Tenable's SecurityCenter is affected by several vulnerabilities due to the use of third-party libraries, specifically Apache HTTP Server and PHP.

CVE-2014-3515 - PHP unserialize() Call SPL ArrayObject / SPLObjectStorage Type Confusion Remote Code Execution

PHP contains a type confusion flaw that is triggered when performing an unserialize() call to SPL ArrayObject or SPLObjectStorage in the SPL component. This may allow a remote attacker with the ability to pass data to these handlers to cause a denial of service or potentially execute arbitrary code.

Note that you must be logged in with a SecurityCenter user account and authenticated with proper privileges in order to leverage the API in a fashion to exploit this vulnerability. Also note that additional PHP vulnerabilities affiliated with the two listed above do not affect SecurityCenter. These include CVE-2014-0207, CVE-2014-3478, CVE-2014-3479, CVE-2014-3480, CVE-2014-3487, CVE-2014-3981, CVE-2014-4049, and CVE-2014-3981.

CVE-2014-0098 - Apache HTTP Server mod_log_config Module mod_log_config.c log_cookie Function Malformed Cookie Handling Remote DoS

Apache HTTP Server contains a flaw in the mod_log_config module that is triggered when logging a cookie with an unassigned value. With a specially crafted request, a remote attacker can cause the service to crash.

Note that the CVSSv2 score reflects CVE-2014-0098, the higher of the two. Further, Tenable strongly recommends that SecurityCenter and the Appliance be installed on a subnet that is not Internet addressable.

Originally, we reported that SecurityCenter was vulnerable to CVE-2014-4049 due to a cursory analysis. Subsequent examination indicates that it is not affected.