PT-2014-4868 · Vendors: Zend (+1 more) · Products: Zendservice Nirvanix (+11 more)

Published: 2014-04-03 · Updated: 2022-05-14 · CVE-2014-2682

CVSS v2.0: 6.8 (Medium) · Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions

Zend Framework 1 versions 1.12.3 and earlier
Zend Framework 2 versions 2.1.5 and earlier, and 2.2.x versions 2.2.5 and earlier
ZendOpenId version 2.0.1 and earlier
ZendRest version 2.0.1 and earlier
ZendService AudioScrobbler version 2.0.1 and earlier
ZendService Nirvanix version 2.0.1 and earlier
ZendService SlideShare version 2.0.1 and earlier
ZendService Technorati version 2.0.1 and earlier
ZendService WindowsAzure version 2.0.1 and earlier
ZendService Amazon version 2.0.2 and earlier
ZendService Api version 0.9.9 and earlier
Description

The affected components guarded their XML parsing by calling libxml_disable_entity_loader() before handing untrusted XML to libxml and restoring the previous value afterwards. That setting is not per request: when PHP runs under PHP-FPM it is shared between threads, so one request's toggle can be undone by another before or during its parse, and the document can be processed with external entity loading still enabled. A remote attacker who can supply XML to an affected component can then conduct an XML External Entity (XXE) attack by declaring an external entity in a DOCTYPE and referencing it from the document body; internal entity declarations in the same position enable XML Entity Expansion (XEE) denial of service. The fixed versions stop relying on the global flag under PHP-FPM and instead reject documents that contain DOCTYPE or ENTITY declarations before parsing them.
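The description above comes down to a race on a process-global flag. The following is an added example in PHP, not Zend Framework's code and not part of this advisory: the pre-fix pattern that trusts libxml_disable_entity_loader(), beside a hardened parser that refuses entity declarations itself and so does not care what the global flag says. The function and constant names and the two sample documents are hypothetical/constructed.

```php
<?php
declare(strict_types=1);

// Added example (not Zend Framework code). Function and constant names are
// hypothetical; the sample documents below are constructed for the demo.

// Constructed sample input: an XXE payload declaring an external entity.
const XXE_SAMPLE = <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<data><value>&xxe;</value></data>
XML;

// Constructed sample input: a document with no DTD at all.
const BENIGN_SAMPLE = '<?xml version="1.0"?><data><value>hello</value></data>';

/**
 * Pre-fix pattern. The only thing between the attacker and the external
 * entity is a libxml flag that is global to the process, so under PHP-FPM a
 * concurrent request can flip it back while this request is still parsing.
 * (PHP 8 deprecates libxml_disable_entity_loader(): libxml >= 2.9 no longer
 * loads external entities unless explicitly asked to.)
 */
function parseRelyingOnGlobalFlag(string $xml): ?SimpleXMLElement
{
    $previous = libxml_disable_entity_loader(true);
    try {
        $doc = simplexml_load_string($xml);
        return $doc instanceof SimpleXMLElement ? $doc : null;
    } finally {
        libxml_disable_entity_loader($previous);
    }
}

/**
 * Hardened parse that does not depend on the process-wide flag: refuse any
 * document carrying a DOCTYPE or ENTITY declaration before libxml can resolve
 * one, parse with network access disabled, then re-check the parsed tree.
 * Trade-off: legitimate documents that carry a DOCTYPE are rejected as well.
 */
function parseRejectingEntities(string $xml): ?SimpleXMLElement
{
    // 1. Byte-level pre-check. The UTF-16 spellings are matched too, so the
    //    declaration cannot be hidden behind an encoding declaration.
    foreach (['<!DOCTYPE', '<!ENTITY'] as $marker) {
        $forms = [
            $marker,
            implode('', array_map(fn (string $c) => $c . "\0", str_split($marker))), // UTF-16LE
            implode('', array_map(fn (string $c) => "\0" . $c, str_split($marker))), // UTF-16BE
        ];
        foreach ($forms as $needle) {
            if (strpos($xml, $needle) !== false) {
                throw new RuntimeException("Rejected XML: found $marker declaration");
            }
        }
    }

    // 2. Parse with LIBXML_NONET (no network fetches) and deliberately without
    //    LIBXML_NOENT (no entity substitution); keep parser errors internal.
    $previousErrors = libxml_use_internal_errors(true);
    $dom = new DOMDocument();
    try {
        $loaded = $dom->loadXML($xml, LIBXML_NONET);
    } finally {
        libxml_clear_errors();
        libxml_use_internal_errors($previousErrors);
    }
    if (!$loaded) {
        return null;
    }

    // 3. Belt and braces: the tree must not contain a DOCTYPE that declares entities.
    foreach ($dom->childNodes as $child) {
        if ($child instanceof DOMDocumentType && $child->entities->length > 0) {
            throw new RuntimeException('Rejected XML: DOCTYPE declares entities');
        }
    }

    $doc = simplexml_import_dom($dom);
    return $doc instanceof SimpleXMLElement ? $doc : null;
}

// Demo: the payload is refused at step 1, the benign document parses normally.
try {
    parseRejectingEntities(XXE_SAMPLE);
    echo "unexpected: payload accepted\n";
} catch (RuntimeException $e) {
    echo $e->getMessage(), "\n";
}
$safe = parseRejectingEntities(BENIGN_SAMPLE);
echo 'benign value: ', $safe === null ? '(parse failed)' : (string) $safe->value, "\n";
```

The string pre-check in step 1 is the real gate: by the time step 3 inspects the DOCTYPE node, libxml has already parsed the declaration, and with the entity loader enabled it may already have fetched the external resource. Rejecting every DOCTYPE is therefore the safe default for untrusted input; if an application genuinely needs DTDs, it should parse them in an isolated worker rather than trust a global toggle shared with other requests.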
Recommendations

For Zend Framework 1 versions 1.12.3 and earlier, update to version 1.12.4 or later.
For Zend Framework 2 versions 2.1.5 and earlier, update to version 2.1.6 or later.
For Zend Framework 2 versions 2.2.x 2.2.5 and earlier, update to version 2.2.6 or later.
For ZendOpenId version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendRest version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService AudioScrobbler version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService Nirvanix version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService SlideShare version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService Technorati version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService WindowsAzure version 2.0.1 and earlier, update to version 2.0.2 or later.
For ZendService Amazon version 2.0.2 and earlier, update to version 2.0.3 or later.
For ZendService Api version 0.9.9 and earlier, update to version 1.0.0 or later.

Fix

XML Entity Expansion

XXE


Weakness Enumeration

Related identifiers

CVE-2014-2682
DLA-251-1
DSA-3265-1
DSA-3265-2
GHSA-GP39-H9C2-QW79
MGASA-2014-0151

Affected products

Php-Fpm
Zend Framework 1
Zend Framework 2
Zendopenid
Zendrest
Zendservice Amazon
Zendservice Api
Zendservice Audioscrobbler
Zendservice Nirvanix
Zendservice Slideshare
Zendservice Technorati
Zendservice Windowsazure