CVE-2015-8866

Description

ext/libxml/libxml.c in PHP before 5.5.22 and 5.6.x before 5.6.6, when PHP-FPM is used, does not isolate each thread from libxml_disable_entity_loader changes in other threads, which allows remote attackers to conduct XML External Entity (XXE) and XML Entity Expansion (XEE) attacks via a crafted XML document, a related issue to CVE-2015-5161.

CVSS Metrics

• v3.1•CRITICAL•Score: 9.6CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
• v2.0•MEDIUM•Score: 6.8AV:N/AC:M/Au:N/C:P/I:P/A:P

EPSS Trends

Current EPSS score: 3.53%• Percentile: 88%

Techniques & Countermeasures

• CWE-611•Improper Restriction of XML External Entity Reference

  The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Affected Systems

• canonical•ubuntu_linux

  12.04 | 14.04 | 15.10

• opensuse•leap

  42.1

• opensuse•opensuse

  13.2

• Unknown•PHP

  ≥ 5.5.0, < 5.5.22 | ≥ 5.6.0, < 5.6.6 | ≥ 7.0.0, < 7.0.27 | ≥ 7.1.0, < 7.1.13 | ≥ 7.2.0, < 7.2.1

• suse•linux_enterprise_module_for_web_scripting

  12

• suse•linux_enterprise_software_development_kit

  12 | 12:sp1

References (12)

• http://www.ubuntu.com/usn/USN-2952-1
• http://git.php.net/?p=php-src.git%3Ba=commit%3Bh=de31324c221c1791b26350ba106cc26bad23ace9
• https://bugs.launchpad.net/ubuntu/+source/php5/+bug/1509817
• http://rhn.redhat.com/errata/RHSA-2016-2750.html
• http://www.ubuntu.com/usn/USN-2952-2
• http://www.php.net/ChangeLog-5.php
• https://bugs.php.net/bug.php?id=64938
• http://www.securityfocus.com/bid/87470
• http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00031.html
• http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00033.html
• http://www.openwall.com/lists/oss-security/2016/04/24/1
• http://lists.opensuse.org/opensuse-security-announce/2016-05/msg00056.html