in php (Alpine package)
Slackware Linux update for php