[R5] Tenable Products Affected by PHP < 5.5.21 / 5.4.37 Vulnerabilities

PHP contains a use-after-free error in the process_nested_data() function in ext/standard/var_unserializer.re. With specially crafted input passed to the unserialize() method, a remote attacker can dereference already freed memory and potentially execute arbitrary code. (CVE-2014-8142 / CVE-2015-0231) PHP contains a flaw in the exif_process_unicode() function in ext/exif/exif.c when parsing JPEG EXIF entries. This may allow a remote attacker to trigger freeing of an uninitialized pointer, causing a crash or potentially execution of arbitrary code. (CVE-2015-0232) PHP contains a flaw in the main() function in sapi/cgi/cgi_main.c that is triggered when handling input consisting solely of a single "#" character. With a specially crafted PHP file, a remote attacker can cause a crash or potentially disclose memory contents. (CVE-2014-9427) The process_nested_data() function is used within Tenable's SecurityCenter, but is only exposed to authenticated users. Note that the affiliated CVSSv2 score is specific to the PHP implementation within SecurityCenter and the process_nested_data() issue. Please note that Tenable strongly recommends that SecurityCenter and the Tenable Appliance be installed on a subnet that is not Internet addressable.