K17313 : PHP vulnerability CVE-2014-4721

Security Advisory Description

The phpinfo implementation in ext/standard/info.c in PHP before 5.4.30 and 5.5.x before 5.5.14 does not ensure use of the string data type for the PHP_AUTH_PW, PHP_AUTH_TYPE, PHP_AUTH_USER, and PHP_SELF variables, which might allow context-dependent attackers to obtain sensitive information from process memory by using the integer data type with crafted values, related to a “type confusion” vulnerability, as demonstrated by reading a private SSL key in an Apache HTTP Server web-hosting environment with mod_ssl and a PHP 5.3.x mod_php. (CVE-2014-4721)
Impact
This vulnerability may allow the unauthorized disclosure of information. However, while the vulnerable code exists in F5 systems, the relevant functions are not used by default. Additionally, any attack would need to be sourced locally from the shell, which means an attacker likely already has a granted role with the same permissions as a root user. This is a low risk item.