[R3] SecurityCenter 4.8.2 Fixes Third-party Library Vulnerability

Related Vulnerabilities: CVE-2014-3669  

Synopsis

SecurityCenter is impacted by one vulnerability in PHP that was recently disclosed and fixed.

CVE-2014-3669: PHP contains an integer overflow condition in the object_custom() function in ext/standard/var_unserializer.re that is triggered when serializing user-supplied input. With specially crafted input, a remote attacker can cause a crash.

Note that this vulnerability only impacts 32-bit versions. Customers who use the 64-bit version are not affected.
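
Why a length-check overflow of this kind can be limited to 32-bit builds, as an added C illustration (not code from PHP or SecurityCenter). It models the general bug class only: the function names are hypothetical, the values are constructed, and fixed-width integers stand in for pointers so the wraparound reproduces on any host.

```c
#include <stdint.h>
#include <stdio.h>

/* Unsafe on a 32-bit address space: cur + len is computed first and wraps
 * modulo 2^32, so a very large len can land below `end` and be accepted. */
int accepts_unsafe32(uint32_t cur, uint32_t end, uint32_t len)
{
    uint32_t stop = cur + len;          /* may wrap around to a low address */
    return stop < end;
}

/* Same check with 64-bit addresses and a 32-bit length: the sum cannot wrap
 * for addresses in this range, so the oversized length is rejected. */
int accepts_unsafe64(uint64_t cur, uint64_t end, uint32_t len)
{
    uint64_t stop = cur + len;
    return stop < end;
}

/* Safe at any width: compare len with the bytes remaining instead of
 * adding it to the cursor, so there is no sum that could overflow. */
int accepts_safe(uint32_t cur, uint32_t end, uint32_t len)
{
    if (cur > end)
        return 0;
    return len < end - cur;
}

int main(void)
{
    /* Constructed values: a 64-byte buffer near the top of a 32-bit space. */
    uint32_t cur = 0xFFFFFF00u, end = 0xFFFFFF40u;
    uint32_t good = 16, bad = 0x110u;   /* cur + bad wraps to 0x00000010 */

    printf("len=%u   unsafe32=%d unsafe64=%d safe=%d\n", good,
           accepts_unsafe32(cur, end, good),
           accepts_unsafe64(cur, end, good), accepts_safe(cur, end, good));
    printf("len=%u  unsafe32=%d unsafe64=%d safe=%d\n", bad,
           accepts_unsafe32(cur, end, bad),
           accepts_unsafe64(cur, end, bad), accepts_safe(cur, end, bad));
    return 0;
}
```

Only the 32-bit additive check accepts the oversized length; the subtraction form rejects it regardless of word size.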

In addition to the issue above, two additional vulnerabilities were patched by the PHP team. SecurityCenter does not use the module related to the XMLRPC calls (CVE-2014-3668) so it is not affected. SecurityCenter also does not use the exif_thumbnail function (CVE-2014-3670) so it is not affected by this either.

Please note that Tenable strongly recommends that SecurityCenter be installed on a subnet that is not Internet addressable.

Solution

Tenable has released SecurityCenter 4.8.2 to address these issues. The new version can be obtained from the Tenable Support Portal (https://support.tenable.com/support-center/index.php?x=&mod_id=160).